Have you ever wondered how mobile apps always seem to recognize you, even when you’ve never created an account or provided your email? That experience isn’t magic; it’s often the result of mobile app fingerprinting and other invisible tracking techniques.
For mobile app developers, AppSec leaders and enterprise mobility managers, this capability poses more than a privacy concern — it can introduce real business and compliance risk. Whether purposeful or inadvertent, fingerprinting occurs when apps combine analytics, advertising and telemetry data in ways that uniquely identify a mobile device or user and track activity and behavior.
As developers add features to personalize experiences or connect data across services, they may unintentionally expose enough signals to create a digital fingerprint that reveals user identity, behavior patterns or even location. This exposure can undermine privacy expectations, violate regulations and increase enterprise liability.
The following investigation demonstrates how easily this can happen (even in well-known apps) and why every organization building or approving mobile apps needs to understand the risks of fingerprinting.
Seemingly harmless app data points can combine to form a persistent digital fingerprint that exposes users and enterprises to privacy risk.
Testing How Apps Track You
To explore how mobile app fingerprinting and device tracking work, I selected three random apps from the Google Play Store:
- Duolingo – A popular language learning app
- Tubi – A free video streaming app
- Block Puzzle – A free mobile game from Staple Games

I installed these three applications on an Android device, configured Burp Suite to intercept network traffic and observed the data each app transmitted.
Duolingo
Immediately after launching Duolingo, I noticed an extraordinary amount of data being sent — dozens of network requests before I even tapped a single button.

Because fingerprinting in mobile apps is often subtle, I wanted to see if any of these requests could be used to build a profile or digital fingerprint. At this point, I had not logged in or entered any personal information.
The first thing I noticed was several requests containing what looked like a user ID in the URL.

Even without logging in, the app had created a unique user ID for me, likely tying all my activity to that identifier. This ID persisted after closing and relaunching the app but changed after reinstalling it.
So what is Duolingo doing with this tracking ID? It appears the app uses it mainly to track learning progress and in-app activity, as expected for a personalized experience. However, I also observed several encrypted POST requests transmitted frequently during use. The responses simply confirmed that a certain number of events had been submitted successfully.


This data could be related to app diagnostics or user analytics, but the frequency and encryption make it impossible to know exactly what’s being sent.
Tubi
When I opened Tubi, even more network traffic appeared than with Duolingo, which makes sense for a streaming platform.
Within the network traffic, I found requests containing client logs. Most seemed normal, but the headers included a JSON Web Token (JWT) with a “tubi_id” field. Just like Duolingo, Tubi had assigned me a unique user ID and tied all my app activity to it, despite no login or registration.


This ID did not persist after reinstalling the app. However, I found another identifier that did — an advertiserID. At first, I wasn’t sure whether this ID represented me, my device or the developer, so I moved on (but we’ll come back to it).

Tubi also sent requests to Branch, a popular marketing and analytics SDK. These requests included device details such as my connection type (Wi-Fi) and local IP address. While this may seem minor, even limited network information can be used in device fingerprinting and tracking.

It is unclear how Tubi is using the data, but it raises the question — why collect so much identifying information in the first place?
Block Puzzle
Next, I examined the Block Puzzle mobile game. Free mobile games are often filled with ad tracking SDKs and have a reputation for predatory monetization tactics, so I was curious what I’d find.
As expected, the game sent requests to Unity Ads, the monetization platform integrated with the Unity game engine. These requests included extensive device information such as brightness, battery level, headset use, memory and storage — all of which contribute to device fingerprinting and targeted advertising.

There were also several requests being sent to another Unity Ads endpoint that included large amounts of encoded data. While I couldn’t determine exactly what this data contained, each request also included an “idfi” value — a unique identifier assigned to my device.
This value appeared repeatedly across multiple other network requests sent by the app, further demonstrating how even without logging in or creating an account, the application had generated a persistent user identifier and was associating my activity with it. This is a clear example of mobile app fingerprinting, where seemingly harmless data points combine to create a unique digital profile that can track a user or device over time.

The game also communicated with Facebook endpoints, even though no Meta apps were installed on the device. Most of this traffic consisted of simple GET requests and encrypted POST requests.


In addition, the app sent traffic to numerous advertising and analytics SDKs, including AppLovin, AppsFlyer, Inneractive, Moloco, Google and Amazon. This shows how heavily many free apps rely on mobile ad tracking to generate revenue.
While most traffic was encrypted, I discovered several instances where the app transmitted my public IP address, which can reveal a user’s general location. That is a much bigger privacy concern than local IP logging.


The Role of Advertising IDs and Device Identifiers
While analyzing Block Puzzle, I found another request to an Amazon Advertising endpoint containing a familiar identifier — the same advertising ID I’d seen in Tubi’s traffic.

When I checked Duolingo again, I found the same ID referenced in a request to Google Ad Services. This value persisted across all apps, even after uninstalling and reinstalling them.

It turns out this identifier is your Android device’s advertising ID, a key part of mobile tracking and fingerprinting. You can find it under the “Ads” section in your Android privacy settings.

You can reset or delete this ID, which breaks the link between your past and future activity. However, this does not stop ads altogether; it simply makes it harder for advertisers to build a complete digital profile of your device.

After deleting the advertising ID, I noticed all app requests replaced the ID with zeros, confirming that apps rely heavily on this value for tracking.
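The cross-app check this section does by hand (spotting one identifier in Duolingo, Tubi and Block Puzzle traffic, and reading the tubi_id out of a JWT) can be automated over an intercepted-traffic export. The following is an added Python example, not code from the original post or from NowSecure; the request records, hostnames and UUID values are constructed for illustration.

```python
import base64
import json
import re
from collections import defaultdict

UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
JWT_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    # Constructed token with an empty signature, enough to exercise the decoder.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def extract_ids(text: str) -> set:
    """UUID-shaped values in text, including any carried inside a JWT payload."""
    found = {m.lower() for m in UUID_RE.findall(text)}
    for token in JWT_RE.findall(text):
        try:
            found |= extract_ids(json.dumps(jwt_claims(token)))
        except (ValueError, IndexError):
            pass  # looked like a JWT but did not decode; ignore it
    return found

def cross_app_identifiers(records) -> dict:
    """Identifiers seen in requests from two or more different apps."""
    seen = defaultdict(set)
    for app, _host, url, headers, body in records:
        for ident in extract_ids(" ".join([url, *headers.values(), body])):
            seen[ident].add(app)
    return {i: apps for i, apps in seen.items() if len(apps) > 1}

# Constructed records in the shape (app, host, url, headers, body); every value is made up.
AD_ID = "1b2c3d4e-5f60-4718-9a0b-c1d2e3f4a5b6"
TUBI_JWT = make_unsigned_jwt({"tubi_id": "7c8d9e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f"})
SAMPLE = [
    ("Duolingo", "api.duolingo.example", "/users/9f0e1d2c-3b4a-4596-8778-695a4b3c2d1e/progress", {}, ""),
    ("Duolingo", "adservice.google.example", "/pagead?rdid=" + AD_ID, {}, ""),
    ("Tubi", "logs.tubi.example", "/clientlog", {"Authorization": "Bearer " + TUBI_JWT}, ""),
    ("Tubi", "api.branch.example", "/v1/open", {}, json.dumps({"advertiserID": AD_ID, "local_ip": "192.168.1.23"})),
    ("Block Puzzle", "ads.amazon.example", "/e/bid", {}, json.dumps({"adid": AD_ID, "idfi": "2a3b4c5d-6e7f-4081-9293-a4b5c6d7e8f9"})),
]
```

Running `cross_app_identifiers(SAMPLE)` returns only the advertising ID, mapped to all three apps; the per-app user IDs, the idfi value and the tubi_id inside the JWT are each seen in one app and are not flagged.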

How to Limit Mobile Tracking and Fingerprinting
If you’ve made it this far, you’re probably wondering: Can I stop this tracking? Should I stop it?
That depends on how much you value your privacy. You can continue using ad-supported apps and accept that mobile fingerprinting and data collection are part of the ecosystem — or you can take steps to reduce your exposure.
Here are a few ways to limit mobile tracking:
- Reset or Delete Your Advertising ID
- On Android, go to Settings → Privacy → Ads to reset or delete your Advertising ID.
- On iPhone, disable personalized ads under Settings → Privacy & Security → Apple Advertising.
This doesn’t block ads, but it makes tracking harder.

- Use Network-Wide Ad Blockers for Stronger Protection
Browser-based ad blockers work well for websites, but they don’t affect in-app advertising. To block ads within mobile apps, consider network-wide ad blocking tools such as Pi-hole or AdGuard. These solutions filter traffic at the DNS level and prevent requests to known advertising or tracking domains.
This option requires additional hardware and setup, so it is effective but probably more effort than it is worth for anyone who isn’t already technically inclined.
As an experiment, I set up Pi-hole on a Raspberry Pi. When I reopened Block Puzzle, nearly all the previous ad network traffic — including AppLovin, Inneractive and Amazon — was blocked.

Network-level ad blocking is the most effective defense against mobile tracking and fingerprinting, though it only works on devices connected to that network. Using a VPN routed through your home network can extend these protections when you’re away from home.
Protect Your Enterprise from Inadvertent Fingerprinting Risk
As mobile apps grow more complex, combining analytics, ads and behavior-tracking tools can unintentionally create fingerprints that identify users and expose private data. Enterprise teams, from developers to AppSec and privacy reviewers, should proactively test and monitor for these risks before release.
NowSecure Privacy provides visibility into how mobile apps collect, share and transmit sensitive data. It combines static, dynamic and network testing to uncover hidden leaks, risky SDKs and unauthorized data flows, then maps the results for audit-ready reporting. Discover how integrating continuous privacy testing into DevSecOps pipelines reduces manual effort, expedites compliance and protects brand trust.