18,000 Android Apps Track Users By Violating Advertising ID Policies

18,000 Android apps with tens or hundreds of millions of installs on the Google Play Store have been found to violate Google's Play Store Advertising ID policy guidance by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers, and sending them to mobile advertising related domains alongside ad IDs. Bleeping Computer reports: AppCensus is an organization based in Berkeley, California, and created by researchers from all over the world with expertise in a wide range of fields, ranging from networking and privacy to security and usability. The project is supported by "grants from the National Science Foundation, the Department of Homeland Security, and the Data Transparency Lab." By highlighting this behavior, AppCensus shows that while users are being offered the option to reset the advertising ID, doing so will not immediately translate into getting a new "identity" because app developers can also use a multitude of other identifiers to keep their tracking and targeting going.

Google did not yet respond to a report sent by AppCensus in September 2018 containing a list of 17,000 Android apps that send persistent identifiers together with ad IDs to various advertising networks, also attaching a list of 30 recipient mobile advertising related domains where the various IDs were being sent. While looking at the network packets sent between the apps and these 30 domains, AppCensus observed that "they are either being used to place ads in apps, or track user engagement with ads." In a statement to CNET, a Google spokesperson said: "We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies."

Some of the most popular applications found to be violating Google's Usage of Android Adverting ID policies include Clean Master, Subway Surfers, Flipboard, My Talking Tom, Temple Run 2, and Angry Birds Classic. The list goes on and on, and the last app in the "Top 20" list still has over 100 million installations.

Shocked, shocked to find gambling going on here

[sinij]

Google, here is your winnings.

Google?

[Mr. Dollar Ton]

This ain't simply a "google" issue, but a bright example of how "markets will self-regulate". Joker: they won't, not without a body that can draw regulations AND dispense "justice" in the form of sufficient extra costs so that it is more expensive to the user.

This is the main reason why I've not and I am not buying, installing or using "apps" that are just front-ends to network services, if I cannot use it behind a firewall, it isn't worth having.

It is also an example of how low the app hygiene of the "aver

I installed a firewall

[Snotnose]

and found out my flashlight app was calling home every 3-4 seconds. I hadn't used the app in months. Deleted it, installed a new one, things were good.

Uninstalled a couple other apps for the same reason. But the flashlight was the one that stuck in my head.

Unfortunately I had to uninstall the firewall app because it was draining my battery at a ridiculous rate. But I haven't installed an app since then so I think I'm good.

Seriously folks, if you run Android install a firewall app and be prepared to be shocked.

Re:

[Aighearach]

Well, if you were ever paying attention you wouldn't be shocked at all.

A flashlight app needs no permissions at all. None. No permissions. If you try to install a flashlight app and it asks for networking, don't install it.

It seems rather simple, actually. Does following that type of system cut down the available apps? Yes, drastically! It cuts it all the way down to the ones that only do what you want.

If you can't find any, try f-droid.

Re:

[iamwahoo2]

we need more app repositories like f-droid that cater toward users that are not getting what they need out of play store. I personally do not mind paying for my apps from a repository that gauranteed privacy. What is a few dollars in the grand scheme of things, but it is actually getting hard to find quality apps that will respect your privacy for a price.

Re: I installed a firewall

[astrofurter]

Try this one instead:

https://github.com/M66B/NetGua... [github.com]

It's open source (GPL) and appears to improve battery life on my Android, by blocking the incessant network chatter of many apps.

Say it isn't so

[JustAnotherOldGuy]

ME SO SHOCKED

Seriously- who thought these fuckers weren't breaking every rule and sucking up every bit of data they could?

The next big thing in data will be vehicular data- where you drive, when you dive, how fast, how often, etc etc etc. Everyone wants this data and many of the newer crop of cars collect LOTS of it, then beam it back to the manufacturer or one of their paid data collectors.

Do you think a Tesla isn't recording what the driver does when they take their foot off the brake or roll down a window? Of course they are.

Soon all the major car manufacturers will be collecting "driver data". It's a gold mine for them because advertisers will pay real money for the data.

Eventually you won't be able to drive past a Burger King without a 10% off coupon flashing on your in-car display, and they'll probably interrupt your music or radio to tell you about it. They already do it in malls.

You laugh now, but it's coming.

hey Google, get up and get to work

[FudRucker]

and purge google playstore of all these apps that violate the terms of service and violate people's privacy, and offer to purge people's phones, i would like to see apps just dissappear if they are violating my privacy, you better do it or my next phone will be a dumb phone like one of those nokia 3310,

By taking action...

[scdeimos]

We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies.

By taking action they mean laughing maniacally at all the extra advertising revenue they're raking in.

Libraries

[Tomahawk]

Many apps use advertising libraries from other companies, and it's mainly these libraries that collect this data. The app writer may not even be aware of this, content in the fact that for a few lines of additional code they get ads in their so e, and thus revenue.

The question here is, are the app developers at fault here, or the advertising companies that provide the libraries?

Re:Libraries

[pushing-robot]

Google is at fault for allowing unfettered access to data that 99.999% of honest apps would never need.

If an app has a valid need for SIM card info, or any private, exploitable, or uniquely identifiable data for your device, it can bloody well ask for it.

Letting apps apparently work on the honor system, and not even policing apps in their own store, puts the blame squarely in Google's lap.

Re:

[hraponssi]

I wrote some simple games few years back, added the game development platforms libraries in it for ads. Because no-one wants to pay for anything anyway. Some year(s) later, got a message from Google they removed some of the app(s) due to some advertisement id violations. I did not care much since the games were not that great and had few downloads, so I let them take them down rather than start investigating and rewriting. I still have no idea what that was, just used the platform for what I though it was..

List of 18k apps?

[Freshly Exhumed]

Where the hell is the damned list of all ~18,000 apps? None of the given links provide this obviously necessary information.