Some 17,000 Android apps violate Google's privacy policies by transmitting permanent device identifiers to ad networks along with temporary "Ad IDs," a new study finds.
Researchers from the International Computer Science Institute (ICSI) examined 24,000 Android apps and found that fully 70 percent were breaking the rules by sending out permanent IDs that ad networks can then use to track your movements and usage of other apps. The researchers said they'd notified Google of the policy violations five months ago, but hadn't received a reply.
"Google is providing users with privacy controls," wrote the ICSI's Serge Egelman in a blog posting, "but those privacy controls don't actually do anything."
Unfortunately, until Google decides to do something about this (or a powerful government forces it to), there's no easy solution for the end user. We suggest going to the ICSI's AppCensus website and searching for each and every app on your phone, starting with the free games. You'll get a report of what each app transmits and where it goes, and can then make the decision about whether or not to keep the app installed.
How Ad IDs work
The ads in both Android and iOS apps are supposed to identify the devices the ads run on with temporary identifiers known as Ad IDs (Google) or Advertising Identifier (Apple). These IDs don't actually expire until the user decides to reset them, but at least the user has that option. (On Android, it's Settings > Google > Ads > Reset advertising ID. On iOS, it's Settings > Privacy > Advertising > Reset Advertising Identifier.)
Both Apple and Google specify that that's the only kind of identifier the app can transmit to ad networks. The apps are not supposed to send ad networks the serial numbers of the device or the SIM card, the International Mobile Equipment Identity (IMEI) number, the local network address or the Google account ID.
The apps are allowed to "fingerprint" the devices by taking down the exact OS build, amount of RAM, amount of storage, network carrier and even some or all of the installed apps, but that's not quite an ID. (It's enough information to track the physical location of specific Android devices solely through ads, however.)
And how Android apps break the rules
Yet 17,000 of the 24,000 apps the ICSI examined transmitted another ID beside the permitted Ad ID. In most cases, it was the "Android ID," which is, as the ICSI explains, "a random serial number that is created when you first configure your phone." The only way to reset the Android ID is by factory-wiping your device.
For example, Angry Birds Classic sends the Ad ID (good), the device fingerprint (not great, but acceptable) and the Android ID (bad) to four different ad networks, although none of the four ad networks get all the identifiers. Cut the Rope Full Free sends the same three identifiers to a total of 12 ad networks.
It's not such a surprise that ad-supported free games try to bend or break the rules to get a little extra cash. But it was surprising that some Android antivirus and security apps were among the rule breakers.
In Lookout's case, the data went to analytics and diagnostics servers instead of ad networks, so there could be good reasons for that. But CM Security Master sent all three identifiers to an ad network, and, even worse, sent the Android ID in unencrypted format to an Amazon-hosted cloud server.
Psafe DFNDR, another antivirus app we've reviewed, was much naughtier. It transmitted not only Android IDs, Ad IDs and device fingerprints, but also the phone's IMEI, location and the name of the Wi-Fi network a phone might be using to nearly 30 different ad networks and other destinations, often in plaintext formats that anyone intercepting the transmissions could read. It also sent the device serial number to its own servers, which arguably could be to support an antitheft feature in the app.
Avast Mobile Security, long one of our favorites, transmitted Ad IDs, device fingerprints and device locations to six different ad networks, sometimes unencrypted. It sent Android IDs and device serial numbers only to its own servers, possibly for antitheft purposes.
Avast's corporate sibling AVG AntiVirus for Android was better behaved. It skipped the device location and sent the Android ID and device serial number only to its own servers in encrypted format. It did send the Ad ID and device fingerprint to a couple of ad networks, but in encrypted form.
Still, an Android antivirus app doesn't need to get your Android ID or device serial number to have antitheft features. Kaspersky Mobile Antivirus does have antitheft, but doesn't collect any kind of device identifier, not even Ad ID, according to ICSI's survey.