Most Android devices come bundled with Android’s Advertising ID, which is something of an older piece of data collection software that could track a device’s Android ID, IMEI number, MAC address, and even the SIM card’s serial number.
While many Android users may not be aware that it exists, app developers and third parties are definitely aware – and they’re using that information in ways that people may not be happy about.
Android’s Advertising ID is away of controlling a ‘persistent identifier’, or something that identifies a user and their device, explains AppCensus.
Developers and third parties can use those persistent identifiers to profile users as part of behavioural tracking, where they show ads based on your behaviours and your interests.
Web browser cookies work in much the same manner – and you can easily clear those cookies. But with Android (and iOS) persistent identifiers, the process is much more difficult.
Android Advertising ID was supposed to limit ad tracking from persistent identifiers, but according to AppCensus and security firm Sophos, thousands of apps are ignoring Android’s privacy-preserving policies.
As of September 2018, AppCensus’ app database picked up 24,000 apps that transmitted a user’s advertising ID. 17,000 apps also transmitted an ad ID alongside other persistent identifiers.
This is in direct violation of Google Play Store’s policy, which states that, "The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.) without explicit consent of the user."
“Based on the data recipients of some of the most popular offenders, these are clearly being used for advertising purposes,” writes AppCensus.
In many cases, those apps have millions – if not billions of users. Some of the offending apps include:
Google has reportedly taken action against some of the violators.