Last week, our team launched Fingerprint Android, an open-source library for accurately identifying Android devices using all available signals.
In this article, we explain some of the current challenges of Android device identification, and how device fingerprinting can be a stable and reliable alternative to system-generated identifiers like ANDROID_ID that are likely to be discontinued in the future.
Device identification is an essential part of a mobile developer’s toolkit for detecting and preventing fraud.
An accurate and persistent device ID can flag users that are most likely to commit fraud, and mitigate fraudulent attempts by incorporating authentication flows or blocking users based on their usage history. From download to login to payment, the number of ways a malicious actor can commit fraud is ever increasing, and depending on your application, the most lucrative forms of fraud will vary.
Android developers had it easy in the past, with access to several system-provided identifiers including hardware signals and the system-generated Android ID (or SSAID). However, many of these signals are now unavailable to app developers, with more expected to be removed, restricted, or require opt-in permissions from users in coming updates. Additionally, remaining methods of identification including SSAID are easy for dedicated fraudsters to spoof, providing little protection against sophisticated fraud attacks.
There have historically been three main ways to identify a device in Android without the use of device fingerprinting.
All of these methods share a common theme: they are ineffective for some use cases today, or are likely to be discontinued in the near future. Android developers need to find alternative ways to uniquely identify users before these options are no longer available.
Android used to provide access to hardware identifiers such as MAC address, IMEI, and others. But due to privacy changes for Android 10, access has been restricted. Now every app that needs to use these identifiers must go through an onerous review process for the Play Market.
Pros and Cons:
This method works like cookies in a browser, in that a unique ID is generated and stored on the Android device. But, as with cookies, this file can be cleared by the user, in this case by uninstalling the app.
Pros and Cons:
Android provides a few IDs for advertisement or fraud prevention cases.
Pros and Cons:
Fingerprinting techniques have already become an essential tool for identifying devices. Our open source browser fingerprinting library has over 12K stars on Github and is used by 8,000+ websites. Fingerprinting techniques on their own have been found to be over 90% accurate in correctly identifying a unique user in the browser, and when combined with usage history, fuzzy matching, and probability engines, this accuracy can be further improved.
One of the main advantages of device fingerprinting is that it is stateless. A well-implemented fingerprint can remain stable through multiple sessions, incognito browsing, uninstalling or reinstalling apps, or clearing cookies.
While browser fingerprinting has approached ubiquity in recent years, the best kept secret in fingerprinting technology is its potential for applications beyond the browser. Mobile device fingerprinting allows app developers to identify users applying more sources of entropy than is available inside the browser. Some of the sources that can be used are:
A combination of these signals is unique for the vast majority of devices, and can be used for device identification. Most importantly, it is much harder to circumvent, as it is difficult to spoof all of the available signals. Because of this, fingerprinting is a good option for fraud detection applications.
Pros and Cons:
The Fingerprint Android library combines all the techniques mentioned above to provide two stable and unique identifiers.
The first identifier provided is the DeviceID, which relies on GSF ID and ANDROID ID. They are stable but it is possible to spoof them with the Xposed framework (as mentioned above).
For instances where you want to mitigate the risk of users spoofing their DeviceID, the library also generates a Device Fingerprint. Our fingerprinting process collects over 50 platform signals and calculates a unique hash for each user. You can easily see all the signals that are collected and the resulting Device Fingerprint in our playground app.
The library aims to generate a Device Fingerprint with the best balance of stability and uniqueness. As such, the default Device Fingerprint hash omits installed application signals. Application signals are not stable because users can install or uninstall applications. But these signals are useful when you need a highly unique fingerprint, as users rarely have the same set of installed applications.
Hardware signals, on the other hand, remain the same even after a factory reset and so are highly stable and contribute to an incremental increase in uniqueness. As such, we include hardware signals in our recommended Device Fingerprint configuration.
The advantage of using our Android Fingerprint library is that the stability and uniqueness of the recommended DeviceID will be further improved over time by our team and the open-source community. However, the library is built to be flexible, and allows developers to change the platform signals manually if there is a need.
The process of device identification is already complicated, and will likely become much more complicated in the future, as happened with iOS and IFDA, Apple’s advertising identifier.
To apply IFDA as an identifier, the user now has to provide explicit opt-in permissions to be tracked for advertising purposes. This is a common trend for increasing user’s privacy across many platforms, but it makes fraud prevention with these identifiers unreliable. Our library does not require any additional permissions, and will be kept up-to-date with Android’s policies to guarantee that users can be identified with a high degree of accuracy as rules change.
Our Android Fingerprint library provides a stable Device Fingerprint that is generated using all available platform signals. Using the library is a way for developers to consistently get a reliable device ID regardless of accessibility and stability changes over time.
The library is fully written in Kotlin – a modern and safe language that helps to make sure the library does not crash. It also does not require any transitive dependencies (except kotlin-stdlib for Java-only projects). The integration needs only a few lines to add the dependency. It provides convenient forward and backward compatibility without unexpected fingerprint changes during updates.
We are excited to see what the open source community will build with our Android Fingerprint library.
Signals generated by the use of an ad blocker can improve browser fingerprinting accuracy. This novel browser fingerprinting method, while oft-discussed as a theoretical source of entropy, has only just been added to FingerprintJS as of April 2021.