Thousands of Android apps permanently record your online activity for ad targeting

Updated: Your unique ID is being connected to devices to create an immutable record even when you ask for your history to be forgotten.
Written by Charlie Osborne, Contributing Writer

At least 17,000 Android applications are creating permanent records of your online activity for advertising purposes even when you ask for such information to be forgotten.

New research published by the International Computer Science Institute in California suggests that these apps are using your Advertising ID, alongside persistent identifiers which can be used for the purposes of ad personalization and targeting, in order to create fixed records of past and present user online activity without user consent.

As reported by sister site CNET, it appears that these mobile applications are violating Google's policies on user tracking and advert monetization.

Google requires that developers and advertisers do not connect Advertising IDs to personally-identifiable information or device information including Android ID, IMEIs, SSAIDs, or MAC addresses. 

In addition, Google stipulates that users who choose to opt out of ad personalization must be respected. However, according to the institute, developers are ignoring these rules en masse.

International Computer Science Institute

See also: Opening this image file grants hackers access to your Android phone

In total, roughly 17,000 Android applications are not only transmitting Advertising IDs, but other persistent identifiers. These elements, together, create a record of online activity which can be used to permanently connect an individual, their device, and online activity.

As a result, even should users reset their advertising preferences, the record will hold and their wishes will be ignored.

CNET: Facebook, FTC reportedly negotiating massive fine to settle privacy issues

The report lists 20 popular applications which appear to be violating Google policies, all of which have been downloaded over 100 million times -- and some have passed the billion download mark. 

These apps allegedly include Clean Master -- which has been downloaded over one billion times -- Angry Birds Classic, Audible, and Subway Surfers.

Flipboard was also listed, but the app developers responsible for the app told CNET the company does not use the Android ID for ad targeting.

"The problem with all of this is that Google is providing users with privacy controls but those privacy controls don't actually do anything because they only control the ad ID, and we've shown that in the vast majority of cases, other persistent identifiers are being collected by apps in addition to the ad ID," the researchers say.

TechRepublic: How to create a hidden admin account in macOS

The institute has reported the apps in question and has asked Google whether or not this emerging privacy issue is going to be tackled, but is yet to receive a response. Speaking to CNET, however, the tech giant said that action would be taken on "some" apps.

"We take these issues very seriously," a Google spokesperson told ZDNet. "Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies."

Update 15.23 GMT: A spokesperson for Rovio, the makers of Angry Birds, said, "we are still completing the full investigation on the matter, but we have not initially been able to find any persistent identifiers of our users being passed to said third parties."

Cheetah Mobile, the developers of Clean Master, said the company "endeavors to adhere to all relevant Google Play policies and GDPR requirements," and "we respect our users' privacy, and are transparent with them regarding how we collect and use their data." 

The firm added:

"Cheetah Mobile integrates third party's SDK such as AppsFlyer into its apps to track and validate the installation of Cheetah Mobile's own products. Cheetah Mobile does not perform ad monetization through the third party SDK. The business relationship between Cheetah Mobile and third-parties does not include any personalized advertising."

ZDNet has reached out to the developers of applications mentioned in the report and will update if we hear back.

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards