SecurityWeek

Privacy

18,000 Android Apps Violate Google’s Ad ID Policies: Analysis

Mobile privacy research group AppCensus has discovered 18,000 Android applications that violate Google Play’s advertising identifier (ad ID) policies and users’ privacy.

The ad ID is a persistent identifier introduced in 2013 on both Android and iOS to make it easier for users to preserve their privacy. Both Apple and Google forbid the sharing of a device’s ad ID alongside other identifiers, to prevent user tracking.

Before the ad ID, the various persistent identifiers used by mobile applications couldn’t be easily erased, which made it possible to effortlessly track users across websites. Such identifiers include the Android ID, the device’s serial number, IMEI, WiFi MAC address, SIM card serial number, and the like.

While these persistent identifiers can’t be erased (the Android ID requires a factory reset, which involves deleting all data on the device), the ad ID can be reset at will, just like cookies in a browser.

As this was meant to provide users with increased control over their privacy, policies put in place prohibit the sharing of the ad ID alongside other persistent trackers, so as to prevent continuous user tracking if the ad ID has been reset. 

“The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.) without explicit consent of the user,” Google notes in Play’s developer policy center.

What AppCensus discovered, however, was that tens of thousands of applications did not comply with the policy, and that they did transmit the ad ID alongside other persistent identifiers to advertisers. 
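The check this policy implies can be run over captured app traffic. The following is an added example, not AppCensus's tooling or code from the article: it flags destinations that receive the ad ID together with another persistent identifier, pooling requests per app and host (a generalization beyond a single request). The device identifiers, package names, hosts and parameter names are all constructed.

```python
import hashlib
from collections import defaultdict
from urllib.parse import unquote

# Constructed identifiers of a hypothetical test device (not real values).
DEVICE = {
    "ad_id": "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b",
    "android_id": "a1b2c3d4e5f60718",
    "imei": "490154203237518",
    "wifi_mac": "02:00:5e:10:ab:cd",
}

def encodings(value):
    """Forms an identifier may take on the wire: raw, separator-free, hashed."""
    raw = {value.lower(), value.lower().replace(":", "").replace("-", "")}
    hashed = {h(v.encode()).hexdigest() for v in raw
              for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}
    return raw | hashed

NEEDLES = {name: encodings(v) for name, v in DEVICE.items()}

def identifiers_in(payload):
    """Names of the device identifiers present in one request payload."""
    text = unquote(payload).lower()
    return {name for name, forms in NEEDLES.items()
            if any(f in text for f in forms)}

def violations(flows):
    """Map (app, host) -> persistent IDs that host received along with the ad ID."""
    # Pool per destination: IDs split across separate requests are still linkable.
    seen = defaultdict(set)
    for app, host, payload in flows:
        seen[(app, host)] |= identifiers_in(payload)
    return {key: sorted(ids - {"ad_id"}) for key, ids in seen.items()
            if "ad_id" in ids and ids - {"ad_id"}}

# Constructed sample traffic: (app package, destination host, request payload).
FLOWS = [
    ("com.example.game", "ads.example.net",
     "adid=3F2B8C1E-5D4A-4E6F-9A7B-0C1D2E3F4A5B&aid=a1b2c3d4e5f60718"),
    ("com.example.news", "track.example.org", '{"gaid":"3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b"}'),
    ("com.example.news", "track.example.org", "mac=" + hashlib.md5(b"02005e10abcd").hexdigest()),
    ("com.example.notes", "cdn.example.com", "idfa=3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b"),
]

if __name__ == "__main__":
    for (app, host), ids in violations(FLOWS).items():
        print(f"{app} -> {host}: ad ID sent with {', '.join(ids)}")
```

The third sample app sends only the ad ID and is not reported; resetting the ad ID on that device would actually break the link for that destination.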

In September 2018, of the 24,000 apps found to transmit the ad ID, 17,000 would transmit it alongside another persistent identifier, and AppCensus reported them to Google. The issue, however, remains unsolved. 

In fact, AppCensus says there are 18,000 applications in violation of Google Play’s ad ID policy at the moment, including some highly popular programs that have hundreds of millions of users in Google Play. 

The top 5 most popular such applications are Clean Master – Antivirus, Cleaner & Booster and Subway Surfers, each with over 1 billion downloads, and Flipboard: News For Our Time, My Talking Tom, and Temple Run 2, with over 500 million downloads each. The remaining 15 apps in the top 20 most popular have over 100 million downloads each.

“All of the domains receiving the data in the right-most column are either advertising networks, or companies otherwise involved in tracking users’ interactions with ads,” AppCensus says. 

The company also notes that Google hasn’t provided them with any information on the issue although the report was submitted 5 months ago and the number of applications violating the ad ID policy has increased in the meantime. 

“The problem with all of this is that Google is providing users with privacy controls (see above image), but those privacy controls don’t actually do anything because they only control the ad ID, and we’ve shown that in the vast majority of cases, other persistent identifiers are being collected by apps in addition to the ad ID,” AppCensus notes. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
