AAAD it’s a freemium sideloaded app that allows you to install unofficial apps for Android auto.

At startup it sends some device identifier to his server and checks if you have a license, otherwise goes in trial mode where you can try one app every month.

It doesn’t ask any additional permission. No storage, no phone/IMEI and no location. If you uninstall it, somehow it knows you previously downloaded it.

Tried to reset the advertising id, no change

My questions:

  1. How the hell the app is able to fingerprint the user like that, persisting uninstalls?

  2. How to reset the counter?

  • 12510198
    link
    fedilink
    English
    arrow-up
    8
    ·
    10 months ago

    I did a internet search on “AAAD” and I found this github repository. I’m not sure if it is the same, but they seem to serve the same purpose and share the same name. I took a look into the code and I saw something about Settings.Secure.ANDROID_ID in AboutPaymentActivity.kt, so I did some searching on that, and according to a person on stackoverflow, Settings.Secure.ANDROID_ID is a ID unique to every app on your phone, this ID will persist across uninstalls and reinstalls. The only reason it should change is if the package name or signing key changes. Also it should be different for different users on the phone, but im guessing it might not be possible to add more users on android auto, im not sure, I’ve never really used one.

    Now, about circumventing it, you could modify the source code and remove the license verification checks and rebuild, but this might not be legal, I’m not to good with legal stuff, but the license had a few words that suggest it might be non-free, but if software licenses arent an issue, feel free! There is also the option of just resigning the apk with your own key, which should change the ID, I believe you can do this in luckypatcher with one click, but lucky patcher is kind of sketchy and might not be able to work on android auto, I dont know much about them.

    I hope this helps, im sorry I couldnt find any like anything that could just reset it and be done with it, maybe someone else might chime in with a more helpful answer.

    • Moonrise2473@feddit.itOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      10 months ago

      Wow, this sucks.

      Not for this app because anyway it looks like it’s not working on Android 14, but because shady apps can reliably track installs, uninstalls and so on.

      • 12510198
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        I was thinking about that too, I cant think of much this ID is good for other than fingerprinting users. It just sucks that there isnt much of anything that can be done about it without a rooted device or privacy rom.

        • Moonrise2473@feddit.itOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          10 months ago

          I was happy that finally Google after android 10 returned an invalid IMEI to all those apps that asked the phone permission for fingerprinting reasons (almost all the Chinese apps like WeChat, taobao, amap, Baidu, required the phone permission and if you denied it, they directly sent you to the uninstall page), then left this huge unpatched & unpatchable hole that doesn’t even require a specific permission…