A Small Set of Android Apps Exposed the Data of Over 100 Million Users
Last updated September 25, 2021
In blatant violation of Google’s advertising data collection policy, about 17,000 apps for the Android platform were found to collect user identification information and keep a history record even when users choose to limit ad tracking. The discovery is the result of research carried out by the International Computer Science Institute. The researchers found that many thousands of Android apps use persistent identifiers to track user activity and correlate it with previous tracking instances, based on the device IMEI or MAC address.
This is the opposite of what Google’s developer best practices guideline suggests, which allows user tracking only through the “advertising ID” that gets reset in each tracking session. By using solely the ad ID, apps cannot connect previous tracking sessions with new ones, and so a certain level of user privacy is retained. Google forbids combining the ad ID with hardware identifiers like the IMEI, or with any other number that cannot be reset. However, there is nothing in place to stop app developers from bypassing this guideline, and with the number of apps that follow this practice in the thousands, it is evident that many developers disregard Google’s position on how things should work.
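The check an auditor would run on captured app traffic to spot this policy violation, as an added example that is not code from the researchers or from Google: it flags requests that carry an ad ID together with an IMEI or MAC address, and reports where the persistent identifier links two different ad IDs. The record fields (`app`, `host`, `params`) and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
AD_ID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def is_imei(value):
    """True for 15 digits with a valid Luhn checksum (the IMEI format)."""
    if not re.fullmatch(r"\d{15}", value):
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value):
    if AD_ID.match(value):
        return "ad_id"
    if MAC.match(value):
        return "mac"
    return "imei" if is_imei(value) else None

def audit(records):
    """Map (app, host) -> {persistent_id: ad IDs sent in the same request}."""
    findings = defaultdict(lambda: defaultdict(set))
    for rec in records:
        seen = defaultdict(list)
        for value in rec["params"].values():
            seen[classify(value)].append(value)
        for pid in seen["imei"] + seen["mac"]:
            for ad in seen["ad_id"]:
                findings[(rec["app"], rec["host"])][pid].add(ad)
    return findings

def bridged_resets(findings):
    """Persistent IDs paired with more than one ad ID: a reset did not unlink the user."""
    return {(key, pid) for key, ids in findings.items()
            for pid, ads in ids.items() if len(ads) > 1}

# Constructed sample traffic; apps, hosts and identifiers are illustrative only.
IMEI, MAC_ADDR = "490154203237518", "02:00:00:aa:bb:01"
AD1, AD2 = "11111111-2222-4333-8444-555555555555", "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
SAMPLE = [
    {"app": "com.example.game", "host": "ads.example.net", "params": {"adid": AD1, "imei": IMEI}},
    {"app": "com.example.game", "host": "ads.example.net", "params": {"adid": AD2, "imei": IMEI}},
    {"app": "com.example.cleaner", "host": "track.example.org", "params": {"gaid": AD1, "hw": MAC_ADDR}},
    {"app": "com.example.notes", "host": "ads.example.net", "params": {"adid": AD2}},
]
```

On the sample, the game and the cleaner are flagged for pairing identifiers, and only the game shows one IMEI tied to two ad IDs; the notes app, which sends the ad ID alone, is not flagged.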
The most popular and widely used apps found to violate Google’s advertising data management policy include the antivirus and device cleaner tool known as “Clean Master”, the 1 billion-installs game “Subway Surfers”, “Angry Birds Classic”, “Banana Kong”, “8 Ball Pool”, “Temple Run 2”, “Cooking Fever” and “Cut The Rope”. Camera beauty apps, battery coolers, and third-party keyboards are also on the list, as usual. In total, about 17,000 apps use persistent identifiers in relation to their ad serving system, so the chances of having at least one on your phone are very high.
Serge Egelman, the leader of the research team, clarifies that they reported the above about five months ago and received no response from Google. With CNET publishing the report findings, however, the matter got more extensive publicity, and a Google spokesperson stated: “We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps – including those listed in the researcher's report – and will take action when they do not comply with our policies.”