Changes to device identifiers in Android O

[[189198]]

Android O introduces several improvements to help users control the use of identifiers. These improvements include:

• Restrict use of non-resettable device-scoped identifiers
• Updates the Android O WLAN stack to change the WLAN chipset firmware used by Pixel, Pixel XL, and Nexus 5x phones to randomize MAC addresses in probe requests
• Update the way apps request account information to provide more user-facing controls

Device identifier changes

Here are some of the changes made to device identifiers in Android O:

Android ID

In O, the Android ID (Settings.Secure.ANDROID_ID or SSAID) has a different value for each app and each user on the device. Developers who need to use a device-scoped identifier should instead use a resettable identifier, such as the Advertising ID, to give users more control. The Advertising ID also provides a user-facing setting for limiting ad tracking.

Additionally, in Android O:

• The ANDROID_ID value does not change when the package is uninstalled or reinstalled, as long as the package name and signing key are the same. Apps can rely on this value to persist across reinstalls.
• If the app is installed on a device running an earlier version of Android, the app's Android ID will remain the same after the device is updated to Android O unless the app is uninstalled and reinstalled.
• The value of the Android ID changes only when the device is factory reset or when the signing key is rotated during an uninstall and reinstall event.
• Only device manufacturers that pre-install Google Play Services and the Advertising ID need to change this value. Other device manufacturers can provide an alternative resettable ID or continue to provide the ANDROID ID.
• Build.SERIAL

To align with the runtime permissions required to access the IMEI, android.os.Build.SERIAL is now deprecated for apps targeting Android O or later. They can instead use the new Android O API, Build.getSerial(), which returns the actual serial number as long as the caller has the PHONE permission. In a future version of Android, Build.SERIAL queried by apps targeting Android O will show "UNKNOWN". To avoid disrupting the normal operation of older apps, apps targeting previous versions of Android will continue to see the same device serial number as before.

Net.Hostname

Net.Hostname provides the network hostname of the device. In previous versions of Android, the default value of the network hostname and the value of the DHCP hostname option both contained Settings.Secure.ANDROID_ID. In Android O, net.hostname is empty and the DHCP client no longer sends the hostname (anonymity-protected personal data) following IETF RFC 7844.

Widevine ID

For new devices running O, the Widevine Client ID will return a different value for each app package name and network origin (for web browsers).

Special system and setup properties

In addition to Build.SERIAL, there are other settings and system properties that are not available in Android O. These include:

• ro.runtime.firstboot: millisecond timestamp of the first boot after the last slide or last boot
• htc.camera.sensor.front_SN: Camera serial number (available on some HTC devices)
• persist.service.bdroid.bdaddr: Bluetooth MAC address property
• Settings.Secure.bluetooth_address: Device Bluetooth MAC address. In O, only applications with LOCAL_MAC_ADDRESS permission can use this property.

Randomize MAC addresses in WLAN probe requests

We worked with security researchers1 to design robust MAC address randomization for Wi-Fi scan traffic generated by the chipset firmware in Google Pixel and Nexus 5X devices. The Android Connectivity team then worked with manufacturers to update the Wi-Fi chipset firmware used in these devices.

Android O integrates these firmware changes into the Android Wi-Fi stack, so devices using these chipsets with updated firmware and running Android O or higher will be able to take advantage of these changes.

Here are some of the changes we've made to the firmware for Pixel, Pixel XL, and Nexus 5x running Android O and above:

• When the WLAN is disconnected from the access point, the phone uses a new randomly assigned MAC address each time it scans for WLAN (regardless of whether the device is in standby mode or not).
• The initial packet sequence number for each scan is also randomly generated.
• Unnecessary probe request information elements have been removed: the required information elements are limited to the SSID and DS parameter set.

Changes in getAccounts API

In Android O and higher, having the GET_ACCOUNTS permission is no longer sufficient to gain access to the list of accounts registered on a device. Apps must use APIs provided by apps that manage specific account types, or the user must grant access to this account through an account chooser activity. For example, Gmail can access Google accounts registered on a device because Google owns the Gmail app, but the user might need to grant Gmail access to information about other accounts registered on the device.

To gain account access, apps targeting Android O or higher should use AccountManager#newChooseAccountIntent() or authenticator-specific methods. Apps targeting lower SDK versions can still use the current flow.

In Android O, apps can also use the AccountManager.setAccountVisibility()/getVisibility() methods to manage the visibility policy of accounts owned by these apps.

Additionally, the LOGIN_ACCOUNTS_CHANGED_ACTION broadcast is deprecated but still works in Android O. Apps should use addOnAccountsUpdatedListener() to get updates on accounts at runtime to get an app-specified list of account types.