What is this ESN device identifier apps seemingly can read?

ryrona

When opening app settings in Netflix, it displays various device information such as "Model: Pixel 7a" and "Version: 2024121200". But it also displays a (with my redactions in parenthesis) "ESN: NFANDROID1-PXA-P-GOOGLPIXEL=7A-(some number)-(very long and very unique looking sequence of hexadecimal digits)". If I search for ESN on internet it says it is a device unique hardware identifier for mobile devices similar to IMEI.

Is Netflix just fooling me, or has it actually been able to fetch a persistent unique identifier for my device?

This isn't supposed to be possible, from https://grapheneos.org/faq:

As of Android 10, apps cannot obtain permission to access non-resettable hardware identifiers such as the serial number, MAC addresses, IMEIs/MEIDs, SIM card serial numbers and subscriber IDs. Only privileged apps included in the base system with READ_PRIVILEGED_PHONE_STATE whitelisted can access these hardware identifiers. Apps targeting Android 10 will receive a SecurityException and older apps will receive an empty value for compatibility.

So what is this number, and should I worry?

ryrona

ryrona ESN: NFANDROID1-PXA-P-GOOGLPIXEL=7A-(some number)-(very long and very unique looking sequence of hexadecimal digits)

I have managed to confirm that the number in place of "(some number)" is the Widevine DRM version identifier. So the long unique looking number if probably the Widevine DRM client ID number. I remember now, that it has been mentioned that apps still can fetch a device unique number through Widevine without any specific permissions.

I have also found out that the whole "NFANDROID1" thingie is Netflix specific. So it is just a string Netflix is constructing that contains the model name, Widevine DRM certification level, Widevine DRM version number, and then the unique ID for my device.

I don't remember if Widevine gets reprovisioned with new keys at each factory default so it changes between factory resets or not. Either way, it is not an ESN number, but none the less device unique at least for the current factory reset cycle.

GrapheneOS

ryrona Regular apps don't have access to any form of serial number. What you've shown appears to be a way to fingerprint the type of device based on the device model, potentially OS version and other properties. That's not a unique identifier and if it uses things like app-visible configuration (locale, non-default color scheme, dark mode, etc.) that will change based on changes to the configuration.

DeletedUser202

I'm very much guessing here, but sounds like it might be from these?

https://grapheneos.org/faq#hardware-identifiers

[...] Apps can determine the model of the device (such as it being a Pixel 6) either directly or indirectly through the properties of the hardware and software. There isn't a way to avoid this short of the OS supporting running apps in a virtual machine with limited functionality and hardware acceleration. Hiding the CPU/SoC model would require not even using basic hardware virtualization support and these things could probably still be detected via performance measurements.

https://grapheneos.org/faq#non-hardware-identifiers

[...] Apps can generate their own 128-bit or larger random value and use that as an identifier for the app installation. Apps can create data in their app-specific external storage directory by default without needing permission, and in the legacy storage model before API 29 that data persists after the app is uninstalled, so it can be used to store an ID that persists through the app being uninstalled and reinstalled. However, external storage is under control of the user and the user can delete this data at any time, including after uninstalling the app. In the modern storage model, this data is automatically removed when the app is uninstalled. GrapheneOS includes Seedvault as an OS backup service which must be explicitly enabled, and it has the option to automatically restore app data when an app is reinstalled, so it wouldn't lose track of it being the same profile.

The ANDROID_ID string is a 64-bit random number, unique to each combination of profile and app signing key. The 64-bit limitation means it isn't particularly useful due to the possibility of collisions. It's tied to the lifetime of profiles and does not persist through profile deletion or a factory reset. This is comparable to an app targeting the legacy storage model storing a 64-bit random value in the app-specific external storage directory. In the future, GrapheneOS will likely change this to be tied to the lifetime of app installations rather than profiles. An app could still track the identity of the profile through data you give it access to or via data another app chooses to share with them.

GrapheneOS

ryrona The Widevine ID should already be app-specific via a keyed hash and provisioned specifically for the app for a given period of time. We have an officially planned feature of providing a toggle for accessing it which can provide something like a random value when disabled. We haven't fully decided on the details and need a finished implementation to ship it. It's tricky because we need to make sure there isn't another way to access it, etc.

de0u

ryrona I remember now, that it has been mentioned that apps still can fetch a device unique number through Widevine without any specific permissions. [...] I don't remember if Widevine gets reprovisioned with new keys at each factory default so it changes between factory resets or not.

