EXADPrinter: Semi-Exhaustive Permissionless Device Fingerprinting Within the Android Ecosystem
Authors: Sihem Bouhenniche (Univ. Lille, CNRS, Inria), Pierre Laperdrix (Univ. Lille, CNRS, Inria), Walter Rudametkin (Univ. Rennes, CNRS, Inria, IRISA, IUF)
Volume: 2026
Issue: 3
Pages: 278–295
DOI: https://doi.org/10.56553/popets-2026-0082
Abstract: Android is the dominant mobile operating system, powering more than 70% of mobile devices and presenting a significant opportunity for user tracking. As privacy regulations tighten around how personal data can be used and collected, trackers are looking for alternatives that are under less scrutiny to evade detection. Device fingerprinting has emerged as a key solution, allowing trackers to create identifiers without user consent in a stealthy manner. Despite the extensive research on fingerprinting done from a web browser in the past decade, device fingerprinting on Android remains relatively understudied, with limited literature exploring its specific techniques and implications for user privacy. In this study, we introduce EXADPrinter, a novel semi-exhaustive permissionless device fingerprinting framework targeting Android devices. Without requiring permissions, our framework extracts over 200,000 properties per device by leveraging methods such as Java reflection and execution of shell commands. Through a dedicated Android application and a 13-month data collection, we gathered over 4,004 fingerprints coming from 3,143 different Android devices, covering 68 manufacturers and 9 Android versions ranging from 8 to 16. Through our framework, we demonstrate that diverse data can be collected about the hardware, the operating system and the user without requiring special permissions. We show that combining 5 attributes without any IDs or personal information is enough to identify 100% of devices of our dataset, painting a bleak picture of the current state of the Android ecosystem. Moreover, our framework highlights the negative impact of custom operating systems and manufacturer-specific customizations as they enhance the effectiveness of device fingerprinting. Furthermore, EXADPrinter uncovers some leakage of sensitive information caused essentially by manufacturer customizations, including the exposure of user emails, emergency contacts, and persistent identifiers such as SIM identifiers.
Keywords: Device Fingerprinting, Tracking, Personally Identifiable Information, Android
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.