Android apps that spy on your devices

We have already talked about how advertising works on the Internet and the tricks advertising networks use to learn which websites you visit. But your online life goes far beyond these sites. You very likely spend a good part of your time in mobile apps, and they also make money from advertising; just like websites, apps collaborate with ad networks.

To let advertisers build a detailed dossier on you and show you personalized ads, applications give them information about your device, including information that Google does not allow them to use.

What information can facilitate the tracking of your Android device?
What do applications tell ad networks about you? First of all, that they are installed on your device. When an advertising network receives this information from various applications, it can work out your interests and therefore which types of ads are most likely to attract you. For example, if you take a lot of selfies and have Instagram and Snapchat installed on your phone, you might appreciate apps for photo filters and effects.

Ad networks use device identifiers to accurately recognize the device on which apps are running. Every Android smartphone or tablet has several identifiers, and most of them were not created to help advertisers.

For example, unique IMEI codes help identify phones on the cellular network and lock devices in the event of theft. A serial number can help find all devices in the same defective batch so they can be withdrawn from the market. A MAC address, another unique identifier, allows connection to the network and, in particular, can be used to limit the list of devices authorized to connect to your home Wi-Fi network. Finally, mobile application developers use Android IDs (also known as SSAIDs) to manage the licenses of their products.

For a long time there was no advertising identifier of any kind, so applications shared these identifiers with their partners. Users therefore had no way to escape personalized ads: an IMEI or a MAC address is a unique code that directly identifies a device. Whenever an ad network receives one, it knows that the application has been installed on your phone.

In theory, these codes can be changed (there are applications for this too), but it is not easy and, even worse, it can be risky for your phone. Experiments of this type require root permissions, and rooting makes the device vulnerable. Furthermore, manipulations such as modifying the IMEI are illegal in some countries.

It is easier to change the Android ID: you just need to reset the phone or tablet to factory settings. But once this is done, you will have to set everything up again, reinstall all your applications and log in to each one again. In short, it is a nuisance, which is why it is not done very often.

Advertising ID: theory
In 2013, Google introduced an advertising ID as a compromise between Android users and the advertising industry. Google Play services assign the ID, and users can reset it and create a new one whenever necessary by going to Settings → Google → Ads → Reset advertising ID. On the one hand, the identifier allows ad networks to track the habits and hobbies of device users. On the other hand, if you don’t like the idea of being spied on by advertisers, you can easily reset the ID at any time.

The Google Play store rules stipulate that advertisers may use only the advertising ID, and nothing else, for advertising purposes. The platform does not prohibit linking this ID to other identifiers, but Google Play applications need users’ consent to do so.

The idea is that if personalized ads don’t bother you, you can leave the advertising ID as it is and even authorize applications to link it to other identifiers. Alternatively, you can forbid linking this ID to other identifiers and reset it from time to time, thereby disconnecting your device from the dossier collected so far. Unfortunately, reality is different.

Advertising ID: reality
According to researcher Serge Egelman, over 70% of Google Play applications use at least one extra identifier without giving any notice. Some of them, such as 3D Bowling, Clean Master and CamScanner, have been downloaded by millions of people.

Most of them use the Android ID, but IMEIs, MAC addresses and serial numbers are also used. Some applications send three or more identifiers to partner networks simultaneously. For example, the 3D Bowling game uses the advertising ID, the IMEI code and the Android ID.

Such practices make the advertising ID pointless. Even if you try to avoid being spied on and keep resetting your advertising ID, the advertising network will use other, more persistent identifiers to tie the new ID to your profile.
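The check below is an added example, not code from the original article or from the research it cites: it classifies request parameters by shape and flags apps that send a persistent identifier in the same request as the advertising ID, then shows which values still link the device after a reset. The app names, parameter names and all identifier values are constructed for illustration.

```python
import re

UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
ANDROID_ID_RE = re.compile(r"[0-9a-f]{16}", re.I)
IMEI_RE = re.compile(r"\d{15}")

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; checking it cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Guess which device identifier a parameter value is, by shape only."""
    if UUID_RE.fullmatch(value):
        return "advertising_id"
    if MAC_RE.fullmatch(value):
        return "mac"
    if IMEI_RE.fullmatch(value) and luhn_ok(value):
        return "imei"
    if ANDROID_ID_RE.fullmatch(value):
        return "android_id"
    return None

def bridging_apps(requests):
    """Map app -> persistent identifier kinds sent alongside the advertising ID."""
    report = {}
    for app, params in requests:
        kinds = {classify(v) for v in params.values()} - {None}
        if "advertising_id" in kinds and len(kinds) > 1:
            report.setdefault(app, set()).update(kinds - {"advertising_id"})
    return {app: sorted(kinds) for app, kinds in report.items()}

def survives_reset(before, after):
    """Persistent identifier values present both before and after an ID reset."""
    def keep(p):
        return {v for v in p.values() if classify(v) not in (None, "advertising_id")}
    return sorted(keep(before) & keep(after))

# Constructed sample requests; every app name and value is invented.
SAMPLE = [
    ("game.example", {"adid": "38400000-8cf0-11bd-b23e-10b96e40000d",
                      "imei": "490154203237518", "aid": "a1b2c3d4e5f60718"}),
    ("notes.example", {"adid": "38400000-8cf0-11bd-b23e-10b96e40000d"}),
]
# Same device after the user resets the advertising ID: only "adid" changes.
AFTER_RESET = dict(SAMPLE[0][1], adid="c1b2a3d4-0000-4a5b-8c9d-1234567890ab")
```

Here `bridging_apps(SAMPLE)` flags only the first app, and `survives_reset(SAMPLE[0][1], AFTER_RESET)` returns the IMEI and Android ID values that let a network rejoin the old and new advertising IDs.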

Although this behavior goes against the rules of Google Play, it is not easy to track down applications that misuse identifiers. Google checks all applications before release, but many less-than-honest authors have found ways around the checks and publish malicious applications. Even miners have found ways to sneak into the store, so it is no surprise that apps with no obviously harmful characteristics sometimes go unnoticed.

Google cannot deny these applications access to device identifiers, since the identifiers serve much more than just advertising. For example, by denying mobile apps access to the Android ID, Google would prevent app developers from protecting their products from piracy, thereby violating their rights.

Combat annoying ads
Of course, Google has introduced measures to limit the misuse of IDs. Starting with Android Oreo, each application has its own Android ID. As a result, to ad networks that rely on this ID instead of the advertising ID, your Instagram will appear to be installed on one device and your Snapchat on another, making this data useless for accurate targeting.

However, IMEIs, serial numbers and MAC addresses cannot be given this type of protection, and the market is full of smartphones and tablets that run earlier versions of Android and will never be updated to Android Oreo. We therefore recommend limiting data collection by managing your applications.

Delete applications you no longer use. The fewer applications you have installed, the less data the ad networks collect;
Do not grant unnecessary permissions to the applications you wish to keep. This precaution will not completely prevent them from spying on you, but at least it will stop applications from handing out your IMEI code indiscriminately. Access to the IMEI code is governed by the phone permission. With this same permission, applications can learn your phone number, see your calls, make calls (at your expense, of course) and much more, so we advise you not to grant it.
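One way to audit the second recommendation, as an added example that is not part of the original article: the function lists which packages currently hold the phone-related permissions behind the capabilities described above. It assumes text in the shape printed by `adb shell dumpsys package`; the excerpt and package names are constructed.

```python
import re

# Permissions behind what the article lists: IMEI/number, call log, placing calls.
PHONE_PERMS = {"READ_PHONE_STATE", "READ_CALL_LOG", "CALL_PHONE"}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

def phone_permission_holders(dumpsys_text):
    """Return {package: sorted granted phone permissions} from dumpsys-style text."""
    holders, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)          # permissions that follow belong to this package
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true" and perm.group(1) in PHONE_PERMS:
            holders.setdefault(current, set()).add(perm.group(1))
    return {pkg: sorted(perms) for pkg, perms in holders.items()}

# Constructed excerpt (assumed output shape); package names are invented.
SAMPLE_DUMP = """\
Package [game.example] (1a2b3c4):
    runtime permissions:
      android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [notes.example] (5d6e7f8):
    runtime permissions:
      android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET ]
Package [dialer.example] (9a0b1c2):
    runtime permissions:
      android.permission.CALL_PHONE: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
"""
```

A game that holds `READ_PHONE_STATE`, as in the constructed excerpt, is the kind of grant the advice above suggests revoking.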
