Skip to main content
← Back to Blog
Technical Deep Dive·10 min read·

Device Fingerprinting on Mobile: How SDKs Track You Across Apps

A technical deep-dive on mobile device fingerprinting in 2026 — advertising IDs, SDK-based fingerprinting, Apple ATT workarounds, and what you can actually do about it.

#mobile fingerprinting#IDFA#GAID#ATT#SDK#technical

Quick answer

Mobile tracking in 2026 has shifted from identifier-based (IDFA on iOS, GAID on Android) to fingerprint-based (device model, OS version, carrier, timezone, installed apps, battery, accelerometer quirks). Apple's App Tracking Transparency and Google's Privacy Sandbox for Android raised the floor, but fingerprinting remains effective and widely deployed via SDKs you have never heard of, embedded in apps you use daily.

The identifier era (pre-2021)

IDFA (iOS) and GAID (Android) are device-level advertising identifiers, accessible to any app. Before ATT, any SDK could read IDFA and stitch together a user's behaviour across every app that embedded the SDK. Ad networks (Meta, Google, AppLovin, Unity, ironSource) all used this to attribute ad impressions to downstream activity.

The post-ATT landscape

April 2021: Apple's App Tracking Transparency. Apps must prompt for permission before accessing IDFA for tracking. ~75% of users decline. IDFA becomes zeros for those users. Ad networks lost a significant chunk of deterministic attribution overnight.

Google Android followed in 2023-2024 with Privacy Sandbox for Android: SDK-level runtime, ad-network collaboration APIs, advertising ID restrictions in newer Android versions.

Fingerprinting as the workaround

With identifiers gone, SDKs turned to probabilistic fingerprinting. Features typically collected:

  • Device model, OS version, build number.
  • Screen dimensions, pixel ratio.
  • Battery level and charging state (on older iOS).
  • Timezone, locale, carrier.
  • Installed apps (limited on iOS; open on older Android).
  • Accelerometer / gyroscope noise profiles.
  • Audio / graphics benchmarking quirks.
  • Network signature (IP, ASN, inferred connection type).

Combined, these produce a fingerprint unique enough to re-identify a device across app boundaries with 70-95% confidence — officially disallowed by Apple's policy, widely practised in 2026.

Apple's response

Apple has increased enforcement: app-privacy reports visible to users, rejections for apps using fingerprinting for tracking, SDK audits. But detection is imperfect; fingerprinting SDKs are disguised as "anti-fraud" or "device intelligence" and persist on the App Store.

SKAdNetwork and Privacy Sandbox

Apple's SKAdNetwork (SKAN) provides privacy-preserving attribution — the ad network learns that a conversion happened but not which user. Google's Android Privacy Sandbox aims to provide similar guarantees. Adoption is growing but covers only sanctioned flows.

What users can do

  • Decline App Tracking Transparency prompts. This does not block fingerprinting but denies the identifier channel.
  • Review app permissions — settings > privacy > location / contacts / camera / microphone / motion / local-network.
  • iOS Lockdown Mode for high-threat users.
  • On Android, use a degoogled ROM (GrapheneOS, LineageOS) if practical. Regular Android offers less.
  • Limit install surface. Every app is a potential fingerprinting source.
  • Audit app-privacy reports on iOS 16+.

Related reading

Browser fingerprinting · Data brokers · GeraCompliance — GDPR on mobile