There’s a never-ending debate about Android privacy because Android is owned by Google, which gives iPhone users a reason to boast about the privacy iPhones offer. But are iPhones really better than Androids in terms of data privacy? Let’s find out!
YES. Let’s imagine the following scenario:
Mr. Wang searched for Nike shoes in the morning and soon found that, whether he was on TikTok, Twitter or FB, he was seeing all kinds of ads for sneakers.
Miss Liu found that her shampoo was running out. She was planning to buy one. She found that Amazon’s shampoo ad had been pushed to her mobile phone.
Why can advertisers always target their advertisements so accurately?
The answer is “big data” analysis. Every action, browsing record, piece of content we follow, app we use and other information about our Internet use is recorded, and users are profiled according to different behavior weights.
When enough data is collected, it is possible to build a portrait of a user: their gender, age, sexual orientation, marital status, education level, interests, where they live, wealth status and so on.
Finally, users are classified to achieve the goal of prediction and accurate ad delivery.
What’s puzzling is that the account I registered with Amazon is 123456, the account I registered with TikTok is 654321, and the account I registered with Facebook is 142536.
How can businesses accurately work out which user is me across different apps and activities?
To do this, they need a marker for each user: a unique device identifier (UDID). Although users register different accounts in different apps, most users do not replace their mobile devices often.
As long as it can tag your mobile phone, Amazon will know not only your shopping behavior but also your social behavior, gaming behavior, entertainment behavior, and so on. Of course, the same is true for other companies.
So how do advertisers uniquely identify devices?
Android
In general, there are three device IDs commonly used for Android devices:
1. Device ID: it can be obtained through the TelephonyManager service provided by the system and is unique. This includes IMEI and MEID / ESN.
2. IMEI: International Mobile Equipment Identity, commonly referred to as the “mobile phone serial number”.
It is used to identify each individual mobile phone and other mobile communication devices in the mobile phone network, which makes it the equivalent of an ID card for the phone.
It is marked on the motherboard and cannot be changed unless the mobile phone (motherboard) is replaced. Android systems above 6.0 require users to grant the “READ_PHONE_STATE” permission, so (in theory) it cannot be obtained if users refuse.
3. MAC address: local area network address, including the WiFi MAC and Bluetooth MAC, which is used to confirm the location of network devices. It can be used to obtain the user’s location information.
In fact, since Android 6.0, Google has paid attention to “the abuse of user privacy”, and added the corresponding “permissions management system” to help users manage personal privacy.
So newly installed apps now request certain permissions when they are started, and users can choose to allow or deny them.
But! Google has played a shabby, insidious trick here!! When a user refuses a certain permission, the system tells the app that “this user refused you”.
For well-behaved apps, a refusal is okay. But some rogue apps will tell you: if you refuse my request, I will not let you use me!
Unfortunately, some national applications in mainland China, such as WeChat, rely on their monopoly status to do so. If you tap “cancel”, the app is forced to exit.
Technically, Google could return them a bunch of useless data when users refuse. Google didn’t do this, not because it didn’t know how or had technical barriers, but because it did it on purpose! After all, Google itself is the world’s largest advertising company!!
When a user grants the app TelephonyManager permission, it allows the app to record not only unique hardware information such as the IMEI but also the user’s mobile number. Even if the user changes phones in a few years, as long as they don’t change the number, they still can’t get rid of tracking by advertisers.
Some users with strong hands-on abilities may restrict apps through appops, root and other methods. However, the vast majority of users cannot root their phones.
Due to Android’s open nature, appops and other tools can try to prevent an app from accessing files, address books, locations, and so on. But they still cannot stop some “rogue manufacturers” from marking user devices.
iOS
Let’s talk about several device IDs for iOS devices:
1. IMEI: International Mobile Equipment Identity code, which apps have been forbidden to obtain after iOS 5.
2. IDFA: the Identifier for Advertisers, which was introduced in iOS 6, is a compromise scheme to meet the tracking needs of advertisers and ensure that user devices are not tracked by the app. All apps on the same device get the same IDFA. The user can reset or turn off IDFA in the settings. Resetting the phone will also reset IDFA. It is currently the most important way to mark iOS devices.
3. IDFV: identifier for advertisers, which can be used to analyze the user’s behavior in the application. Different developers’ apps on the same device get different IDFVs. After the user uninstalls all apps from the same developer, it is reset.
4. MAC address: including the WiFi MAC address and Bluetooth MAC address. After iOS 7, apps were forbidden to obtain it.
5. UDID: it is bound to the mobile phone to indicate the uniqueness of the device. After iOS 6, apps were forbidden to obtain it.
6. OpenUDID: a third-party user marking method. It can be changed after restoring the mobile phone. After iOS 7, apps are forbidden to obtain it.
Apple has always been a company that claims to be focused on user privacy. As a result, Apple made it clear that “tracking users is prohibited.”
In fact, in iOS 5 and before, Apple allowed manufacturers to freely obtain the UDID and IMEI codes bound to mobile phones.
However, since iOS 6, Apple has banned apps from acquiring the IMEI in order to protect users’ privacy. But considering that advertisers want to monitor the effectiveness of advertising, a set of “hardware-independent identifiers” was invented to provide advertisers with “advertising tracking”.
This is IDFA (advertising identifier). At the same time, Apple allows users to “reset new IDFA” in the settings to avoid long-term tracking.
Because IDFA is not unique (different apps get different IDFA, and users can reset it freely), as soon as it was launched it was resisted by developers.
They found a way to get the UDID (bound to the hardware, identifying device uniqueness). This caused Apple’s fury, so on May 1, 2013, Apple refused to put “those UDID collecting apps” on the App Store. Of course, witty developers came up with other ways to keep track of users, by getting the MAC address or OpenUDID.
In September 2013, iOS 7 was released, and Apple completely prohibited access to the MAC address and OpenUDID. Because iOS is a closed platform, apps that do not meet the specifications are prohibited from being put on the shelves, so although IDFA (advertising identifier) can be reset by users, it has become the most common way for advertisers to mark users (and many users will not reset IDFA).
In June 2016, Apple released iOS 10. This time, Apple added the option of “restrict ad tracking”. Before iOS 10, users could reset IDFA repeatedly, but could not turn it off completely.
From iOS 10, as long as the user turns on this option, the app can only get a string of meaningless 0s!
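To make the cross-app linking described earlier concrete, and to show what the iOS identifier controls change, here is an added example (not part of the original article): a simplified Python model in which three apps report a device identifier under three policies. The device secrets, the second phone's accounts and the HMAC derivation are constructed assumptions for illustration, not how any operating system computes its identifiers.

```python
import hashlib
import hmac
import uuid
from collections import defaultdict

# What apps receive when the user has restricted ad tracking.
ZERO_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample data: two phones, three apps, a different account in each app.
DEVICES = {"phone-A": b"secret-A", "phone-B": b"secret-B"}
ACCOUNTS = {
    ("phone-A", "Amazon"): "123456", ("phone-A", "TikTok"): "654321",
    ("phone-A", "Facebook"): "142536",
    ("phone-B", "Amazon"): "777001", ("phone-B", "TikTok"): "777002",
    ("phone-B", "Facebook"): "777003",
}

def reported_id(device, app, policy):
    """Identifier the OS hands to `app` under a policy (simplified model)."""
    if policy == "zeroed":
        return ZERO_ID
    # device_wide: one value for every app on the phone (IMEI, UDID, IDFA).
    # per_vendor: the value also depends on the app's vendor (IDFV-like);
    # each app here is assumed to come from a different vendor.
    scope = b"" if policy == "device_wide" else app.encode()
    digest = hmac.new(DEVICES[device], scope, hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16]))

def link_accounts(policy):
    """Group (app, account) pairs that report the same identifier."""
    groups = defaultdict(set)
    for (device, app), account in ACCOUNTS.items():
        ident = reported_id(device, app, policy)
        if ident == ZERO_ID:
            # All-zero carries no identity; joining on it would merge
            # every opted-out user into one meaningless profile.
            continue
        groups[ident].add((app, account))
    # Only groups that span more than one app are cross-app profiles.
    return sorted(sorted(g) for g in groups.values()
                  if len({a for a, _ in g}) > 1)

if __name__ == "__main__":
    for policy in ("device_wide", "per_vendor", "zeroed"):
        print(policy, link_accounts(policy))
```

With a device-wide identifier the three unrelated account names collapse into one profile per phone; with a per-vendor or zeroed identifier there is nothing to join on.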
Since the user can reset IDFA in the settings, is there any way to continue tracking after the user resets it?
Rogue developers certainly have solutions. Apple provides a function: all app login information is saved in the Keychain, and the information saved in the Keychain is not deleted when the app is deleted.
This function was originally designed to “make it easier for developers to provide device-based free trials and to read previous account login information”.
However, it is abused by some rogue developers, who store IDFA/IDFV information in the Keychain to ensure that they can continue to track users even after they reset IDFA or uninstall and reinstall the app.
Of course, Apple is also aware of the abuse of the Keychain, so in the test versions of iOS 10 and iOS 11 the vulnerability was blocked (if the app was deleted, the data previously stored in the Keychain was also cleared). But developers were strongly opposed to it (because many normal functions also rely on the Keychain), so this feature was rolled back in the official version.
However, to prevent misuse of the Keychain, Apple launched a new “DeviceCheck” function in iOS 11, which allows developers to communicate with Apple’s servers through their own servers and set two bits of data for a single device, in order to track things about users such as whether they have received rewards.
For example, a user tries an application for free on their phone during a certain month, during which DeviceCheck records the status of the phone as “status A”.
After the trial period, the user stops using the free software, and DeviceCheck will record the device status as “status B”.
After the user deletes the software or initializes the iPhone, DeviceCheck will put the phone in “status B” again, which avoids the problem of the user “trialing the software again”.
At present, the DeviceCheck function is not mandatory. Developers can still track users through IDFA + Keychain. However, it can be predicted that this loophole will be blocked in the future.
Of course, there are many ways to track users. Device identification is just one of them. Others include third-party device fingerprinting (Umeng, TalkingData), account login systems (via FB, Twitter, Google, etc.), operators and network terminals (some free WiFi), etc. But in terms of devices and operating systems alone, for ordinary users, iOS really can protect users’ privacy better than Android!