BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.pass-the-salt.org//pts2025//talk//BT3FTH BEGIN:VTIMEZONE TZID:CET BEGIN:STANDARD DTSTART:20001029T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:CET TZOFFSETFROM:+0200 TZOFFSETTO:+0100 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:CEST TZOFFSETFROM:+0100 TZOFFSETTO:+0200 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-pts2025-BT3FTH@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T161000 DTEND;TZID=CET:20250703T163000 DESCRIPTION:Android is the dominant mobile operating system\, powering more than 70% of the global mobile market and presenting a significant opportu nity for user tracking. As privacy regulations tighten around how personal data can be used and collected\, trackers are looking for alternatives th at are under less scrutiny to evade detection. Device fingerprinting has e merged as a key solution\, allowing trackers to create identifiers without user consent in a stealthy manner. Despite the extensive research on fing erprinting done from a web browser in the past decade\, device fingerprint ing on Android remains relatively understudied\, with limited literature e xploring its specific techniques and implications for user privacy.\n\nIn this study\, we introduce EXADPrinter\, a novel exhaustive permissionless device fingerprinting framework targeting Android devices. Without requiri ng permissions\, our framework extracts over 200\,000 properties per devic e by leveraging methods such as Java reflection and execution of shell com mands. Through a dedicated Android application and a 6-month data collecti on\, we gathered over 1151 fingerprints coming from 833 different Android devices\, covering 41 manufacturers and 7 Android versions ranging from 9 to 15.\n\nThrough our framework\, we demonstrate that diverse data can be collected about the device hardware\, the operating system running on it\, and the user\, without requiring special permissions. We show that combin ing a few attributes without any IDs or personal information is enough to uniquely identify each device of our dataset\, painting a bleak picture of the current state of the Android ecosystem.\nMoreover\, our framework hig hlights the negative impact of custom operating systems and manufacturer-s pecific customizations as they enhance the device fingerprinting effective ness. Furthermore\, EXADPrinter uncovers some leakage of sensitive informa tion caused essentially by manufacturer customizations\, including the exp osure of user emails\, emergency contacts\, and persistent identifiers suc h as SIM identifiers. DTSTAMP:20260512T170250Z LOCATION:Amphitheater 122 SUMMARY:EXADPrinter: Exhaustive Permissionless Device Fingerprinting Within the Android Ecosystem - Sihem Bouhenniche (University of Lille - Inria) URL:https://cfp.pass-the-salt.org/pts2025/talk/BT3FTH/ END:VEVENT END:VCALENDAR