
With the changes in Android O, ANDROID_ID is now scoped per app signing key, as well as per user. Factory resetting the device will also generate a new ANDROID_ID value.

My question is, what other alternative ID (that's more potent) do you folks use aside from Android ID?

I did some research and learnt that Google suggests we use AdvertisingId, but users can reset their AdvertisingId anytime they want.

I have also looked at Key/Value backup to back up the existing Android ID and associate it with new values. This approach is good, but the backup is associated with a Google account. So this does not work if the user resets the device and signs in with a different Google account.

My goal here is to get a device-specific identifier to be used for fraud/malicious-activity detection, and I am having a difficult time trying to gauge what kind of identifier to use. I know that I can just use the IMEI, but Google recommends avoiding it, and it also requires the android.permission.READ_PHONE_STATE permission.

Chief.Rabbids
Comments:

  • "this does not work if the user resets the device and sign-in with a different Google account" -- so? This also happens when you sell the device, give it to a younger sibling, donate it to a charitable organization, etc. The original user resets the device, transfers it to somebody else, who then signs in with their own account (or uses it sans an account). By your argument, the device recipient is engaging in fraud. – CommonsWare Jun 22 '17 at 17:43
  • there is no such thing as a device specific ID anymore, though there really wasn't ever one that never changed – tyczj Jun 22 '17 at 17:56

1 Answer


The Best practices for unique identifiers article has a dedicated use case for anti-fraud:

Anti-fraud: Enforcing free content limits and detecting Sybil attacks

In this case, you want to limit the number of free content, such as articles, that a user can see on a device.

Use: Instance ID or GUID. On Android 8.0 (API level 26) and higher, SSAID is also an option, as it's scoped to the app-signing key.

Why this recommendation?

Using a GUID or Instance ID forces the user to reinstall the app in order to circumvent the content limits, which is a sufficient burden to deter most people. If this isn't sufficient protection, Android provides a DRM API, which can be used to limit access to content and includes a per-APK identifier, the Widevine ID.

Note that SSAID == Storage.Secure.ANDROID_ID.

Alex Lipov
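A per-install GUID kept in app-private storage, with the app-scoped SSAID as a second signal on Android 8.0+, written here as an added example of the "GUID or Instance ID" recommendation quoted in the answer (not code from the answer or from the Android documentation); the preference file name and key are assumptions:

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.provider.Settings;
import java.util.UUID;

/** Added example: per-install identifier along the lines of the quoted anti-fraud use case. */
public final class InstallId {
    private static final String PREFS = "install_id_prefs";   // assumed preference file name
    private static final String KEY_GUID = "install_guid";    // assumed preference key

    private InstallId() {}

    /**
     * Returns a GUID generated once per install and stored in app-private SharedPreferences.
     * Uninstalling the app or clearing its data discards it, which is exactly the "burden"
     * the quoted article relies on: a fresh ID costs the user a reinstall.
     */
    public static String getInstallGuid(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String guid = prefs.getString(KEY_GUID, null);
        if (guid == null) {
            guid = UUID.randomUUID().toString();
            prefs.edit().putString(KEY_GUID, guid).apply();
        }
        return guid;
    }

    /**
     * On Android 8.0 (API 26) and higher the SSAID is scoped to the app's signing key, so it can
     * be combined with the install GUID. On older releases it is a device-wide value, so this
     * method returns null there instead of handing out a cross-app identifier.
     */
    public static String getAppScopedSsaid(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            return null;
        }
        return Settings.Secure.getString(ctx.getContentResolver(), Settings.Secure.ANDROID_ID);
    }
}
```

If the app opts in to Auto Backup, this preferences file can be restored after a reinstall unless it is excluded in the backup rules, so decide deliberately whether the GUID should survive that (the question's concern about backup-tied IDs applies here too).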