
According to Google, the ANDROID_ID (also known as SSAID) should not be accessible on Android 10 systems without some preconditions (see: https://developer.android.com/about/versions/10/privacy/changes):

• If your app targets Android 10 or higher, a SecurityException occurs.

• If your app targets Android 9 (API level 28) or lower, the method
  returns null or placeholder data if the app has the READ_PHONE_STATE
  permission. Otherwise, a SecurityException occurs.

My problem here is that I am still able to access the ANDROID_ID without any of the above-mentioned preconditions.

I created a Kotlin project with target platform Android 10 API level 29.

In this project I ran this code:

```kotlin
import androidx.appcompat.app.AppCompatActivity
import android.os.Bundle
import android.provider.Settings
import android.util.Log

class MainActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)
        Log.i("ANDROID ID", "##### READ Android ID ######")

        try {
            // Read ANDROID_ID (SSAID) through the Settings.Secure provider
            val my_android_id = Settings.Secure.getString(this.contentResolver, Settings.Secure.ANDROID_ID)
            Log.i("ANDROID ID", my_android_id)
        } catch (e: SecurityException) {
            // Expected by the question if access were restricted
            Log.i("ANDROID ID", "Secure Exception!")
        }
    }
}
```

The result is that the ANDROID_ID gets written to the logcat without any problem. The value is not a dummy value but the actual ANDROID_ID. This has been tested on a simulator and on a real device (Pixel 2).

Sebastian Dine
  • what is the api of the device you are deploying on? – Daniel Oct 02 '19 at 11:53
  • It is running on API 29 – Sebastian Dine Oct 02 '19 at 11:55
  • You said that it returns the same result on emulator and emulator, is that right @SebastianDine? From the docs, I can guess that you are getting the "_placeholder data_" – Giorgos Neokleous Oct 02 '19 at 12:16
  • No, it is returning a different result for device and emulator. It is no placeholder. – Sebastian Dine Oct 02 '19 at 12:21
  • Sorry for that, my initial description was a bit misleading regarding this. – Sebastian Dine Oct 02 '19 at 12:23
  • I can confirm this behavior on Google Pixel running Android 10 with the above code and `targetSdkVersion 29`. – Enselic Oct 02 '19 at 15:48
  • @Enselic: you mean that it is still possible to access the identifier without any restriction, right? – Sebastian Dine Oct 03 '19 at 11:41
  • @SebastianDine Yes exactly. I can confirm that ANDROID_ID is readable even when it shouldn't be. – Enselic Oct 03 '19 at 11:44
  • @SebastianDine `Settings.Secure.getString(contentResolver, Settings.Secure.ANDROID_ID)` isn't mentioned in affected methods which throw `SecurityException` on Android 10. Why do you expect it to fail? – Alex Lipov Oct 09 '19 at 19:28
  • @SebastianDine From this link https://developer.android.com/about/versions/10/privacy/changes, I cannot find where it says that ANDROID_ID would no longer be accessible. Please can you point to that. The link talks about Device Serial, IMEI, MEID, Device ID, SIM Serial and Subscription ID. Now there is a major difference between these identifiers and ANDROID_ID, and that is that the latter changes on factory reset while identifiers like IMEI and all are non-resettable (unless the device is rooted). I am also searching for an ID like ANDROID_ID. What did you finally use then? – Dibzmania Dec 21 '19 at 06:13

1 Answer


Maybe too late, but according to this article on Android O in the Android Developers Blog:

  • The ANDROID_ID value won't change on package uninstall/reinstall, as long as the package name and signing key are the same. Apps can rely on this value to maintain state across reinstalls.
  • If an app was installed on a device running an earlier version of Android, the Android ID remains the same when the device is updated to Android O, unless the app is uninstalled and reinstalled.
  • The Android ID value only changes if the device is factory reset or if the signing key rotates between uninstall and reinstall events.
  • This change is only required for device manufacturers shipping with Google Play services and Advertising ID. Other device manufacturers may provide an alternative resettable ID or continue to provide ANDROID ID.
Poorya
  • I have one doubt, please help me with it: how do I get a unique ID of the user which cannot change even when data is wiped out? I heard about the "Advertisement ID", does it solve my problem? Please help me with it. Thanks – Ravindra Kushwaha Oct 21 '20 at 06:42
  • Getting a fixed ID is not easy because Google wants to protect the user from unwanted tracking and privacy issues. You could use IMEI if the device has cellular support, but it comes with extra permissions. As for advertisement ID, the user can reset that. My go-to solution is usually ANDROID_ID. – Poorya Oct 21 '20 at 09:53
  • Thanks for the suggestion!!! Is it not possible to get an ID which is the same for all apps and does not reset when the device reboots or data is wiped out? – Ravindra Kushwaha Oct 21 '20 at 10:08
  • The only solution I can think of that meets all those requirements is the IMEI number, which as mentioned before is only available if the device comes with cellular support. – Poorya Oct 22 '20 at 01:58
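
An added example, not part of the original posts: it puts the `ANDROID_ID` read from the question next to two of the non-resettable identifiers named in the comments (device serial, IMEI), so the difference in platform behaviour shows up in one logcat run. The names `probeIdentifiers`, `probe` and the log tag are hypothetical, and the code assumes an app module that, like the question's project, requests no phone-state permission.

```kotlin
import android.content.Context
import android.os.Build
import android.provider.Settings
import android.telephony.TelephonyManager
import android.util.Log

private const val TAG = "IdProbe" // hypothetical log tag

/** Runs one identifier read and reports whether the platform allowed it. */
private fun probe(name: String, read: () -> String?): String {
    val outcome = try {
        when (val value = read()) {
            null -> "null"
            Build.UNKNOWN -> "placeholder (\"unknown\")"
            // Log only the length; the identifier itself stays out of logcat.
            else -> "readable (${value.length} chars)"
        }
    } catch (e: SecurityException) {
        "SecurityException"
    }
    Log.i(TAG, "$name -> $outcome")
    return outcome
}

/**
 * Compares ANDROID_ID with two identifiers covered by the Android 10
 * privacy changes. Call from any Activity or Service.
 */
fun probeIdentifiers(context: Context): Map<String, String> {
    val results = linkedMapOf<String, String>()

    // App-scoped since Android O (tied to the signing key); not in the restricted list.
    results["ANDROID_ID"] = probe("ANDROID_ID") {
        Settings.Secure.getString(context.contentResolver, Settings.Secure.ANDROID_ID)
    }

    // Both calls below exist from API 26 onwards.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
        // Hardware serial: one of the non-resettable identifiers.
        results["Build.getSerial"] = probe("Build.getSerial") { Build.getSerial() }

        // IMEI: also non-resettable.
        val tm = context.getSystemService(Context.TELEPHONY_SERVICE) as TelephonyManager
        results["TelephonyManager.getImei"] = probe("TelephonyManager.getImei") { tm.imei }
    }
    return results
}
```

With `targetSdkVersion 29` on an Android 10 device, the documentation quoted in the question predicts `SecurityException` for the last two entries, while `ANDROID_ID` stays readable as reported above.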