Issue #2314 may be of interest.

As GrapheneOS noted, the DRM i.d. is supposed to be keyed, so that different web sites and different on-device apps get different i.d.'s (good) even if those i.d.'s persist across factory resets (arguably less desirable from the user perspective, but clearly quite desirable from the perspective of streaming providers).

ryrona

GrapheneOS The Widevine ID should already be app-specific via a keyed hash and provisioned specifically for the app for a given period of time.

de0u As GrapheneOS noted, the DRM i.d. is supposed to be keyed, so that different web sites and different on-device apps get different i.d.'s (good) even if those i.d.'s persist across factory resets

Okay, if it is different per app that is good. If it got reprovisioned with new keys after every factory reset I would say there is no real problem at all. Is there any particular reason it isn't being reprovisioned with new keys after a factory reset?

de0u but clearly quite desirable from the perspective of streaming providers

Not really. They only care that the media cannot be copied or screen recorded in any way. So they only care to know the media will be encrypted until it reaches secure hardware or from their perspective trusted software. They don't really care what device it is, or if it is the same device as before, just that it is a from their perspective a secure device. So theoretically at least, the hardware can generate a new key pair at factory reset, and then get a certificate for that during provisioning, proving their identify with a persistent key pair never revealed or indirectly used for apps in any way. But I don't know how Widevine specifically is designed. They might not have considered privacy to that degree. Actually, I think even signature blinding might be usable here, but that is beyond my cryptographic knowledge.

de0u

ryrona If it got reprovisioned with new keys after every factory reset I would say there is no real problem at all. Is there any particular reason it isn't being reprovisioned with new keys after a factory reset?

The key information is managed by the TEE. If the TEE doesn't expose an IPC request for forgetting the provisioning information, that would be a particular reason.

de0u Different web sites and different on-device apps get different i.d.'s even if those i.d.'s persist across factory resets (arguably less desirable from the user perspective, but clearly quite desirable from the perspective of streaming providers).

ryrona Not really. They only care that the media cannot be copied or screen recorded in any way. So they only care to know the media will be encrypted until it reaches secure hardware or from their perspective trusted software. They don't really care what device it is, or if it is the same device as before, just that it is a from their perspective a secure device.

Copy protection is definitely one thing they care about!

However, though this is admittedly speculation on my part, given the existence of short-term "teaser rates" (time-limited discounts for new subscribers), it seems at least a little bit plausible that a secondary desire of streaming services is, indeed, identifying individual devices over time. If that weren't the case, people could reset to the cheaper teaser rate repeatedly by forgetting the Widevine keying information. Again, I can't cite a source for this, but it aligns with the observed reports that neither factory reset nor installing a complete new OS wipes the Widevine keying information.

ryrona

de0u However, though this is admittedly speculation on my part, given the existence of short-term "teaser rates" (time-limited discounts for new subscribers), it seems at least a little bit plausible that a secondary desire of streaming services is, indeed, identifying individual devices over time. If that weren't the case, people could reset to the cheaper teaser rate repeatedly by forgetting the Widevine keying information.

I haven't seen any streaming service offering such discounts while also allowing you to pay anonymously. Usually when paid streaming services offers a "first month free" discount or similar, they still require you to sign up for monthly charges by registering your debit card and then approving a zero charge for the first month. So in that case the persistent identifier would be your real identity instead. I guess tracking persistent identifiers on devices would be seen as an alternative to be able to offer such discounts while allowing anonymous payments, it would still be more privacy respecting, but it doesn't seem to be anything they care about today. And ad-supported as well as free streaming services obviously have no discounts, so wouldn't need to know any persistent identifier at all, just that you are in the right country and that you cannot copy the video stream.

I have been able to take advantage of discounts, while streaming solely inside a pure virtual machine. So they definitely aren't checking for persistent hardware identifiers. Quality may be restricted to 480p or 720p though when not having hardware based DRM, even when paying full price. But for discounts they seem to rely on other things, as I have been able to take advantage of them anyway.

But maybe it might make sense, to have such a persistent identifier, if we wish for them to start accepting anonymous payments in the future.