
I have written an Android App which uses the following methods for generating an Android Unique Device ID. I assume this ID is unique to each device, independent of the apps installed on it. I also assume the same ID can be generated on the device even if the app is uninstalled/installed several times: Is there a unique Android device ID?

Code:

    private String android_id = Secure.getString(getContext().getContentResolver(), Secure.ANDROID_ID);

Code:

    final TelephonyManager tm = (TelephonyManager) getBaseContext().getSystemService(Context.TELEPHONY_SERVICE);

    final String tmDevice, tmSerial, androidId;
    // Both TelephonyManager calls require the READ_PHONE_STATE permission.
    tmDevice = "" + tm.getDeviceId();
    tmSerial = "" + tm.getSimSerialNumber();
    androidId = "" + android.provider.Settings.Secure.getString(getContentResolver(), android.provider.Settings.Secure.ANDROID_ID);

    // Pack the three 32-bit String.hashCode() values into the two 64-bit halves of a UUID.
    UUID deviceUuid = new UUID(androidId.hashCode(), ((long)tmDevice.hashCode() << 32) | tmSerial.hashCode());
    String deviceId = deviceUuid.toString();

Are there any security vulnerabilities if this value is exposed publicly? Can GCM IDs for push notifications be generated based on these values? Can a reverse lookup be used to identify an individual? Can these be used to extract information about individuals from phone carriers?

Community
code

1 Answer


Are there any security vulnerabilities if this value is exposed publicly?

As far as I know, there are no definite risks regarding vulnerabilities in using this ANDROID_ID, but there is a flaw when using it as a unique identifier, and I found it in this link.

ANDROID_ID seems a good choice for a unique device identifier. There are downsides: First, it is not 100% reliable on releases of Android prior to 2.2 (“Froyo”). Also, there has been at least one widely-observed bug in a popular handset from a major manufacturer, where every instance has the same ANDROID_ID.

It is quite old, but there have been no updates regarding this one up until now.

 

Can GCM IDs for push notifications be generated based on these values?

GCM servers are the ones that generate the IDs being used. I don't think it would be possible to influence how the IDs are generated.

 

Can a reverse lookup be used to identify an individual? Can these be used to extract information about individuals from phone carriers?

Regarding these two questions, I do not have much knowledge about them, but I found this How reverse phone lookup link that might be helpful.

If you've ever looked at a phone number on Caller ID and wondered whose number it is, reverse phone lookup is for you. You can find out the person's name and address by using free reverse phone lookup or reverse phone directories available on the Web.

adjuremods
gerardnimo
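The UUID construction in the question can be examined off-device in plain Java: the high 64 bits carry only the 32-bit hash of ANDROID_ID, and a negative `tmSerial.hashCode()` sign-extends over the device-ID hash, so two devices that differ only in device ID can end up with the same value. This is an added example, not code from the question or the answer. Assumptions: the class name, the `buildMasked` variant and every identifier string below are constructed for illustration.

```java
import java.util.UUID;

public class DeviceUuidLayout {
    // Same construction as the question's snippet; inputs are parameters so it runs off-device.
    static UUID build(String androidId, String tmDevice, String tmSerial) {
        return new UUID(androidId.hashCode(),
                ((long) tmDevice.hashCode() << 32) | tmSerial.hashCode());
    }

    // Hypothetical variant: mask the low int so sign extension cannot overwrite the device-ID hash.
    static UUID buildMasked(String androidId, String tmDevice, String tmSerial) {
        return new UUID(androidId.hashCode(),
                ((long) tmDevice.hashCode() << 32) | (tmSerial.hashCode() & 0xFFFFFFFFL));
    }

    public static void main(String[] args) {
        // Constructed sample values, not real identifiers.
        String androidId = "0123456789abcdef";
        String deviceA = "350000000000001";
        String deviceB = "350000000000002";

        int overwritten = 0;
        int total = 1000;
        String negSerial = null;
        for (int i = 0; i < total; i++) {
            String serial = "89" + String.format("%017d", i * 987654321987L);
            UUID u = build(androidId, deviceA, serial);
            // The upper 32 bits of the low half are meant to hold deviceA.hashCode().
            if ((int) (u.getLeastSignificantBits() >>> 32) != deviceA.hashCode()) {
                overwritten++;
                if (negSerial == null) negSerial = serial;
            }
        }
        System.out.println("device-ID hash overwritten in " + overwritten + " of " + total);

        // The high half is only the sign-extended 32-bit hash of ANDROID_ID.
        UUID sample = build(androidId, deviceA, "89" + String.format("%017d", 0L));
        System.out.println("high half == androidId.hashCode(): "
                + (sample.getMostSignificantBits() == androidId.hashCode()));

        if (negSerial != null) {
            // Same ANDROID_ID and SIM serial, two different device IDs.
            System.out.println("original construction collides: "
                    + build(androidId, deviceA, negSerial).equals(build(androidId, deviceB, negSerial)));
            System.out.println("masked construction collides: "
                    + buildMasked(androidId, deviceA, negSerial).equals(buildMasked(androidId, deviceB, negSerial)));
        }
    }
}
```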