18,000 Android apps with tens or hundreds of millions of installs on the Google Play Store have been found to violate Google's Play Store Advertising ID policy guidance by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers, and sending them to mobile advertising related domains alongside ad IDs.

The issue here is that, while some of the companies behind these apps will most probably say that they're not actually using persistent device identifiers for ad targeting, they are still violating the Google Play Store Advertising ID policy guidance.

Sending non-resettable identifiers besides the ad ID is especially worrisome considering that it effectively removes "the privacy-preserving properties of the ad ID" as explained in a report published by AppCensus.

To further illustrate why this is an issue, Appcensus' Serge Egelman says that "in 2017, it was major news that Uber’s app had violated iOS App Store privacy guidelines by collecting non-resettable persistent identifiers. Tim Cook personally threatened to have the Uber app removed from the store."

18k apps transmit the ad ID alongside persistent identifiers

AppCensus is an organization based in Berkeley, California, and created by researchers from all over the world with expertize in a wide range of fields, ranging from networking and privacy to security and usability. The project is supported by "grants from the National Science Foundation, the Department of Homeland Security, and the Data Transparency Lab."

By highlighting this behavior, AppCensus shows that while users are being offered the option to reset the advertising ID, doing so will not immediately translate into getting a new "identity" because app developers can also use a multitude of other identifiers to keep their tracking and targeting going.

Advertising ID reset option on iOS and Android

Below you can find the top 20 most popular applications by the number of installs in the Google Play Store found to violate Google's Usage of Android Advertising ID policies according to Egelman:

As detailed by Egelman:

All of the domains receiving the data in the right-most column are either advertising networks, or companies otherwise involved in tracking users’ interactions with ads (i.e., to use Google’s language, “any advertising purposes”). In fact, as of today, there are over 18k distinct apps transmitting the Ad ID alongside other persistent identifiers.

Google did not yet respond to a report sent by AppCensus in September 2018 containing a list of 17,000 Android apps that send persistent identifiers together with ad IDs to various advertising networks, also attaching a list of 30 recipient mobile advertising related domains where the various IDs were being sent.

While looking at the network packets sent between the apps and these 30 domains, AppCensus observed that "they are either being used to place ads in apps, or track user engagement with ads."

Google Play Store Advertising ID policy guidance

Google needs more focus on privacy

However, in a statement sent to CNET, a Google spokesperson said that "We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies." [emphasis added]

Additionally, as revealed by Google in its 2018 Google Play Store yearly review, the company rejected 55% more Android app submissions than it did in 2017, and it also increased the app suspension rate by approximately 66 percent year-over-year.

Although Google also said in the yearly review that during 2018 they "rejected or removed tens of thousands of apps that weren't in compliance with Play's policies related to user data and privacy," it seems that a few other thousands of apps might have trickled in into the Google Play Store.