Android Identifiers

marcdw · July 9, 2021, 10:30am

At the time I installed one of my older ROM installations, Bootleggers Oreo on Moto G5s PLUS with microG, I was more concerned with not having GApps than with security or privacy. It has Play Store and various apps I otherwise wouldn’t install today. One of those is Instagram (Barinsta, formerly Instagrabber is now used elsewhere). It doesn’t get updated much as I kept it inline with the XInsta Xposed module. Currently on version 155.
I recently realized that Instagram (at least v155) has no trackers but it does have an SSAID. Described thusly in App Manager…

SSAID (Settings_Secure_ANDROID_ID) is a device identifier assigned to each app (from Android Oreo). It is widely used by apps to track users.

Not sure how true that last statement is so I went searching. There’s quite a bit out there and I’m unsure if SSAID is a bad thing or not. Don’t know if there’s a way to sort apps in App Manager by SSAID so I had to check a few apps to see which had it (Play Store and XDA Developers are two). But then again, AdAway also has an SSAID and it’s not from the Play Store, obviously.

Regardless, my searches led me to an informative little article from IzzyOnDroid (probably the most popular third-party repo for F-Droid and a must-have in my opinion). A basic overview of Android Identifiers and a good starting point for learning more.

Android Identifiers: How Android devices and their users are identified

The article, btw, was last updated 2017. Quite old but still a nice overview.

EDIT: In the past I used to use an app called Paranoid for Android (Play/Aurora Store and /e/ Apps) for checking permissions. It would show permissions that apps used that wasn’t totally clear via Android’s settings. CyanogenMod’s/Lineage’s Privacy Guard (and whatever it’s called today - something under Trust) would show quite a bit of extra permissions used not readily apparent in AppInfo. For AOSP-based ROMs Paranoid was useful/helpful but it hasn’t been updated since January 2020. Used it to find what didn’t seem right and control permissions via Privacy Guard or AppOps. Today, apps like App Manager (via its App Ops tab) or LOS’ Privacy Guard (to a lesser degree) can disable permissions above and beyond the broad-based toggles in AppInfo.

Side note on F-Droid repos. In other threads there was mention of Firefox and Brave not available from F-Droid. That’s true when referring to the main F-Droid repo. Other repos can be added to get easy and regular access to various other apps. IzzyOnDroid (mostly straight from GitHub), “Firefox” (stable, nightlies, Focus/Klar, Signal, etc), Guardian (Tor Browser), microG, NanoDroid, Molly (Signal forks), NewPipe, Collabora Office, DivestOS (Mull browser - hardened Firefox/Fenix, GMaps WV, etc.), Bromite, and others.
Add what you need and take full advantage of the F-Droid or F-Droid Classic app. Obviously you wouldn’t enable the microG repo on /e/OS but you get the idea.

Second Wind repo is interesting. Apps that are useful when you are offline. Check their website.

F-Droid Known Repositories

egx470 · July 9, 2021, 1:11pm

The repo pointers/link & IDs are helpful. Thank you!

nottolino · July 9, 2021, 1:49pm

Your posts and links are always worth reading, @marcdw. Thanks.

May I ask if you have something similar on the apple side ?

Taurus · July 9, 2021, 1:55pm

I think you can assume that if Facebook/Instagram make use of it, then it is a bad thing.

tcecyk · July 10, 2021, 12:57pm

as Izzy writes, “Starting with Android 8 (Oreo), this ID stops to be global: each app will get its own SSAID, which should limit tracking across apps.” - but Apps signed with the same developer keys get the same SSAID, so companies with multiple Apps can relate cross-App per User, but making it non-global defused marketplace cross tracking.

Btw, it seems I can reset it easily (sticks on reboot), but then this could be the ID presented to the Settings App only. After all, I think microG is generating random identifiers where it can (have to look for the doc link).

I skimmed the 2021 Dough Leith Paper for Android ID, in Stock Android this is phoning home - as quoted from Page 10 within “VII. Connections when interacting with Settings App - B. Google Android”

When the Settings app is opened and a user navigates amongst the various options the following network connections are observed:

The helprtc process makes connections to firebaseinstallations.googleapis.com and android.clients.google.com. These send the FirebaseId and the device Android Id.

A connection is made to pagead2.googlesyndication.com that appears to send identifiers

Telemetry is sent to www.google.com. This is tagged with the device Android Id, the phone IMEI and includes mobile carrier details as well as information on the radio signal strength, battery level, volume settings, number of handset reboots, whether the phone is rooted.

That said about the system (what /e/ will or already did something about, like microG generating identifiers) - App developers have myriad of ways to create bits of device information from higher level API access, see the ideas in https://stackoverflow.com/questions/2785485/is-there-a-unique-android-device-id … one doesn’t need much to fingerprint a device, similar to Browsers as in https://coveryourtracks.eff.org/

system · August 8, 2021, 8:30pm

This topic was automatically closed after 30 days. New replies are no longer allowed.