For a long time, ANDROID_ID, Google’s unique system-generated identifier, has been popular for helping detect potential fraud. App developers and advertisers have also used it to understand user behavior to aid research and marketing.
However, though simple and fairly stable, access to it is uncertain and often requires permissions. Because permissions bring elevated access and potential security implications, asking users for any of them is unrealistic. Moreover, ANDROID_ID doesn’t survive factory reset, is easy to spoof, and its usage for ad purposes is being replaced with AdvertisingID.
For these and several other reasons, device fingerprinting techniques are prevalent, even approaching ubiquity. A well-implemented fingerprint is persistent, collision-resistant, stable, harder to spoof, and can change over time due to device updates.
Why device identification matters
Device identification is essential to a mobile developer's toolkit for detecting and preventing fraud.
An accurate and persistent device ID can flag users most likely to commit fraud. It can also mitigate fraudulent attempts by incorporating authentication flows or blocking users based on their usage history. From download to login to payment, the number of ways someone can commit fraud is ever-increasing. Depending on your application, the most lucrative forms of fraud will vary.
Android developers had it easy in the past, with access to several system-provided identifiers, including hardware signals and the system-generated Android ID (or SSAID). However, many of these signals are now unavailable to app developers, with more expected to be removed, restricted, or require opt-in permissions from users in coming updates.
Additionally, remaining identification methods (including SSAID) are easy for dedicated fraudsters to spoof, providing little protection against sophisticated fraud attacks.
What is device fingerprinting?
Device fingerprinting is an advanced device identification technique that uses a combination of attributes unique to a device’s configuration and how it’s used to form a distinctive ID or “fingerprint.” This ID is unique to each configuration and differentiates one user from another. Device fingerprinting is the foundational technique of device intelligence, helping recognize connections between users and flag suspicious devices.
The attributes used to build a fingerprint come from various sources, including:
- Device hardware details, including processor type, model, screen resolution, and battery information
- Device software information, like the operating system, browser version, plugins, and installed fonts
- Network-related information, such as IP address, internet service provider (ISP), timezone, and geolocation
- User behavior patterns, including typing speed, mouse movements, and browsing habits
What can device fingerprinting do?
Device fingerprinting generates a lot of information about user behavior, which teams throughout an organization can leverage for more effective security, fraud prevention, and marketing initiatives.
Unique identification
Fingerprinting designates an identity after analyzing information relevant to a device’s configuration, such as IP address, plugins, browser version, geolocation, mouse movement, and browsing habits.
Although such data is not distinctive to a device, it’s extremely rare to find two devices with the exact same attributes, making the identification unique.
Analysis and research
Device fingerprinting entails collecting data, normalizing it to make it directly comparable, and extracting the relevant features and attributes. Then, based on the collected data, a fingerprint is generated.
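The collect, normalize, extract, and generate steps described above can be sketched as follows. This is an added example, not code from the Fingerprint Android Library; the signal names, the 256 MB RAM bucket, and the sample readings are assumptions chosen for illustration.

```python
import hashlib
import json
import re

# Assumed, illustrative signal names; not taken from any specific SDK.
STABLE_KEYS = ("manufacturer", "model", "cpu_abi", "screen", "total_ram_mb")


def normalize(raw: dict) -> dict:
    """Make raw readings directly comparable across collections."""
    out = {}
    for key in STABLE_KEYS:          # volatile signals (battery level) are dropped
        value = raw.get(key)
        if value is None:
            out[key] = ""            # missing signal: keep the slot, stay deterministic
            continue
        text = re.sub(r"\s+", " ", str(value)).strip().lower()
        if key == "screen":
            # "1080 x 2400" and "2400x1080" describe the same panel
            dims = sorted(int(n) for n in re.findall(r"\d+", text))
            text = "x".join(map(str, dims))
        elif key == "total_ram_mb":
            # Reported RAM jitters by a few MB; bucket to the nearest 256 MB
            text = str(round(float(text) / 256) * 256)
        out[key] = text
    return out


def fingerprint(raw: dict) -> str:
    """Hash the normalized feature set into a fixed-length ID."""
    canonical = json.dumps(normalize(raw), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed sample readings: the same device at two points in time, then another device.
first_visit = {"manufacturer": "Google", "model": "Pixel 7 ", "cpu_abi": "arm64-v8a",
               "screen": "1080 x 2400", "total_ram_mb": 7621, "battery_pct": 81}
later_visit = {"manufacturer": "google", "model": "pixel  7", "cpu_abi": "arm64-v8a",
               "screen": "2400x1080", "total_ram_mb": "7630", "battery_pct": 12}
other_device = dict(first_visit, model="Pixel 7 Pro", screen="1440x3120")
```

Without the normalization step the two visits from the same device would hash to different IDs, which is why it comes before feature extraction.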
Stored fingerprints serve as reference points marketers can use to understand user behavior patterns to help their marketing efforts. For example, a website can keep track of user information stored to implement better shopping cart functionality.
Fraud detection and prevention
The best-kept secret in fingerprinting technology is its potential for applications beyond the browser. Mobile device fingerprinting, for example, allows app developers to identify users by applying more sources of entropy than are available inside the browser.
This aids in fraud detection, as spotting fingerprint anomalies can indicate potential unauthorized access. Most importantly, it makes it much harder to circumvent identification as it’s difficult to spoof all available signals.
Device fingerprinting also allows more effective behavior monitoring for fraud detection and prevention.
Fraudsters use device spoofing, VPNs, private or incognito mode, different accounts, and other methods to cover their tracks. However, it’s much harder to prevent fingerprinting or delete a fingerprint after it’s collected.
Ad targeting and marketing
Though initially developed to prevent fraud and software piracy, device fingerprinting is now a powerful tool for online marketers.
Fingerprinting helps app developers and advertisers monitor and target users. They can recognize returning users and then, based on their fingerprints, form a clear picture of their interests, preferences, and purchase habits. Businesses can use this information to tailor their content, advertisements, and services to individual users based on device usage patterns.
Consumers are inundated with digital advertising, and a personalized ad is the best way to stay ahead of the curve and ensure a successful marketing campaign. You can even pool user data to create user cohorts, making it easier for advertisers to reach intended audiences with their marketing campaigns.
You may be thinking, “I can do that with ANDROID_ID.” However, in recent years, governments and tech companies have imposed rules (like the EU’s General Data Protection Regulation (GDPR) in 2018) to safeguard internet users’ privacy.
Most recently, Google began restricting third-party cookies by default for 1% of Chrome users and plans to ramp up those restrictions fully by the end of 2024. For these reasons, device fingerprinting is a more reliable option than cookies for an advertising identifier.
At-risk Android device identification methods
Historically, there have been three main ways to identify a device in Android without fingerprinting:
- Use hardware identifiers: Android provides access to hardware identifiers, such as MAC address and IMEI, but with restrictions. So, although it’s a durable option that can survive app reinstallation and factory reset, it’s unavailable for most applications.
- Generate a file with UUID on the first launch of an app: Like with browser cookies, this method generates a unique ID and stores it on the Android device. It’s simple and stable and unlikely to be restricted. But as with cookies, users can clear the file by uninstalling the app.
- Use system-provided identifiers: These include ANDROID_ID, which is being replaced with Advertising ID, and Google Service Framework ID (GSF ID), which is at risk of being discontinued in future updates. Although both identifiers are stable and can survive app reinstallation, they have uncertain access, are easy to spoof, and can’t survive a factory reset.
These three methods share a common theme: They’re ineffective for some use cases today or are likely to be discontinued soon. Therefore, Android developers must find alternative ways to identify users before these options are no longer available.
The advantages of device fingerprinting for Android identification
There’s a lot you can gain from going beyond browser fingerprinting and supplementing your fraud detection and advertising efforts with device fingerprinting:
Enhanced security and fraud prevention
Systems can identify suspicious behavior that signals a potential fraud attempt by monitoring and analyzing device fingerprints. If a recognized device exhibits suspicious activity, such as a different device location or OS, which is characteristic of potential security breaches, the system triggers alerts. It may trigger notifications for additional authentication steps or temporarily restrict access until the user’s identity is confirmed.
Device fingerprint sensors also detect when multiple accounts are accessed from the same unrecognized device — typical of a coordinated attack.
Thus, device fingerprinting can help flag and prevent financial fraud, identity theft, and other malicious actions and block or restrict bot-driven access.
Account user identification
Device fingerprinting adds a user authentication layer, strengthening the security of multi-factor authentication strategies.
In addition to user credentials, it verifies the characteristics of the device they’re using, comparing them with the previously stored ones. An attacker with a stolen password and one-time code must still match the device’s fingerprint before they can gain access. This is especially helpful in combating illegal activity like account takeovers where criminals have intercepted or stolen verification codes.
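The checks described under "Enhanced security and fraud prevention" and in the paragraph above (changed OS or location on a recognized device, many accounts on one unrecognized device, valid credentials from a device that does not match) can be expressed as server-side detection logic. This is an added example, not part of the Fingerprint library; the class name, threshold, decision labels, and sample events are assumptions.

```python
from collections import defaultdict

MAX_ACCOUNTS_PER_DEVICE = 3  # assumed threshold; tune against real traffic


class DeviceRiskEngine:
    """Illustrative server-side policy keyed on a device fingerprint."""
    def __init__(self):
        self.known = defaultdict(dict)         # account -> {fingerprint: (os, country)}
        self.accounts_seen = defaultdict(set)  # fingerprint -> accounts attempted

    def enroll(self, account, fp, os_version, country):
        self.known[account][fp] = (os_version, country)

    def evaluate(self, account, fp, os_version, country, credentials_ok):
        """Return (decision, reasons) for one login attempt."""
        self.accounts_seen[fp].add(account)    # failed attempts count too
        if not credentials_ok:
            return "deny", ["bad_credentials"]
        # Several accounts from a device none of them enrolled: coordinated pattern
        strangers = [a for a in self.accounts_seen[fp] if fp not in self.known[a]]
        if len(strangers) >= MAX_ACCOUNTS_PER_DEVICE:
            return "block", ["many_accounts_on_unrecognized_device"]
        previous = self.known[account].get(fp)
        if previous is None:
            # Correct password and code, but the device itself does not match
            return "step_up", ["unrecognized_device"]
        reasons = []
        if previous[0] != os_version:
            reasons.append("os_changed")
        if previous[1] != country:
            reasons.append("location_changed")
        return ("step_up" if reasons else "allow"), reasons


def replay(events):
    # Run login events through a fresh engine with one enrolled device
    engine = DeviceRiskEngine()
    engine.enroll("alice", "fp-A", "14", "DE")
    return [engine.evaluate(*event) for event in events]


# Constructed sample events: (account, fingerprint, os, country, credentials_ok)
SAMPLE_EVENTS = [
    ("alice", "fp-A", "14", "DE", True),
    ("alice", "fp-A", "14", "BR", True),
    ("alice", "fp-X", "13", "DE", True),
    ("bob", "fp-X", "13", "DE", False),
    ("carol", "fp-X", "13", "DE", True),
]
```

Calling `replay(SAMPLE_EVENTS)` yields one decision per event; a "step_up" result is where an additional authentication step would be requested.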
Improved user experience
Consumers expect a more personalized experience when interacting with brands. By gathering information about a user’s device and preferences, device fingerprinting can help improve the overall user experience.
Fingerprinting helps discern users’ interests, preferences, and habits, which can guide marketers in creating customized content and recommendations for more relevant and personalized interaction. It can also help optimize content specifically for the device being used.
How the Fingerprint Android Library works
The Fingerprint Android Library combines the above-mentioned Android identification techniques to provide two stable and unique identifiers: the device ID and ANDROID_ID.
While both identifiers are stable, spoofing them with the Xposed framework is possible. To counteract this, the library generates a unique device fingerprint with the best balance of stability and uniqueness. It also includes hardware signals in the recommended Device Fingerprint configuration.
Hardware signals remain the same even after a factory reset and are highly stable, contributing to an incremental increase in uniqueness.
The Fingerprint Android Library has an open-source community; it is used by over 8,000 websites and has over 20,000 stars on GitHub. This community is continually improving the stability and uniqueness of our DeviceID. Additionally, it’s possible to manually change the library’s platform signals if needed, giving developers flexibility.
Why you should use our Android Fingerprint Library
User privacy protections across platforms make fraud prevention with Android identifiers unreliable. In contrast, our Android Fingerprint Library provides a stable device fingerprint generated using all available platform signals.
This DeviceID hash remains up-to-date with Android’s policies, guaranteeing high accuracy as rules change.
For example, to apply Android’s IFDA as an identifier, the user must explicitly opt-in to tracking permissions for advertising purposes. Our library does not require additional permissions.
Fingerprint’s Android Library is written in Kotlin, a modern and safe programming language that helps ensure the library doesn’t crash. It also doesn’t require transitive dependencies (except Kotlin-stdlib for Java-only projects), and the integration is seamless, requiring only a few lines to add the dependency. Further, it provides convenient forward and backward compatibility without unexpected fingerprint changes during updates.
Elevate your device identification process with Fingerprint
On their own, Android identifiers can be unreliable. But by complementing them with device fingerprinting, you can enhance security and fraud prevention, account identification, and user experience.
Our Android Fingerprint Library provides a stable device fingerprint, requires no additional permissions, provides compatibility, and has manually adjustable platform signals for flexibility. We also have an open-source community that’s continually improving our DeviceID.
If your company is interested in further device fingerprint accuracy and stability, we would love to hear from you. Contact us today and elevate your device identification process.
FAQ
Device fingerprinting is a device identification method that uses device configuration and user behavior to create a unique ID. It's a key technique in device intelligence for identifying user connections and detecting suspicious devices.