Posted by Giles Hogben, Privacy Engineer
Android O introduces some improvements to help provide user control over the use of identifiers. These improvements include:
Here are some of the device identifier changes for Android O:
Additionally in Android O:
To be consistent with runtime permissions required for access to IMEI, use of
android.os.Build.SERIAL is deprecated for apps that target Android O or newer.
Instead, they can use a new Android O API, Build.getSerial(), which
returns the actual serial number, as long as the caller holds the PHONE
permission. In a future version of Android, apps targeting Android O will see
Build.SERIAL as "UNKNOWN". To avoid breaking legacy app functionality, apps
targeting prior versions of Android will continue see the device's serial
number, as before.
Net.Hostname provides the network hostname of the device. In previous versions
of Android, the default value of the network hostname and the value of the DHCP
hostname option contained Settings.Secure.ANDROID_ID. In Android O, net.hostname
is empty and the DHCP client no longer sends a hostname, following IETF RFC 7844
(anonymity profile).
We collaborated with security researchers1 to design robust MAC address randomization for Wi-Fi
scan traffic produced by the chipset firmware in Google Pixel and Nexus 5X
devices. The Android Connectivity team then worked with manufacturers to update
the Wi-Fi chipset firmware used by these devices.
Android O integrates these firmware changes into the Android Wi-Fi stack, so that devices using these chipsets with updated firmware and running Android O or above can take advantage of them.
Here are some of the changes that we've made to Pixel, Pixel XL and Nexus 5x firmware when running O+:
In Android O and above, the GET_ACCOUNTS permission is no longer sufficient to
gain access to the list of accounts registered on the device. Applications must
use an API provided by the app managing the specific account type or the user
must grant permission to access the account via an account chooser activity. For
example, Gmail can access Google accounts registered on the device because
Google owns the Gmail application, but the user would need to grant Gmail access
to information about other accounts registered on the device.
Apps targeting Android O or later should either use AccountManager#newChooseAccountIntent() or an authenticator-specific method to gain access to an account. Applications with a lower target SDK can still use the current flow.
In Android O, apps can also use the AccountManager.setAccountVisibility()/ getVisibility() methods to manage visibility policies of accounts owned by those apps.
In addition, the LOGIN_ACCOUNTS_CHANGED_ACTION broadcast is deprecated, but still works in Android O. Applications should use addOnAccountsUpdatedListener() to get updates about accounts at runtime for a list of account types that they specify.
Check out Best Practices for Unique Identifiers for more information.
Android O introduces some improvements to help provide user control over the use of identifiers. These improvements include:
- limiting the use of device-scoped identifiers that are not resettable
- updating the Android O Wi-Fi stack in conjunction with changes to the Wi-Fi chipset firmware used by Pixel, Pixel XL and Nexus 5x phones to randomize MAC addresses in probe requests
- updating the way that applications request account information and providing more user-facing control
Device identifier changes
Android ID
Additionally in Android O:
- The ANDROID_ID value won't change on package uninstall/reinstall, as long as the package name and signing key are the same. Apps can rely on this value to maintain state across reinstalls.
- If an app was installed on a device running an earlier version of Android, the Android ID remains the same when the device is updated to Android O, unless the app is uninstalled and reinstalled.
- The Android ID value only changes if the device is factory reset or if the signing key rotates between uninstall and reinstall events.
- This change is only required for device manufacturers shipping with Google Play services and Advertising ID. Other device manufacturers may provide an alternative resettable ID or continue to provide ANDROID ID.
Build.SERIAL
Net.Hostname
Widevine ID
Unique system and settings properties
- ro.runtime.firstboot: Millisecond-precise timestamp of first boot after last wipe or most recent boot
- htc.camera.sensor.front_SN: Camera serial number (available on some HTC devices)
- persist.service.bdroid.bdaddr: Bluetooth MAC address property
- Settings.Secure.bluetooth_address: Device Bluetooth MAC address. In O, this is only available to apps holding the LOCAL_MAC_ADDRESS permission.
MAC address randomization in Wi-Fi probe requests
Android O integrates these firmware changes into the Android Wi-Fi stack, so that devices using these chipsets with updated firmware and running Android O or above can take advantage of them.
Here are some of the changes that we've made to Pixel, Pixel XL and Nexus 5x firmware when running O+:
- For each Wi-Fi scan while it is disconnected from an access point, the phone uses a new random MAC address (whether or not the device is in standby).
- The initial packet sequence number for each scan is also randomized.
- Unnecessary Probe Request Information Elements have been removed: Information Elements are limited to the SSID and DS parameter sets.
Changes in the getAccounts API
Apps targeting Android O or later should either use AccountManager#newChooseAccountIntent() or an authenticator-specific method to gain access to an account. Applications with a lower target SDK can still use the current flow.
In Android O, apps can also use the AccountManager.setAccountVisibility()/ getVisibility() methods to manage visibility policies of accounts owned by those apps.
In addition, the LOGIN_ACCOUNTS_CHANGED_ACTION broadcast is deprecated, but still works in Android O. Applications should use addOnAccountsUpdatedListener() to get updates about accounts at runtime for a list of account types that they specify.
Check out Best Practices for Unique Identifiers for more information.
Notes
- Glenn Wilkinson and team at Sensepost, UK, Célestin Matte, Mathieu Cunche: University of Lyon, INSA-Lyon, CITI Lab, Inria Privatics, Mathy Vanhoef, KU Leuven ↩