These Android apps have been tracking you, even when you say stop
Exclusive: Advertisers are collecting info that can help them skirt an Android privacy feature, according to new research.
Laura HautalaFormer Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
ExpertiseE-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking.Credentials
2022 Eddie Award for a single article in consumer technology
The apps can track you by linking your Advertising ID -- a unique but resettable number used to tailor advertising -- with other identifiers on your phone that are difficult or impossible to change. Those IDs are the device's unique signatures: the MAC address, IMEI and Android ID. Less than a third of the apps that collect identifiers take only the Advertising ID, as recommended by Google's best practices for developers.
"Privacy disappears" when apps collect those persistent identifiers, said Serge Egelman, who led the research. He said his team, which reported the findings to
in September, observed most of the apps sending identifying information to advertising services, an apparent violation of Google's policies.
Watch this: Android apps by the thousands collect user data you can't erase
The company's policies allow developers to collect the identifiers but forbid them from combining the Advertising ID with hardware IDs without explicit consent of the user, or from using the identifiers that can't be reset, to target ads. What's more, Google's best practices for developers recommend collecting only the Advertising ID.
The behavior fits into the tech industry's long history of creating privacy measures that websites and app developers quickly learn to bypass.
, for instance, was forced to address Flash cookies in 2011 after complaints that the snippets of software could survive in your web browser even after you cleared all your cookies. Similar complaints arose in 2014 over Verizon's and AT&T's use of so-called "supercookies," which tracked users across multiple devices and couldn't be cleared. In 2012,
accused Google of circumventing its P3P web privacy standard, which let users of the Internet Explorer browser set their preferences for cookies. (Google countered that the standard wasn't useful anymore).
Egelman's team, which previously found around 6,000 children's apps improperly collecting data, said Thursday that big-name apps for adults are sending permanent identifiers to advertising services. The apps included included Angry Birds Classic, the popular smartphone game, as well as Audiobooks by Audible and Flipboard. Clean Master, Battery Doctor and Cheetah Keyboard, all utilities developed by Cheetah Mobile, were also found to send permanent info to advertising networks.
All of these apps have been installed on at least 100 million devices. Clean Master, a phone utility that includes antivirus and phone optimization services, has been installed on 1 billion devices.
What Google's doing about it
Google said it had investigated Egelman's report and taken action on some apps. It declined to say how many apps it acted on or what action was taken, or to identify which of its policies the apps had violated. The company said its policies allow for the collection of hardware identifiers and the Android ID for some purposes, like fraud detection, but not for the targeting of ads.
Google also said it can enforce its policies only when Android apps send the identifiers to Google's own ad networks, such as AdMob. If the apps send the data to outside networks, Google says it can't monitor them for violations.
"We take these issues very seriously," a Google spokesperson said in a statement. "Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies."
Representatives of Rovio, which develops the Angry Birds series, and of Audible, didn't respond to requests for comment.
A Cheetah Mobile spokesman said in an email that its apps send a device's Android ID to a company that helps it track installations of its products. The information isn't used for targeted ads, and the company complies with all relevant Google policies and laws, the spokesman said.
He added that the version of Battery Doctor tested by the researchers was out of date; Cheetah Mobile updated the app in 2018 to no longer collect the IMEI.
Flipboard said it doesn't use the Android ID for ad targeting.
Egelman's team tested the apps as they ran on Android 6, also known as Marshmallow. Just over half of all Android devices run Android 6 or an earlier version of the system, according to a Google analysis from October. The researchers configured a version of Android that let them track which identifiers an app collected and then ran thousands of apps on the modified software.
Egelman said that changing your Advertising ID should serve the same function as clearing out your web browsing data. When you clear cookies, websites you visited in the past won't recognize you. That stops them from building up data about you over time.
But you can't reset other identifiers, like the MAC address and IMEI. The MAC address is a unique identifier that your device broadcasts to internet connections like Wi-Fi routers. The IMEI is an identifier for your specific device. Both identifiers can sometimes be used to prevent stolen phones from accessing a cellular network. The Android ID is another identifier that's unique to each device. It can be reset, but only if you run a factory reset of your device.
If apps send ad networks any of those identifiers, it won't matter how many times you reset your advertising ID. They can still tell it's you.
Sandy Bilus, a privacy and cybersecurity lawyer at Saul Ewing Arnstein & Lehr, said the apps might be in violation of the General Data Protection Regulation, a European Union law that requires organizations to tell users what data they collect on them, if they haven't spelled out what they're collecting to EU users.
"It certainly could raise GDPR issues," Bilus said. "The app developers who are collecting and using this data should be careful about that."
Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University, said that Google is in the best position to crack down on apps that use hardware identifiers and the Android ID in ways that violate its own policies.
The fact that developers are creating workarounds to the Advertising ID suggests that many people are resetting the identifier, Cranor said, even if most users are unaware of the privacy feature.
"Otherwise," she said, "why would they bother?"
First published at 5:00 a.m. PT. Updated at 7:34 a.m. PT: Added more details about Cheetah's apps.