Thousands of Android apps are tracking users through MAC address or Android ID
And they continue tracking users even when asked to stop
Thousands of Android apps are creating a permanent record of users' smartphone activity and sharing it with advertisers, a new study by researchers from the International Computer Science Institute has revealed.
Researchers say there are about 17,000 such apps, violating Google's policies on what kind of user activities can be tracked and shared with advertisers. Some of these apps even track user activities even when they explictly ask the app to stop doing so.
The apps in question include some popular apps like Angry Birds Classic, Clean Master, news aggregator Flipboard, and the Audiobooks app from Amazon-owned Audible.
Persistent identifiers are the bread and butter of the online tracking industry. They allow companies to learn the websites that you visit and the apps that you use
Researchers found that these apps track user activities by reading advertising IDs - the unique number assigned to each smartphone to personalise ads. Then, they link the advertising ID with other, more permanent, device identifiers, such as MAC address, Android ID or IMEI number.
While smartphone users can easily reset their smartphone's advertising ID by clearing cookies, it is difficult or impossible to reset or turn off the permanent identifier of a smartphone.
"Persistent identifiers are the bread and butter of the online tracking industry. They allow companies to learn the websites that you visit and the apps that you use, including what you do within those apps," the researchers wrote in their paper.
Google's best practices for developers recommend that they can collect only Advertising IDs of the smartphone, however, findings of the new research show that only a third of the apps that "collect identifiers take only the Advertising ID."
This means other two-thirds of the apps are collecting all types of unique identifiers assigned to a phone.
The findings of the research were reported to Google in September, according to Serge Egelman, who led the research.
The online advertising giant said it had already started taking action on some apps, although it declined to reveal the names of those apps or the action taken.
The company said that it enables app developers to collect the Android ID and hardware identifiers for some specific purposes, such as fraud detection, but not for the targeting of advertisements.
"We take these issues very seriously," a Google spokesperson told CNET.
"Combining Ad ID with device identifiers for the purpose of ads personalisation is strictly forbidden. We're constantly reviewing apps - including those listed in the researcher's report - and will take action when they do not comply with our policies."