this post was submitted on 16 Feb 2024
29 points (91.4% liked)


AAAD is a freemium sideloaded app that allows you to install unofficial apps for Android Auto.

At startup it sends some device identifier to its server and checks if you have a license; otherwise it goes into trial mode, where you can try one app every month.

It doesn't ask for any additional permissions. No storage, no phone/IMEI and no location. If you uninstall it, somehow it knows you previously downloaded it.

Tried to reset the advertising ID, no change.

My questions:

  1. How the hell is the app able to fingerprint the user like that, persisting across uninstalls?

  2. How to reset the counter?

[–] 12510198@lemmy.blahaj.zone 8 points 9 months ago (1 children)

I did an internet search on "AAAD" and I found this GitHub repository. I'm not sure if it is the same, but they seem to serve the same purpose and share the same name. I took a look at the code and I saw something about Settings.Secure.ANDROID_ID in AboutPaymentActivity.kt, so I did some searching on that, and according to a person on Stack Overflow, Settings.Secure.ANDROID_ID is an ID unique to every app on your phone; this ID will persist across uninstalls and reinstalls. The only reason it should change is if the package name or signing key changes. Also, it should be different for different users on the phone, but I'm guessing it might not be possible to add more users on Android Auto. I'm not sure, I've never really used one.

Now, about circumventing it, you could modify the source code and remove the license verification checks and rebuild, but this might not be legal. I'm not too good with legal stuff, but the license had a few words that suggest it might be non-free, but if software licenses aren't an issue, feel free! There is also the option of just re-signing the APK with your own key, which should change the ID. I believe you can do this in Lucky Patcher with one click, but Lucky Patcher is kind of sketchy and might not be able to work on Android Auto. I don't know much about them.

I hope this helps. I'm sorry I couldn't find anything that could just reset it and be done with it; maybe someone else might chime in with a more helpful answer.
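
A simplified model of the scoping discussed in the comment above, added here as an illustration (it is not code from the thread or from the AAAD repository). It follows the documented behaviour on Android 8.0 and later, where ANDROID_ID is unique per combination of app-signing key, user and device; the HMAC construction, the class and function names, and the certificate bytes are assumptions made for the model.

```python
import hashlib
import hmac
import os


def scoped_id(user_key: bytes, signing_certs: list[bytes]) -> str:
    """HMAC-SHA256 over the length-prefixed signing certs, keyed by the
    per-user secret, truncated to 64 bits (16 hex characters)."""
    mac = hmac.new(user_key, digestmod=hashlib.sha256)
    for cert in signing_certs:
        mac.update(len(cert).to_bytes(4, "big"))
        mac.update(cert)
    return mac.hexdigest()[:16]


class ModelDevice:
    """Toy device: per-user secrets live outside any app's data."""

    def __init__(self) -> None:
        self._user_keys: dict[int, bytes] = {}

    def _user_key(self, user: int) -> bytes:
        # Created once per user, untouched by app uninstall.
        return self._user_keys.setdefault(user, os.urandom(32))

    def android_id(self, signing_certs: list[bytes], user: int = 0) -> str:
        return scoped_id(self._user_key(user), signing_certs)

    def factory_reset(self) -> None:
        self._user_keys.clear()


def scoping_report() -> dict[str, bool]:
    vendor_cert = b"constructed-cert-A"  # constructed sample values
    other_cert = b"constructed-cert-B"
    phone, other_phone = ModelDevice(), ModelDevice()
    first = phone.android_id([vendor_cert])
    # "Reinstall": the app's data is gone, the user secret is not.
    after_reinstall = phone.android_id([vendor_cert])
    report = {
        "same_after_reinstall": first == after_reinstall,
        "differs_for_other_signing_key": first != phone.android_id([other_cert]),
        "differs_for_other_user": first != phone.android_id([vendor_cert], user=10),
        "differs_on_other_device": first != other_phone.android_id([vendor_cert]),
    }
    phone.factory_reset()
    report["differs_after_factory_reset"] = first != phone.android_id([vendor_cert])
    return report
```

Because the value is derived from state the app does not own, clearing or removing the app leaves it unchanged, which is why it needs no runtime permission and is unaffected by resetting the advertising ID.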

[–] Moonrise2473@feddit.it 5 points 9 months ago (1 children)

Wow, this sucks.

Not for this app because anyway it looks like it's not working on Android 14, but because shady apps can reliably track installs, uninstalls and so on.

[–] 12510198@lemmy.blahaj.zone 3 points 9 months ago (1 children)

I was thinking about that too. I can't think of much this ID is good for other than fingerprinting users. It just sucks that there isn't much of anything that can be done about it without a rooted device or privacy ROM.

[–] Moonrise2473@feddit.it 3 points 9 months ago

I was happy that finally Google after Android 10 returned an invalid IMEI to all those apps that asked the phone permission for fingerprinting reasons (almost all the Chinese apps like WeChat, Taobao, Amap, Baidu, required the phone permission and if you denied it, they directly sent you to the uninstall page), then left this huge unpatched & unpatchable hole that doesn't even require a specific permission...