How can an app identify that it was reinstalled on the same device?

dlfantoma

More specifically, I have observed the following:

I install my banking app and it registers a payment confirmation token (whatever, this isn't really the point);
I then uninstall the app (or clear storage from app settings, same behavior is observed);
I reinstall the app. Then I just open the app (as if for the first time), and the banking app somehow detects that it's being installed on an already known device, because I get an SMS from the bank notifying me that the token has been disabled (again, specifics don't matter).

This means that somehow, even after reinstall, the app detects that it's being installed on an already known device.

Question is how can an app detect that it's being reinstalled on the same device? Is there a unique device ID that all apps have access to?

Moreover, I get the same behavior if I reinstall the app in the private space or in another user profile. Meaning the app is clearly identifying the device itself. The only permission this app has is Network.

fid02

dlfantoma I don't know what this specific app is doing, but there is general info available on persistent IDs and ways for apps to fingerprint users:

One way for an app to identify that you are using the same device is to use the Media DRM ID: it is an ID that is unique per app, but which is the same for the app on the specific device you are using. In other words, the app's Media DRM ID remains the same across OS installs. Have personally verified this. So even if you flash back to stock, or a different OS, on the same device, your banking app will see the same Media DRM ID – if it checks for it. Note that different apps see different Media DRM IDs.

Here's a GrapheneOS developer elaborating on ways for apps to fingerprint users: https://discuss.grapheneos.org/d/16015-is-it-possible-for-an-app-to-read-your-phone-number-internally/9

Here's an app you can use that demonstrates some of the ways your device can be fingerprinted by apps: https://github.com/trustdecision/trustdevice-android

dlfantoma

fid02 Thank you very much for clarifying this. It's honestly disconcerting to learn that GrapheneOS is not protecting against this kind of identification. Suppose I buy a used device and I use the same apps as the previous owner. Now every app/service we both use(d) can track how this device was exchanged.
I posted a few days ago about having some issues with my national bank's app. My only conclusion is that they're somehow blacklisting my device based on some unique identifier. Because the app is working on friends' phones, I even bought a new Pixel 6a, freshly installed GrapheneOS on it, and needless to say the very same banking app is working fine. Of course I called the bank and tried to reason with them about this, but to no avail (even though they might be blacklisting my device somehow, this only happens when running Graphene, the app is working fine on the stock OS on the same device).
So... yeah, quite disappointed that GrapheneOS does not include this sort of basic protection against unique device identification.

de0u

dlfantoma It's honestly disconcerting to learn that GrapheneOS is not protecting against this kind of identification.

https://github.com/GrapheneOS/os-issue-tracker/issues/2314

fid02

dlfantoma I posted a few days ago about having some issues with my national bank's app. My only conclusion is that they're somehow blacklisting my device based on some unique identifier.

If it is true that the app in question is collecting persistent device identifiers, then, if I'm interpreting the Google Play Developer Policy Center on user data correctly, it seems likely that the app is breaking Play Store policy:

Persistent device identifiers may not be linked to other personal and sensitive user data or resettable device identifiers except for the purposes of

Telephony linked to a SIM identity (for example, wifi calling linked to a carrier account), and

Enterprise device management apps using device owner mode.

These uses must be prominently disclosed to users as specified in the User Data policy.

It seems clear that several things apply here:

If the app is using persistent device identifiers, the app developer must prominently disclose this to you
The app developer must be able to provide you with a clear answer when you ask them whether their app is using persistent device identifiers
If the app is using persistent device identifiers for use cases other than those allowed by the Google Play Developer Policy Center, then reporting a policy violation seems justified: https://support.google.com/googleplay/android-developer/contact/policy_violation_report

hemlockiv

fid02

Persistent device identifiers may not be linked to other personal and sensitive user data

The definition in Google's TOS of "personal user data" and "sensitive user data" are probably important. I suspect that simply identifying a device as one that a particular account has logged into doesn't fall under those categories.