On the (In)Security of Non-resettable Device Identifiers in Custom Android Systems
Zikan Dong, Liu Wang, Guoai Xu, Haoyu Wang
TL;DR
This paper investigates the security and privacy implications of non-resettable device identifiers exposed through covert channels in custom Android ROMs. It introduces IDRadar, a static-analysis pipeline that combines usage analysis, heuristic filtering, manual verification, and access-control auditing to identify system properties and settings that store non-resettable identifiers across 1,814 ROMs. The study reveals thousands of such properties/settings, with a large fraction lacking adequate access control, and validates findings via remote real-device testing and PoCs across dozens of devices and brands. The work demonstrates that covert channels enable widespread, permissionless access to stable identifiers, advocates for stronger access-control and testing practices, and highlights recurring vulnerabilities within the same OEM families, underscoring significant privacy risks in customization ecosystems.
Abstract
User tracking is critical in the mobile ecosystem, which relies on device identifiers to build clear user profiles. In earlier ages, Android allowed easy access to non-resettable device identifiers like device serial numbers and IMEI by third-party apps for user tracking. As privacy concerns grew, Google has tightened restrictions on these identifiers in native Android. Despite this, stakeholders in custom Android systems seek consistent and stable user tracking capabilities across different system and device models, and they have introduced covert channels (e.g., system properties and settings) in customized systems to access identifiers, which undoubtedly increases the risk of user privacy breaches. This paper examines the introduction of non-resettable identifiers through system customization and their vulnerability due to poor access control. We present IDRadar, a scalable and accurate approach for identifying vulnerable properties and settings on custom Android ROMs. Applying our approach to 1,814 custom ROMs, we have identified 8,192 system properties and 3,620 settings that store non-resettable identifiers, with 3,477 properties and 1,336 settings lacking adequate access control, which can be abused by third-party apps to track users without permissions. Our large-scale analysis can identify a large number of security issues which are two orders of magnitude greater than existing techniques. We further investigate the root causes of these access control deficiencies. Validation on 32 devices through the remote testing service confirmed our results. Additionally, we observe that the vulnerable properties and settings occur in devices of the same OEMs. We have reported our findings to the vendors and received positive confirmations. Our work underscores the need for greater scrutiny of covert access channels to device identifiers and better solutions to safeguard user privacy.