This article is from the public number: minority, author: Noah_Choi, picture from: Picture Bug Ideas

In the afternoon you chat with colleagues on WeChat about the AirPods Pro experience, and that evening it starts being recommended to you; out of curiosity you search for cat-care tips, and when you open the Taobao homepage the recommendations are cat litter and cat climbing frames… There may even be “absolutely impossible” situations, where the phone seems to have overheard you and your friends and to know what you are thinking.

These situations are what ad tracking looks like in practice.

Although respect for user privacy and limits on ad tracking data have become an important part of iOS and Android feature updates in recent years, in the domestic Android ecosystem, where Google is absent and quality is mixed, personal privacy is still readily obtained through various ad tracking methods. The OAID we are going to introduce today is the latest of many ad tracking methods.

ID system: you are just a string of code

To understand OAID, we must first understand the ID system: to track a user, we must first find the user. In this process, the identifier (ID) is just like our ID cards: it represents you and me after digitization.

Different apps may force you to be tracked through some unique identifier. The advertising platform uses this identifier to build a user profile of you and then shares it with related apps and their backends. Once “you” open these apps, you will be recognized: what you ordered, what you have seen, what you may need. They know it more clearly than you do.

There are many different kinds of identifiers in the ID system of smart devices. Here are a few IDs in Android devices, which may be used for tracking or identification in different aspects:


IMEI


IMEI should be the ID most familiar to everyone. It is the ID card of the mobile phone, and the code operators use to identify devices that access the network. It is a permanent identifier that cannot be reset, and its scope is the device.

In terms of ad tracking, due to iOS’s permission control, third-party apps on iOS cannot track users through IMEI, but most apps on the Android platform (especially in China) currently track users through IMEI. Most of the examples mentioned in the opening are also implemented through IMEI tracking.

A similar identifier is IMSI, which is mainly used to identify the SIM card. It will not be expanded on here.

Android ID (SSAID)

As the name implies, Android ID is a kind of “semi-permanent identifier” on Android devices that does not depend on hardware. It does not change during the system life cycle, but it does change after the system is reset or flashed. Its scope is a group of related applications.

Android Developer Documentation and Google Developers Chinese Blog explain the privacy and SSAID changes after Android 8.0:

A description of Android 8.0 privacy changes in the Android developer documentation:

It is not difficult to see from the figure that after Android 8.0, apps with different signatures obtain different Android IDs (SSAID), but the same developer can still associate the different apps it develops through its own digital signature.
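The scoping described above can be modeled in a few lines: since Android 8.0 the Android ID is unique to each combination of app-signing key, user, and device. The Python sketch below is an added example, not code from the original article and not Android's actual implementation; the HMAC construction, the `DeviceUser` class and the certificate byte strings are assumptions chosen only to reproduce that scoping.

```python
import hashlib
import hmac
import secrets

class DeviceUser:
    """Toy model of one (device, user) pair; not Android's real code."""

    def __init__(self):
        # Assumption: a per-device, per-user secret created at first boot.
        self._secret = secrets.token_bytes(32)

    def factory_reset(self):
        # A reset or reflash discards the old secret, so every SSAID changes.
        self._secret = secrets.token_bytes(32)

    def ssaid(self, signing_cert: bytes) -> str:
        # Keyed hash over the signing certificate only: the package name is
        # deliberately not an input, so apps sharing a key share an ID.
        digest = hashlib.sha256(signing_cert).digest()
        mac = hmac.new(self._secret, digest, hashlib.sha256).hexdigest()
        return mac[:16]  # ANDROID_ID is a 64-bit value rendered as hex

def scoping_report():
    """Compare SSAIDs across apps, developers, devices and a reset."""
    cert_a = b"constructed-cert-developer-A"   # constructed sample values
    cert_b = b"constructed-cert-developer-B"
    phone, other_phone = DeviceUser(), DeviceUser()
    app1 = phone.ssaid(cert_a)          # developer A, first app
    app2 = phone.ssaid(cert_a)          # developer A, second app
    app3 = phone.ssaid(cert_b)          # developer B
    elsewhere = other_phone.ssaid(cert_a)
    phone.factory_reset()
    after_reset = phone.ssaid(cert_a)
    return {
        "same_developer_linkable": app1 == app2,
        "cross_developer_linkable": app1 == app3,
        "cross_device_linkable": app1 == elsewhere,
        "survives_factory_reset": app1 == after_reset,
    }

if __name__ == "__main__":
    print(scoping_report())
```

Only the first entry of the report is true: one developer can still link its own apps on one device, while cross-developer, cross-device and post-reset correlation through this ID fails.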

Device ID

On the Android platform, Device ID is a collective term. All hardware-related IDs can be referred to as Device IDs. Generally, they are non-resettable permanent identifiers that are scoped to devices.

Depending on the device, the manufacturer, or what the app requests, reading the Device ID may return the IMEI or another hardware code, but it may also fail or return an invalid value because the device has no such hardware. Correspondingly, iOS devices have a similar permanent identifier called UDID. Since iOS 6, however, Apple has not allowed apps that require UDID to be listed on the App Store, to prevent this non-resettable ID from being used for tracking or abuse. It was replaced by the IDFA identifier, which is the advertising identifier for iOS devices.

There is also a unique device identifier called openUDID, which can be used on both iOS and Android, but it is not officially provided by the system. It is generated by third-party apps, so it is not widely used. As systems have been iteratively upgraded, openUDID has gradually been marginalized or even abandoned.

UUID, GUID

UUID is also called instance ID. These two IDs can be said to be universal identifiers in the computer system.

The meaning varies slightly depending on the object you are targeting. If the first three IDs can be used to identify the device, the role of these two IDs in the Android system is mainly to identify App processes, elements, or data.

Because their scope is only within a single app, if the user uninstalls and reinstalls the app, the UUID will also change. However, app developers can achieve “quasi-permanent” UUID identifiers by storing UUIDs or combining, binding, and calculating with other IDs and user information.

According to Android Developer Guide:

The easiest and clearest way to identify an application instance running on a device is to use the instance ID, which is the recommended solution in most non-advertising use cases. This identifier can only be accessed by the application instance it was specifically configured for, and it is (relatively) easy to reset the identifier because it exists only during the application installation period.

As a result, instance IDs have better privacy attributes than device-level hardware IDs that cannot be reset.

AAID

AAID is the same kind of ID as IDFA: IDFA is the ad tracking ID on the iOS platform, and AAID is used on the Android platform.

They are non-permanent, resettable identifiers provided to apps specifically for advertising purposes. Users can reset this type of ID at any time, or turn off personalized ad tracking in the system settings. However, AAID relies on the Google services framework, so if the phone does not have the framework built in, the framework is incomplete, or it cannot connect to the related services, AAID may be unavailable.

In addition to these ID identifiers above, some hardware IDs (such as MAC addresses) may also be used for tracking.

Ad Tracking for Android in China

There are so many ID identifiers, each with its own role. In theory, only AAID and IDFA are really used for advertising behavior.

But this is clearly not the case.

On the one hand, many apps on the Android platform routinely violate Android development specifications, bypass Google Play review, and track users by abusing IDs in order to serve commercial interests such as advertising traffic and marketing analysis.

On the other hand, AAID relies on the Google services framework, but Google services cannot be used in China, and most China-market phones ship with incomplete Google services. App developers need to find another way to identify users.

The scope of UUID and GUID is too small to be suitable for ad tracking. Android ID can be changed in some ways or be unavailable due to bugs, so its usability for third-party apps is not guaranteed. The MAC address is accurate, but from Android 6.0 (API 23) to Android 9 (API 28) the system restricted the APIs that third-party apps can use to obtain it. In addition, in earlier years most “non-enthusiast users” had little awareness of such features. So that third-party apps could track users in a more precise and durable way, IMEI became the preferred ID for ad tracking (in the Google Play Help Center, obtaining a permanent identifier is described as a conditional, fallback method of ad delivery, so until then this method was not completely illegal).

Related instructions in Google Play Help Docs

This is also the reason why we see many apps asking for the “phone” permission before they will run: reading the IMEI requires the “phone” permission. But this also brings privacy issues, because granting the “phone” permission may let the app read a lot of other information. It is as if I ask you for your ID card just to look up the ID number, but your name, address, and birthday are exposed to me at the same time.

We can check the permissions, resources and privacy information that some apps may need on this website. For example, for WeChat version 6.7.3 as recorded on the website, WeChat obtained the following permissions, but sending of the following privacy data was not detected.

Permissions required by WeChat version 6.7.3

WeChat version 6.7.3 did not send the above privacy information (a gray dashed box marks items that were not detected)

Android 10 (API 29) finally restricts third-party apps from obtaining non-resettable permanent device identifiers (you can test this with the My IMEI app).

Apps cannot get IMEI information in Android 10
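The permission and API-level rules in this section can be checked mechanically when reviewing an app. The following Python sketch is an added example, not part of the original article: the manifest is constructed, the function names and verdict strings are hypothetical, and the Android 10 branch follows the Android developer documentation (apps targeting API 28 or lower get null or placeholder data, apps targeting API 29 or higher get a SecurityException).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PHONE = "android.permission.READ_PHONE_STATE"

# Constructed sample manifest (decoded text form); not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.adsdemo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

def parse_manifest(xml_text):
    """Return (declared permission names, targetSdkVersion)."""
    root = ET.fromstring(xml_text.strip())
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    return perms, target

def imei_exposure(xml_text, device_api):
    """Verdict on whether this third-party app can read the IMEI on a device."""
    perms, target = parse_manifest(xml_text)
    if PHONE not in perms:
        return "no-phone-permission"          # IMEI call fails on every version
    if device_api >= 29:                      # Android 10 and later
        # target <= 28 gets null/placeholder data, target >= 29 gets a
        # SecurityException. Either way the IMEI is not returned.
        return "blocked-returns-null" if target <= 28 else "blocked-security-exception"
    if device_api >= 23 and target >= 23:     # runtime permission model
        return "readable-after-runtime-grant"
    return "readable-granted-at-install"

if __name__ == "__main__":
    for api in (22, 28, 29):
        print(api, imei_exposure(SAMPLE_MANIFEST, api))
```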

OAID: Alternative after Android 10

At this point, domestic apps and advertising tracking services urgently needed an alternative to avoid losing advertising traffic, and so OAID was born.

Instructions for Android 10 Restricted Device Identifier Reading in Android Developer Documentation

In essence, OAID is an advertising tracking identifier used on China-market systems to “rescue” domestic mobile advertising in response to Android 10 restricting the reading of IMEI. Behind it is the Mobile Security Alliance (MSA).

The China Academy of Information and Communications Technology serves as the alliance’s chairman and secretary-general unit, with Peking University, vivo, 360, and Huawei as vice-chairman units. The identifier system to which OAID belongs is also led by the alliance.

Illustration of the supplementary device identification system

According to the alliance’s official website and development documentation, this “localized” identifier system includes four identifiers: besides OAID, there are UDID, VAID, and AAID.

I know what you’re thinking, but the UDID and AAID here are completely different from those mentioned in the previous section. You can learn about the four types of identifiers stipulated in the “Mobile Intelligent Terminal Supplementary Device Identification System” and the interface development methods for obtaining them. In addition, you can download the SDK development instructions from the MSA official website or from the developer websites of its member units.

Supplementary device identification system

Supplementary device identification system acquisition interface

From the description and functions of these four identifiers, we can roughly determine that the UDID, OAID, VAID, and AAID specified in the “Mobile Intelligent Terminal Supplementary Device Identification System” correspond, respectively, to the Device ID (for example IMEI, or UDID on iOS devices), AAID, SSAID, and UUID (or GUID).

In an ideal state, the introduction of OAID will keep the advertising platforms running normally while reducing the impact on users: third-party apps do not need to request a permission to use OAID for advertising activities, the process is anonymous, and the user can reset the OAID at any time.

From the press release issued by the advertising service provider Adjust on December 20, 2019, we also know that Adjust has integrated the OAID advertising identifier and can provide advertising-related services to advertisers in mainland China. The domestic advertising data service provider Shenshen Data also provides an OAID adaptation guide in its help documents, and Huawei provides an access guide for its OAID-based “HUAWEI Ads OAID” advertising platform on its developer platform.

A brief introduction to OAID in the help document by Shenshen Data

In fact, mainstream mobile phone manufacturers have already provided Android 10 adaptation guidelines on their developer platforms, including the Samsung China Developer Website, Huawei Developer Alliance, OPPO Open Platform, and vivo Open Platform. They explain the relevant changes and suggest solutions, including Google’s official identifier adaptation suggestions and OAID adaptation methods.

OPPO open platform references Android developer documentation as the recommended adaptation plan

MSA documentation is cited as one of the recommended solutions on Samsung China Developer Website

In addition, OPPO and vivo have also provided relevant documents and SDK downloads for the “Mobile Intelligent Terminal Supplementary Device Identification System” on their open platforms.

It is not difficult to see that advertising platforms have begun to integrate OAID as the recommended solution for a domestic advertising identifier, and mainstream device manufacturers have begun to guide developers to adopt the “Mobile Intelligent Terminal Supplementary Device Identification System”. Considering that the mainstream domestic app preinstallation and distribution platforms (such as the built-in app stores of mobile phone manufacturers) have, like Google Play, imposed mandatory API levels on listed apps, the identifier system including OAID will undoubtedly become the mandatory standard for domestic third-party apps.

Summary

Finally, from a user’s perspective, how should we look at OAID?

Android has been working hard on security and privacy, and it is precisely because of the drastic action taken in Android 10 that unique identifiers such as IMEI are no longer abused. Looking at the domestic market, however, in an environment where Google services still do not work properly, introducing a localized system standard that takes into account both user privacy and security and the interests of advertising channels can actually be called an improvement. Similar measures include the “mutual transmission alliance”, “uniform push”, and so on.

But even if this system is the optimal solution in the current environment, in the long run what the domestic Android ecosystem really needs is not only this mandatory standard, but also self-management at the source by mobile phone manufacturers and app developers.
