Mobile devices expose unique identifiers that can be used to identify users across applications or devices. These identifiers put user privacy at risk, as they might allow the tracking of user activity without consent, while making it difficult or impossible for users to reset them.

Privacy violations can cause apps to be removed from app stores and can result in legal action or loss of trust from users.

Ask Yourself Whether

• The identifier is used to track users between applications or devices.
• The identifier cannot be easily reset by the user.
• The identifier is connected to personally identifiable information.
• The identifier is linked to the device hardware (MAC address, IMEI, etc).

There is a risk if you answer yes to any of these questions.

Recommended Secure Coding Practices

• Whenever possible, use identifiers that users can easily reset.
• Don’t link identifiers to personally identifiable information without collecting users' explicit consent.
• Avoid using identifiers that are linked to the device hardware (MAC address, IMEI, etc).
• Only use the Advertising ID for user profiling or ads use cases.

For ads use cases, use the Advertising ID provided by the platform. This identifier is designed to be reset by the user and has an associated Personalized Ads flag.

For non-ads use cases, the most privacy-friendly identifiers that can be used are:

• Firebase installation ID (FID)
• A privately stored GUID generated by the app

Sensitive Code Example

String uid = Settings.Secure.getString(contentResolver, Settings.Secure.ANDROID_ID); // Sensitive
User user = new User(
    uid,
    "John",
    "Doe",
);

Compliant Solution

String uid = UUID.randomUUID().toString();
User user = new User(
    uid,
    "John",
    "Doe",
);

See

• OWASP - Mobile Top 10 2024 Category M6 - Inadequate Privacy Controls
• CWE - CWE-213 - Exposure of Sensitive Information Due to Incompatible Policies
• Android Documentation - Best practices for unique identifiers