18,000 Android apps track users by violating ad ID rules


It has been found that 18,000 Android apps with dozens, if not hundreds of millions of installations on the Google Play Store violated the Play Store's Advertising ID rules by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers and others, and sending them to domains related to mobile advertising alongside the ad ID.

The problem here is that even though some of the companies behind these apps will most likely claim that they do not use persistent device identifiers for ad targeting, they still do not follow the Google Play Store policy guidelines for ad ID.

Sending non-resettable identifiers in addition to the ad identifier is particularly worrisome because it effectively removes "the properties of the ad's identifier preserving confidentiality", as explained in a report published by AppCensus.

To further illustrate why this is a problem, Serge Egelman of AppCensus said that "in 2017, the application of Uber had violated the privacy guidelines of the iOS App Store by collecting persistent non-resettable identifiers. Tim Cook personally threatened to have the Uber app removed from the store."

18k applications transmit ad ID with persistent IDs

AppCensus is an organization based in Berkeley, California, created by researchers from around the world specializing in a wide range of fields, from networking and confidentiality to security and usability. The project is funded by "grants from the National Science Foundation, the Department of Homeland Security and the Data Transparency Lab".

By highlighting this behavior, AppCensus shows that although users have the option to reset the ad ID, doing so will not immediately give them a new "identity", because application developers can also use a multitude of other identifiers to keep tracking and targeting them.

Option to reset advertising ID on iOS and Android

Below you will find the top 20 most popular apps, by number of installations in the Google Play Store, that violate Google's Android Advertising ID usage rules, according to Egelman:

As detailed by Egelman:

All domains receiving the data in the far right column are advertising networks or companies involved in tracking user interactions with ads (i.e., to use Google's language, "to advertising purposes"). In fact, to date, more than 18,000 separate apps are passing the ad ID alongside other persistent IDs.

Google has not yet responded to a report sent by AppCensus in September 2018 containing a list of 17,000 Android apps that send persistent IDs with ad IDs to different ad networks, along with a list of 30 recipient domains related to mobile advertising to which the data was being sent.

By examining network packets sent between applications and these 30 domains, AppCensus observed that "they are used to place ads in apps or to track users' engagement with ads."
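A check of this kind can be sketched as follows. This is an added example, not AppCensus's code: it assumes decrypted outbound requests captured from a test device whose identifiers are known, and every device value, hostname and parameter name in it is constructed.

```python
import hashlib
from urllib.parse import unquote_plus

# Constructed identifiers of a hypothetical test device (not real values).
DEVICE = {
    "ad_id": "38400000-8cf0-11bd-b23e-10b96e40000d",  # resettable
    "imei": "490154203237518",
    "wifi_mac": "02:00:5e:10:00:01",
    "serial": "R58M12ABCDE",
}
PERSISTENT = ("imei", "wifi_mac", "serial")  # non-resettable identifiers


def _variants(value):
    """Forms an SDK might send: raw, separator-free, or MD5/SHA-1/SHA-256 hashed."""
    plain = {value.lower(), value.lower().replace(":", "").replace("-", "")}
    hashed = {hashlib.new(algo, v.encode()).hexdigest()
              for v in plain | {value.upper()}
              for algo in ("md5", "sha1", "sha256")}
    return plain | hashed


def identifiers_in(payload, device=DEVICE):
    """Names of the device identifiers present in one request payload."""
    text = unquote_plus(payload).lower()
    return {name for name, value in device.items()
            if any(v in text for v in _variants(value))}


def audit(flows, device=DEVICE):
    """Flag flows where the ad ID travels with a non-resettable identifier."""
    findings = []
    for host, payload in flows:
        found = identifiers_in(payload, device)
        persistent = sorted(found.intersection(PERSISTENT))
        if "ad_id" in found and persistent:
            findings.append((host, persistent))
    return findings


# Constructed sample flows (host, query string or body); names are hypothetical.
AD_ID = DEVICE["ad_id"]
FLOWS = [
    ("ads.example.net", f"gaid={AD_ID}&imei=490154203237518"),
    ("track.example.org", f"adid={AD_ID.upper()}&mac=02%3A00%3A5E%3A10%3A00%3A01"),
    ("cdn.example.com", f"adid={AD_ID}&os=android"),
    ("metrics.example.net",
     f"aid={AD_ID}&h={hashlib.sha1(b'490154203237518').hexdigest()}"),
]
```

Calling `audit(FLOWS)` reports three of the four constructed flows, including the one that sends the IMEI only as a SHA-1 hash; the flow carrying the ad ID on its own is not flagged.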

Google Play Store Ad ID policy rules

Google needs to put more emphasis on privacy

However, in a statement sent to CNET, a Google spokesman said, "We take these issues very seriously. It is strictly prohibited to combine ad IDs with device IDs for the purpose of ad customization. We continually review applications, including those listed in the researcher's report, and take action when they do not comply with our policies." [emphasis added]

In addition, as Google states in its 2018 annual report on the Google Play Store, the company rejected over 55% more Android app submissions than in 2017, and also increased the rate of app suspensions by about 66% compared with the previous year.

Although Google also stated in its annual report that in 2018 it "had rejected or removed tens of thousands of apps that did not comply with Play's rules regarding user data and privacy", it seems that a few thousand other apps have probably slipped through into the Google Play Store.
