Fingerprinting SDKs for Mobile Apps and Where to Find Them: Understanding the Market for Device Fingerprinting
Michael A. Specter, Mihai Christodorescu, Abbie Farr, Bo Ma, Robin Lassonde, Xiaoyang Xu, Xiang Pan, Fengguo Wei, Saswat Anand, Dave Kleidermacher

TL;DR
This large-scale study analyzes third-party SDK behaviors in mobile apps, revealing that fingerprinting is widespread across various SDK types and not limited to advertising SDKs, complicating mitigation efforts.
Contribution
The paper provides the largest dataset and analysis of SDK fingerprinting behaviors, highlighting the diversity and complexity of exfiltration signals in mobile ecosystems.
Findings
Ads SDKs account for 30.56% of fingerprinting behaviors.
Nearly 24% of fingerprinting SDKs have unknown or unclear purposes.
Only 2% of exfiltrated APIs are used by most SDKs, complicating detection.
Abstract
This paper presents a large-scale analysis of fingerprinting-like behavior in the mobile application ecosystem. We take a market-based approach, focusing on third-party tracking as enabled by applications' common use of third-party SDKs. Our dataset consists of over 228,000 SDKs from popular Maven repositories, 178,000 Android applications collected from the Google Play store, and our static analysis pipeline detects exfiltration of over 500 individual signals. To the best of our knowledge, this represents the largest-scale analysis of SDK behavior undertaken to date. We find that Ads SDKs (the ostensible focus of industry efforts such as Apple's App Tracking Transparency and Google's Privacy Sandbox) appear to be the source of only 30.56% of the fingerprinting behaviors. A surprising 23.92% originate from SDKs whose purpose was unknown or unclear. Furthermore, Security and…
Taxonomy
Topics: Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting · User Authentication and Security Systems
