How advertisers learn which Android apps you use

Credit to Author: Sergey Golubev| Date: Mon, 09 Dec 2019 13:54:09 +0000

We have already covered the mechanisms of Internet advertising and tricks advertising networks use to learn about the websites you visit. But your virtual life hardly consists of websites alone. It is very likely that you spend a good portion of your time in mobile applications — and they, too, make money on ads: Just like websites, they cooperate with advertising networks.

To enable advertisers to collect a detailed dossier on you so they can deliver personalized ads, mobile apps feed them information about your device — even information Google doesn’t permit them to use for advertising.

What info can help track your Android device?

What can apps tell an advertising network about your smartphone? First, that they are installed on the device. With this information from a number of apps, the advertising network is able to learn what your interests are, and which ads are most likely to hook you. For example, if you take a lot of selfies, and you have Instagram and Snapchat installed on your phone, you may appreciate apps offering image filters and effects.

Advertising networks use identifiers to make sure they know the precise device running each app. Every Android smartphone or tablet normally has several such identifiers — and most of them were never intended to assist advertisers.

Thus, unique IMEI codes help identify phones in cellular networks and, say, block stolen devices. A serial number can help find all gadgets of the same defective batch to recall them from stores. A MAC address — yet another unique identifier — enables networking and in particular can be of use in restricting the list of gadgets you authorize to share your home Wi-Fi. Finally, app developers use Android IDs (aka SSAIDs) to manage licenses for their products.

For a long time, no separate advertising identifier existed at all, so apps used to share the above mentioned IDs with their partners. And users basically had no way to escape personalized ads: IMEI or MAC are unique codes enabling straightforward identification of any device. Every time an advertising network receives one, the network understands that the app has been installed on your specific phone.

In theory, these codes are modifiable — there are apps for that too — but modifying them is not that easy, and even worse, doing so puts your phone at risk. The thing is, you need root access for experiments like that, and rooting makes your device vulnerable. In addition, manipulations such as IMEI tweaking are illegal in some countries.

It is easier just to change the Android ID: Simply reset your phone or tablet to factory settings and that’s that. But once you do that, you will have to set up everything anew, including reinstalling all of your apps and signing in to each and every one of them. In short, it’s a pain in the neck, so not many people are willing to do it often.

Advertising ID — theory

In 2013, to achieve a compromise between Android users and the advertising industry, Google introduced a dedicated advertising ID. Google Play services assigns the ID, and users can reset it and create a new one if they need to, through Settings → Google → Ads → Reset advertising ID. On the one hand, the identifier enables advertising networks to trace the habits and hobbies of device users. On the other hand, if you don’t like the idea of advertisers spying on you, you can easily reset the ID any time you like.

Google Play store rules state that advertisers may use the dedicated advertising ID only, and no others, for advertising purposes. The platform does not forbid linking this ID with other identifiers, but apps need to secure users’ consent for that.

The expectation was that if you don’t mind personalized ads, you’ll just leave the advertising ID alone and may even choose to allow apps to link it with anything they like. If you do mind them, you can put a ban on linking this ID with other IDs and reset the ID from time to time, thereby disconnecting your device from the previously collected dossier. Alas, the reality defeats this expectation.

Advertising ID — reality

According to researcher Serge Egelman, more than 70% of Google Play apps use at least one extra identifier without notification. Some of them — for example, 3D Bowling, Clean Master, and CamScanner have been downloaded by millions of people.

Most of them use Android IDs, but IMEIs, MAC addresses, and serial numbers come in handy as well. Some apps send their partner networks three or more identifiers at the same time. For example, the game 3D Bowling uses the advertising ID, IMEI, and Android ID.

Such practices render the very idea of advertising IDs pointless. Even if you resent spying and keep resetting your advertising ID, the ad network will use other, more persistent identifiers to attach a fresh advertising ID to your existing profile.

Malicious Android app had more than 100 million downloads in Google Play

Even though such behavior goes against Google Play’s rules, it is not easy to track down ID-abusing apps. Google checks all apps prior to release, but many less-than-honest authors have found workarounds. Even miners find their way into the store — no surprise that apps lacking any openly malicious features usually go unnoticed.

Google cannot simply deny such apps access to device identifiers; they’re useful for more than advertising. For example, by denying mobile apps access to the Android ID, Google would prevent app developers from protecting their products from illegal copying, thereby infringing on their rights.

Battling annoying ads

Of course, Google has introduced measures to restrict ID abuse. Thus, beginning with Android Oreo, each app will get its own Android ID. So, for advertising networks relying on this ID instead of the advertising ID, your Instagram will appear to be installed on one device and your Snapchat on another, thus rendering this data useless for accurate targeting.

However, IMEIs, serial numbers, and MAC addresses cannot receive such protection, and the market is full of smartphones and tablets that run older versions of Android and will never get updated to Android Oreo. We therefore advise restricting data collection through app management.

  • Delete unwanted apps regularly; the fewer apps installed, the less data advertising networks will collect.
  • Do not give unnecessary permissions to the apps you choose to keep. This precaution will not rid you of spying completely, but it’ll at least keep apps from giving away your IMEI indiscriminately. In this case, it’s the Phone permission that gives apps access to IMEI. The same permission lets apps learn your phone number, view your call history, make calls (at your expense) and much more, so we don’t recommend allowing it.

https://blog.kaspersky.com/feed/