18,000 Android Apps Violate Google’s Ad ID Policies: Analysis

Mobile privacy research group AppCensus has discovered 18,000 Android applications that violate Google Play’s advertising identifier (ad ID) policies and users’ privacy.


The ad ID is a persistent identifier introduced in 2013 on both Android and iOS to make it easier for users to preserve their privacy. Both Apple and Google forbid the sharing of a device’s ad ID alongside other identifiers, to prevent user tracking.

Before the ad ID, the various persistent identifiers used by mobile applications couldn’t be erased easily, which made it possible to effortlessly track users across websites. Such identifiers include the Android ID, the device’s serial number, IMEI, WiFi MAC address, SIM card serial number, and the like.

While these persistent identifiers can’t be erased (the Android ID requires a factory reset, which involves deleting all data on the device), the ad ID can be reset at will, just like cookies in a browser.

As this was meant to provide users with increased control over their privacy, policies put in place prohibit the sharing of the ad ID alongside other persistent trackers, so as to prevent continuous user tracking if the ad ID has been reset. 

“The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.) without explicit consent of the user,” Google notes in Play’s developer policy center.

What AppCensus discovered, however, was that tens of thousands of applications did not comply with the policy, and that they did transmit the ad ID alongside other persistent identifiers to advertisers. 

In September 2018, of the 24,000 apps found to transmit the ad ID, 17,000 would transmit it alongside another persistent identifier, and AppCensus reported them to Google. The issue, however, remains unsolved. 


In fact, AppCensus says there are 18,000 applications in violation of Google Play’s ad ID policy at the moment, including some highly popular programs that have hundreds of millions of users in Google Play. 

The top 5 most popular such applications are Clean Master – Antivirus, Cleaner & Booster and Subway Surfers, each with over 1 billion downloads, and Flipboard: News For Our Time, My Talking Tom, and Temple Run 2, with over 500 million downloads each. The remaining 15 apps in the top 20 most popular have over 100 million downloads each.

“All of the domains receiving the data in the right-most column are either advertising networks, or companies otherwise involved in tracking users’ interactions with ads,” AppCensus says. 

The company also notes that Google hasn’t provided them with any information on the issue although the report was submitted 5 months ago and the number of applications violating the ad ID policy has increased in the meantime. 

“The problem with all of this is that Google is providing users with privacy controls (see above image), but those privacy controls don’t actually do anything because they only control the ad ID, and we’ve shown that in the vast majority of cases, other persistent identifiers are being collected by apps in addition to the ad ID,” AppCensus notes. 
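The condition the policy prohibits, an ad ID sent in the same request as another persistent identifier, can be checked mechanically against captured app traffic, and the same pass shows when a reset ad ID stays linkable. The following Python is an added example, not AppCensus's or Google's code; the package names, hosts, query parameter names and identifier values are all constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed identifiers of the test device (known to the auditor).
PERSISTENT_IDS = {
    "android_id": "9774d56d682e549c",
    "imei": "490154203237518",
    "wifi_mac": "02:00:5e:10:00:01",
}
AD_ID_OLD = "38400000-8cf0-11bd-b23e-10b96e40000d"  # before the user reset it
AD_ID_NEW = "cdda802e-fb9c-47ad-9866-0794d394c912"  # after the reset

# Constructed capture: (app package, ad ID on device at capture time, request URL).
CAPTURE = [
    ("com.example.game", AD_ID_OLD,
     f"https://ads.example.net/v1/e?gaid={AD_ID_OLD}&aid=9774d56d682e549c"),
    ("com.example.game", AD_ID_NEW,
     f"https://ads.example.net/v1/e?gaid={AD_ID_NEW}&aid=9774D56D682E549C"),
    ("com.example.news", AD_ID_NEW,
     f"https://track.example.org/p?ifa={AD_ID_NEW}&lang=en"),
    ("com.example.tool", AD_ID_NEW,
     "https://cdn.example.com/i?mac=02005E100001&v=3"),
]

def _norm(value):
    """Lower-case and drop separators so MAC/UUID formatting differences still match."""
    return "".join(c for c in value.lower() if c.isalnum())

def audit(capture, persistent_ids):
    """Return (violations, relinked).

    violations: {(app, host): kinds of persistent ID sent in the same request as the ad ID}
    relinked:   {(app, host)} where one persistent ID arrived with more than one ad ID,
                so the recipient can join the pre-reset and post-reset profiles.
    """
    wanted = {_norm(v): kind for kind, v in persistent_ids.items()}
    violations = defaultdict(set)
    ad_ids_seen = defaultdict(set)
    for app, ad_id, url in capture:
        parts = urlsplit(url)
        values = {_norm(v) for _, v in parse_qsl(parts.query)}
        if _norm(ad_id) not in values:
            continue  # ad ID not transmitted: outside this policy check
        for hit in values & set(wanted):
            violations[(app, parts.hostname)].add(wanted[hit])
            ad_ids_seen[(app, parts.hostname, hit)].add(_norm(ad_id))
    relinked = {(a, h) for (a, h, _), ids in ad_ids_seen.items() if len(ids) > 1}
    return dict(violations), relinked
```

Only plaintext query parameters are inspected here; identifiers sent in request bodies, hashed, or otherwise encoded would need matching transforms added to `_norm`.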


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
