Android wallpaper fingerprints
Uniquely identifying users so that they can be tracked as they go about their business on the internet is, sadly, a major goal for advertisers and others today. Web browser cookies provide a fairly well-known avenue for tracking users as they traverse various web sites, but mobile apps are not browsers, so that mechanism is not available. As it turns out, though, there are ways to "fingerprint" Android devices—and likely those of other mobile platforms—so that the device owners can be tracked as they hop between their apps.
While cookies provide an easy mechanism to assign a unique ID to a particular browser instance, there are ways around being tracked that way. Since cookies are stored locally, they can be deleted or the browser can restrict how they can be used. Beyond that, users can instruct their browsers to reject cookies. Because of that, at least in part, browser fingerprinting came about.
Browser fingerprinting originally used JavaScript to query various characteristics of the browser environment (e.g. display size, plugins and fonts installed, localization settings) and combined that with information like the User-Agent string sent by the browser to derive an ID that was often unique to the user. As browser makers tried to reduce the amount and diversity of information revealed, tracking companies evolved newer techniques (e.g. canvas fingerprinting). The Panopticlick tool from the Electronic Frontier Foundation (EFF) helped demonstrate fingerprinting and the organization now has the Cover Your Tracks tool that shows how well the browser is protecting against fingerprinting.
In the mobile space, many of the same fingerprinting techniques work within the browsers, but these days users often use apps to access content, rather than a browser. Apps can simply directly send whatever information they deem necessary to do their job; they do not have to rely on users to store and preserve cookies. But Android apps do not have access to JavaScript and the browser environment directly, and the Android API is somewhat restrictive on what kinds of information about the environment apps can get. They also cannot directly share an ID with each other on the phone. So other techniques are needed.
In a recent blog post, Alexey Verkhovsky at FingerprintJS detailed one way to fingerprint devices using information extracted from wallpaper images on Android phones. Up until Android 8.1 (released in December 2017), apps could simply access the wallpaper images directly; in that release, Google restricted the getDrawable() call by requiring the READ_EXTERNAL_STORAGE permission. At the same time, though, a new getWallpaperColors() call was added to allow apps to get the three main colors used by the wallpaper images for the home or lock screens without requiring any special permissions. Android 12, released in October 2021, will use that information to theme the phone user interface.
The post looks at how those color values can be combined into a device fingerprint that will only change when the user, presumably infrequently, changes their wallpaper. There is a demonstration app on the Google Play store; a screen shot from running it on my phone is shown at right. It notes that my color combinations are unique in a small sample size, but my wallpaper also changes daily, so the tracking value of the ID generated would seem to be fairly low—and the same as others using the Android-provided "seascape" wallpaper.
The post suggests using default wallpapers and not changing them as mitigations for the information leak. Custom wallpapers or those of personal photos will make the phone more identifiable. Automatically changing wallpapers frequently would seem to help thwart the stability of the ID as well, though running through the same set of personal photos, for example, would add another level of identifiability if that were deemed important by an app author.
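A model of the trade-off described above, as an added example that is not from the article or from FingerprintJS: it derives an ID from the three colors reported for each of the home and lock screens, then counts how many devices in a constructed sample share each ID. The SHA-256 scheme, the function names and every color value are assumptions made for illustration.

```python
import hashlib
from collections import Counter

def wallpaper_id(home, lock):
    """ID from the (primary, secondary, tertiary) ARGB colors of the home and
    lock screen wallpapers; None marks a color that was not reported.
    SHA-256 over a joined string is an assumption made for this example."""
    parts = ["none" if c is None else f"{c & 0xFFFFFFFF:08x}"
             for screen in (home, lock) for c in screen]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

def anonymity_sets(devices):
    """Map each device to the number of devices in the sample sharing its ID."""
    ids = {name: wallpaper_id(home, lock) for name, (home, lock) in devices.items()}
    counts = Counter(ids.values())
    return {name: counts[dev_id] for name, dev_id in ids.items()}

def ids_over_time(schedule):
    """IDs an app would observe on one device, one per day of the schedule."""
    return [wallpaper_id(colors, colors) for colors in schedule]

# Constructed sample: three devices on the same stock wallpaper, two on photos.
STOCK = (0xFF1B3A57, 0xFF4F7CA8, 0xFFE8D9B5)
DEVICES = {
    "stock-a": (STOCK, STOCK),
    "stock-b": (STOCK, STOCK),
    "stock-c": (STOCK, STOCK),
    "photo-1": ((0xFF7A5230, 0xFF2E4D1C, None), (0xFF101010, None, None)),
    "photo-2": ((0xFFC04848, 0xFF303060, 0xFFF0E0D0), STOCK),
}

# Constructed rotation: one device cycling daily through three personal photos.
PHOTOS = [
    (0xFF224466, 0xFF88AACC, None),
    (0xFF663311, None, None),
    (0xFF335522, 0xFFDDCC99, 0xFF111111),
]
ROTATION = PHOTOS * 2  # six days, two full cycles

if __name__ == "__main__":
    for name, size in anonymity_sets(DEVICES).items():
        print(f"{name}: shares its ID with {size - 1} other device(s)")
    seen = ids_over_time(ROTATION)
    print("distinct IDs over six days:", len(set(seen)))
```

In this sample the stock-wallpaper devices are indistinguishable from one another while each photo wallpaper stands alone, and the rotating device yields the same three IDs on every cycle.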
FingerprintJS is a company focused on device fingerprints for fraud prevention in banking, commerce, gaming, and so on. Much of its code is available on GitHub, including the source for the wallpaper ID app and a general library for Android fingerprinting. There are other mechanisms for device identification, as an earlier blog post covers, but some of those either have been removed or may disappear over time. In addition, those identifiers may not be stable or can be spoofed, which makes them less than ideal for fraud prevention. But, of course, IDs that can be used to detect unauthorized transactions can also be used for other things—user tracking, for example.
The library has a "playground" app that can be installed to further investigate the kinds of information that can be gleaned from a phone. The variety and amount of information available is truly eye-opening, including such things as installed apps and localization choices—all of which are available to an app without giving it any extra permissions.
While the instability of wallpaper fingerprints may make them unsuitable for most use cases, the ability for any app to gain access to the data shows something of an unintended consequence of providing information for theming. As the earlier blog post notes, other properties of the device can be combined to create IDs that are likely to be unique and are stable, possibly over the entire lifetime of a device. As Android ratchets down access to some of that kind of information, which seems inevitable, Google probably will not remove all of it, for reasons the wallpaper blog post makes clear:
> Google has not restricted these for a number of years now, and it is unlikely that it ever will. At the end of the day, doing so would impact Android's efficacy as an advertising platform — and for the world's largest tech firm, it's a constant juggle between balancing these interests with protecting user privacy.
It is no surprise that unique IDs are desired for more than just the browser. Fraud prevention is certainly a laudable goal, for example. But being able to peer inside users' activities is rather less laudable, though it is even more desirable for entities ranging from advertisers to criminals to governments (and all of the shades of gray in between). It all adds up to more evidence, if any was truly needed, that our phones are privacy nightmares, which is something that we are probably never going to escape—at least in the standard mobile operating systems.
