Android offers myriad apps that are available for users to download.
Many of these are able to track user behaviours using what is called an advertising ID to deliver personalised promotions.
Users are able to reset their advertising ID, which acts in a similar fashion to clearing cookies on a web browser.
Performing such a function means it is harder for future applications to deliver personalised ads based on previous activities.
Instead, once an advertising ID has been reset, a new profile for the user will typically have to be formed from future engagements.
In its terms of usage for Android advertising IDs, Google recommends they should not be connected with personal identifiers.
The relevant section of the document reads: “The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.) without explicit consent of the user.”
Personal identifiers are signatures on a user device that are either difficult to alter or cannot be changed.
These include, for instance, an Android ID, an International Mobile Equipment Identity (IMEI) or a MAC address.
While the American tech giant advises against linking the two unless the user provides consent, new research from the International Computer Science Institute, reported by CNET, has claimed around 17,000 apps are connecting identifiers in order to create a permanent activity record of users.
This means the apps in question would be able to deliver targeted advertising, even if the user resets their advertising ID.
The team claimed the information in question was being sent to advertising services.
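One way a reviewer could check outbound app traffic for the linking described above, as an added example that is not code from the ICSI study or from this article: it classifies request fields by value format and flags any request carrying an advertising ID alongside a persistent identifier. The field names, sample request bodies and format heuristics are constructed assumptions.

```python
import re
import uuid
from urllib.parse import parse_qsl

# Format heuristics (assumptions): MAC as six hex pairs, Android ID as 16 hex chars.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
SSAID_RE = re.compile(r"^[0-9A-Fa-f]{16}$")

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; this rejects arbitrary 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value: str):
    """Return the identifier type a value looks like, or None."""
    if MAC_RE.match(value):
        return "mac"
    if SSAID_RE.match(value):
        return "android_id"
    if re.fullmatch(r"\d{15}", value) and luhn_ok(value):
        return "imei"
    try:
        if len(value) == 36 and uuid.UUID(value):  # hyphenated UUID form
            return "advertising_id"
    except ValueError:
        pass
    return None

def audit_request(body: str) -> dict:
    """Classify fields by value, not key name, and flag ad ID + persistent ID."""
    found = {}
    for key, value in parse_qsl(body):
        kind = classify(value)
        if kind:
            found.setdefault(kind, []).append(key)
    persistent = sorted(k for k in found if k != "advertising_id")
    linked = "advertising_id" in found and bool(persistent)
    return {"found": found, "persistent": persistent, "linked": linked}

# Constructed sample request bodies (not taken from any real app or ad service).
SAMPLES = {
    "linked": "aid=38400000-8cf0-11bd-b23e-10b96e40000d&did=490154203237518&os=6.0",
    "ad_id_only": "aid=38400000-8cf0-11bd-b23e-10b96e40000d&os=6.0",
    "mac_ssaid": "ifa=38400000-8cf0-11bd-b23e-10b96e40000d&m=02:00:00:aa:bb:cc&a=9774d56d682e549c",
}
```

Matching on value format rather than field name matters here because the key names used in requests vary from one service to another.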
Serge Egelman, Research Director of the Usable Security and Privacy Group at ICSI who headed the report, said “privacy disappears” when personal identifiers are collected by apps.
The results from the new report were found using Android devices running the Marshmallow iteration of the operating system.
Android 6 Marshmallow remains the most popular version of the software, according to Google’s distribution dashboard.
Some of the apps accused of linking such information were Angry Birds Classic, Audible Audiobooks and Flipboard.
Moreover, a number of programmes from developer Cheetah Mobile were also said to be responsible.
They were Clean Master, Battery Doctor and Cheetah Keyboard.
CNET noted each of the programmes in question has been installed on “at least 100 million devices”.
Egelman’s team reported their findings to Google back in September.
In response, the tech giant said it had acted against some of the apps in question.
However, it was not clarified if this applied to every programme accused of such behaviour.
Moreover, it did not state which, if any, app policies had been violated.
Google clarified that for certain purposes, such as fraud detection, making use of some personal identifiers was accepted.
But it insisted this should not be the case for advertising.
Commenting on the matter, a Google spokesperson said: “We take these issues very seriously.
“Combining Ad ID with device identifiers for the purpose of ads personalisation is strictly forbidden.
“We’re constantly reviewing apps — including those listed in the researcher’s report — and will take action when they do not comply with our policies.”
CNET said it reached out to both Audible and Angry Birds developer Rovio for a comment on the matter.
However, neither responded.
A spokesman for Cheetah Mobile said a user’s Android ID is not used for targeted ads.
Instead, it was stated, this was used to track app installations.
Finally, Flipboard denied using a user’s Android ID for targeted advertising.