Almost 18000 Android apps were found to be violating Google’s Play Store Advertising ID policy guidance. These apps have hundreds of millions of installs in the Google Play Store.
These apps violate Google’s Advertising ID policy by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, and SIM card serial numbers. The apps collect persistent device identifiers and send them to advertising domains for ad targeting.
In a report published on 14 February 2019, AppCensus described the behavior of Ad IDs and stated that, in addition to Ad IDs, sending non-resettable identifiers is especially troublesome because it can effectively remove “the privacy-preserving properties of the ad ID.”
Highlighting this behavior, AppCensus explained that users have the option to reset the ad ID; however, resetting it will not immediately translate into getting a new identity, because app developers can use a multitude of other identifiers to continue their tracking.
Top 20 apps
AppCensus reported the top 20 Android apps by the number of installs in the Google Play Store that violate Google’s Ad ID policy.
The top 5 apps include,
The following 15 apps complete the rest of the ‘top 20 list’ with 100 million installs each,
Tracking user engagements with ads
In a September 2018 report, AppCensus listed 17000 Android apps that send persistent identifiers along with Ad IDs to various advertising domains. The report also contains a list of 30 advertising domains to which the persistent identifiers and Ad IDs were sent.
While analyzing the network packets sent between these Android apps and the 30 ad domains, AppCensus noted that the domains are used either to place ads in apps or to track user engagement with ads.
“All of the domains receiving the data in the right-most column are either advertising networks or companies otherwise involved in tracking users’ interactions with ads (i.e., to use Google’s language, “any advertising purposes”). In fact, as of today, there are over 18k distinct apps transmitting the Ad ID alongside other persistent identifiers,” the AppCensus report read.
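One way to flag the pattern described above, traffic in which the Ad ID travels together with a persistent identifier, is to search each captured request for both. This is an added example, not AppCensus's code; the device values, hostnames, parameter names and the set of encodings checked (plain, separator-stripped, MD5, SHA-1) are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import parse_qsl, urlsplit

# Constructed test-device values (not real identifiers).
AD_ID = "38400000-8cf0-11bd-b23e-10b96e40000d"
PERSISTENT = {
    "imei": "490154203237518",
    "wifi_mac": "02:00:5e:10:00:01",
    "serial": "ZX1G42CPJD",
    "sim_serial": "8991101200003204510",
}

def encodings(value):
    """Forms an identifier may take on the wire (assumed set, lower-cased)."""
    v = value.lower()
    forms = {v, v.replace(":", "").replace("-", "")}
    for f in list(forms):
        forms.add(hashlib.md5(f.encode()).hexdigest())
        forms.add(hashlib.sha1(f.encode()).hexdigest())
    return forms

def find_violations(flows, ad_id=AD_ID, persistent=PERSISTENT):
    """Return (host, [identifier names]) for each flow that carries the
    ad ID together with at least one persistent identifier."""
    ad_forms = encodings(ad_id)
    known = {name: encodings(raw) for name, raw in persistent.items()}
    findings = []
    for url, body in flows:
        parts = urlsplit(url)
        pairs = parse_qsl(parts.query) + parse_qsl(body)
        values = {v.lower() for _, v in pairs}
        if not values & ad_forms:
            continue  # no ad ID in this request, so nothing to combine
        leaked = sorted(n for n, forms in known.items() if values & forms)
        if leaked:
            findings.append((parts.hostname, leaked))
    return findings

# Constructed sample flows: (URL, form-encoded request body).
FLOWS = [
    ("https://ads.example.net/v1/req?aid=" + AD_ID + "&imei=490154203237518", ""),
    ("https://track.example.org/e",
     "gaid=" + AD_ID.upper() + "&m=" + hashlib.md5(b"02005e100001").hexdigest()),
    ("https://cdn.example.com/i?aid=" + AD_ID, ""),      # ad ID alone
    ("https://api.example.com/login", "serial=ZX1G42CPJD"),  # no ad ID
]

if __name__ == "__main__":
    for host, names in find_violations(FLOWS):
        print(host, names)
```

Only the first two flows are reported: the third carries the ad ID alone and the fourth carries a serial number without an ad ID.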
Google and the app makers' statements
A Google spokesperson said that the company takes these issues very seriously.
“Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies,” a Google spokesperson told ZDNet.
Among the 20 listed Android apps, the developer of Angry Birds stated that it is conducting an investigation into the issue.
“We are still completing the full investigation on the matter, but we have not initially been able to find any persistent identifiers of our users being passed to said third parties,” a spokesperson for Rovio, the makers of Angry Birds, said.
Cheetah Mobile, the developers of Clean Master, said that it adheres to all relevant Google Play policies and GDPR requirements.
“The company endeavors to adhere to all relevant Google Play policies and GDPR requirements and we respect our users' privacy and are transparent with them regarding how we collect and use their data,” Cheetah Mobile said.
“Cheetah Mobile integrates third party's SDK such as AppsFlyer into its apps to track and validate the installation of Cheetah Mobile's own products. Cheetah Mobile does not perform ad monetization through the third party SDK. The business relationship between Cheetah Mobile and third-parties does not include any personalized advertising,” the company added.