Require user permission to access Media DRM ID
This discussion (which cites this web site and this blog post) claims apps can access a tracking ID which persists until a factory reset. Here is a scrap of Google documentation which appears to concur.
Would it be possible to restrict app access to the MediaDrm ID? It seems as if most apps don't have a legitimate reason to access it.
This StackOverflow answer: Android 10: IMEI no longer available on API 29. Looking for alternatives suggests the Widevine Media DRM ID persists across factory reset on some phones, including, allegedly, a Pixel 4a.
> Would it be possible to restrict app access to the MediaDrm ID? It seems as if most apps don't have a legitimate reason to access it.
Yes, this is a planned feature.
That's great news. And thanks for taking the time to update the issue!
(For information, or confirmation) I used the latest release from https://github.com/fingerprintjs/fingerprintjs-android on a Pixel 8 (GPJ41 model).
I used the app before the factory reset, after a first one (with Erase all data under GOS), and after a second one (in recovery mode).
On the app, under the Device ID tab, for at least version 5:
The string Media DRM ID has never changed since the first use of the app. (The Your Device ID string is the same string as Media DRM ID.)
On the app, under the Device Fingerprint tab:
The Your Device Fingerprint string (V5, Stability level set at Stable) has never changed since the first use of the app.
To add a bit more to this: Snapchat is a widely popular app in the United States and other countries which uses MediaDrm on Android to track its users. [...] They have something called a 'device ban' which takes advantage of the MediaDrm ID. [...] Once you are device banned from Snapchat, the MediaDrm ID is stored on Snapchat's servers permanently. You will not be allowed to use Snapchat anymore because Snapchat repeatedly contacts its servers for the MediaDrm ID.
Not to turn this issue thread into a discussion forum, but is it possible to provide a link to some sort of documentation that Snapchat uses the Media DRM ID on Android for tracking and banning in this fashion? The claim is not implausible, but evidence is always good when available.
This paper:
Patat, Sabt, and Fouque, "Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME", Proceedings on Privacy Enhancing Technologies 2023(4), 306–321, https://petsymposium.org/popets/2023/popets-2023-0112.pdf
...indicates (Section 4.3, Section 5.1) that the W3C believes it is the responsibility of web browsers to warn users about DRM-related persistent identifiers. It also presents experimental evidence suggesting that the EME "Client ID" persists for at least months on mobile devices. Interestingly but unsurprisingly, on-device apps have more access to properties than web apps (Section 8.3). The issue of factory resets or OS installs does not appear to have been investigated in this study.
For example, if there is a dating app, and they want to fight scammers, a fingerprint is a good idea to detect fraudulent devices. To make sure the fingerprint can't be reused by other services or 3rd parties, we can encrypt it securely before sending it to the backend. Even if the backend is compromised, those fingerprints can't be used to identify the device by others.
It would be more useful to present the user with the option to use a previous drm_id (if they don't want to hide; hiding can leak information, for example if they log in to the same account later the spoofing will be noticed) or to generate a fresh one.
> For example, if there is a dating app, and they want to fight scammers, a fingerprint is a good idea to detect fraudulent devices. To make sure the fingerprint can't be reused by other services or 3rd parties, we can encrypt it securely before sending it to the backend. Even if the backend is compromised, those fingerprints can't be used to identify the device by others.
This makes no sense: an encrypted fingerprint sent to a backend can be used by other services, and this message is irrelevant to the issue anyway.
> > For example, if there is a dating app, and they want to fight scammers, a fingerprint is a good idea to detect fraudulent devices. To make sure the fingerprint can't be reused by other services or 3rd parties, we can encrypt it securely before sending it to the backend. Even if the backend is compromised, those fingerprints can't be used to identify the device by others.
> This makes no sense: an encrypted fingerprint sent to a backend can be used by other services, and this message is irrelevant to the issue anyway.
No, it can't be used because they don't know the original Media DRM and the way it was encrypted.
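To make the two positions in the last exchange concrete, here is a small simulation added to this thread (not code from any of the participants or from GrapheneOS). It stands in for `MediaDrm.getPropertyByteArray("deviceUniqueId")` with a constructed constant that, as reported above for affected devices, does not change across a factory reset, and assumes the "encrypt before sending" scheme is a keyed hash (HMAC-SHA256) under a key each service holds privately.

```python
import hashlib
import hmac

# Constructed stand-in for the Widevine device unique ID. On the devices
# discussed in this issue the real value survives a factory reset, so the
# simulated reset below returns it unchanged.
DEVICE_UNIQUE_ID = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def factory_reset(device_id: bytes) -> bytes:
    """Model a factory reset on an affected device: the DRM ID is untouched."""
    return device_id


def keyed_token(device_id: bytes, service_key: bytes) -> str:
    """Per-service pseudonym: HMAC of the DRM ID under that service's secret key
    (assumed realisation of 'encrypt it securely before sending')."""
    return hmac.new(service_key, device_id, hashlib.sha256).hexdigest()


def unkeyed_token(device_id: bytes) -> str:
    """Weaker variant: a plain hash, which anyone holding the raw ID can recompute."""
    return hashlib.sha256(device_id).hexdigest()


def compare_schemes(device_id: bytes, key_a: bytes, key_b: bytes) -> dict:
    """Return which pairs of tokens can be matched, for one device and two services."""
    before = keyed_token(device_id, key_a)
    after_reset = keyed_token(factory_reset(device_id), key_a)
    other_service = keyed_token(device_id, key_b)
    # A third party that obtained the raw ID through its own app recomputes the
    # unkeyed hash and matches it against a leaked unkeyed database.
    leaked_unkeyed = unkeyed_token(device_id)
    recomputed_by_third_party = unkeyed_token(device_id)
    return {
        # The service itself still recognises the device after a reset; this is
        # the persistence the issue is about and no client-side encoding removes it.
        "same_service_survives_reset": hmac.compare_digest(before, after_reset),
        # Distinct secret keys give distinct tokens, so services cannot link them
        # without sharing or leaking a key.
        "linkable_across_services_with_distinct_keys": hmac.compare_digest(before, other_service),
        # An unkeyed hash offers no such protection once the raw ID is known.
        "unkeyed_hash_linkable_by_anyone_with_raw_id": hmac.compare_digest(
            leaked_unkeyed, recomputed_by_third_party),
    }


if __name__ == "__main__":
    print(compare_schemes(DEVICE_UNIQUE_ID, b"dating-app-secret", b"other-app-secret"))
```

The result shows both points at once: a per-service key blocks cross-service linkage only while that key stays secret, and no client-side transformation stops the service itself from recognising the device across factory resets.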