18,000 Android apps with tens or hundreds of millions of installs on the Google Play Store have been found to violate Google’s Play Store Advertising ID policy guidance by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers, and sending them to mobile advertising related domains alongside ad IDs.
The issue here is that, while some of the companies behind these apps will most probably say that they’re not actually using persistent device identifiers for ad targeting, they are still violating the Google Play Store Advertising ID policy guidance.
Sending non-resettable identifiers besides the ad ID is especially worrisome considering that it effectively removes “the privacy-preserving properties of the ad ID” as explained in a report published by AppCensus.
To further illustrate why this is an issue, Appcensus’ Serge Egelman says that “in 2017, it was major news that Uber’s app had violated iOS App Store privacy guidelines by collecting non-resettable persistent identifiers. Tim Cook personally threatened to have the Uber app removed from the store.”