0

I've an android app available on google play with around 5k daily users.
I'm having a weird error related to firebase auth, it is something not common so please read carefully before jumping into conclusions:

I use Android_ID as user identifier for the users of my app Settings.Secure.getString(getContentResolver(), Settings.Secure.ANDROID_ID)

I do know it is not the best idea, but it fits my requirements because it is unique, everyphone has one and it is impossible to change (i supose). So i use it to authenticate my users in firebase this way i can write firebase rules that block users from seeing data of other users based on their ANDROID_ID

BUT SOME USERS ARE GETTING ACCESS DENIED WHEN TRYING TO READ THEIR OWN DATA...

That looks super weird and the first idea is that there is a bug in my code, but after debugging a lot i couldn't find any error so i started loging the requests

and my logs showed something like this

D/CrashlyticsCore check firebase access denied: device_id: e4c511c3-8ed7-3430-b3b0-e16d56acd2ad auth: da190696-e4bc-32f9-b229-eb24631a39fc

this message is saying that the user was authenticated with: da190696... but know its id value is: e4c511c3...

I also noticed that the deny of access usually happens after app was minimized

so the question is: are there any explanation for this? is it possible to user change the device_id on an unrooted device? is it possible somehow it is been randomized by android?

Rafael Lima
  • 3,079
  • 3
  • 41
  • 105

2 Answers2

1

You shouldn't use Settings.Secure.ANDROID_ID for this. Read this for more information. The value can change in a variety of circumstances.

You also said that "i can write firebase rules that block users from seeing data of other users based on their ANDROID_ID". This can't possibly be secure, as the client has no obligation to provide the intended value to Firebase. Someone could compromise your app or the device to send any value that they want.

If you need to securely identify a user, use the Firebase Authentication UID for this. It is guaranteed to be unique and never change for that user. It can also be used across the user's devices.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • One of my requirements is to NOT have a signup flow, so i do need to track users "ownership" without knowing very much about the user... my solution is far from the best at the security perspective... but this dont answer my question how is this value changing in a non rooted device during runtime... Other ID i though about using was IMEI, but android shows a very scary message to users when we ask to read the imei – Rafael Lima May 13 '19 at 03:45
  • Then use anonymous accounts with Firebase Authentication. No UI is needed to create an anonymous account. You just won't be able to share these accounts across devices until the user decides to sign in. These accounts will not survive device reset or app uninstall, but at least they are reliable for writing security rules. – Doug Stevenson May 13 '19 at 03:46
  • The question of whether or not ANDROID_ID can change is answered in the link I provided. The answer is yes. – Doug Stevenson May 13 '19 at 03:47
  • thanks for your suggestion but i'm still missing something... all the sources say it will change on factory reset or some rooted devices... i'm getting those changes in non rooted devices without any reset (while the app is running). I've used anonymous auth from firebase but i must keep uid after app unninstall and it doesn't allow me – Rafael Lima May 13 '19 at 21:52
  • It sounds like you're trying to satisfy a list of overly-strict requirements. Apps can't leave residual data on a device. That's generally considered a security problem. The user needs to have some assurance that they can fully remove an app and all its data. – Doug Stevenson May 13 '19 at 21:59
  • is not a list of "overly-strict requirements" is just two simple requirements: i dont want to create a sign-up flow... uid must not change even on app unninstall... – Rafael Lima May 13 '19 at 22:10
  • Yes, simple. But still strict. What you're asking is for a way for your app to bypass the normal security restrictions provided by modern mobile devices. If you loosen the requirements, this is very doable. – Doug Stevenson May 13 '19 at 22:28
  • @DougStevenson , I have one doubt , please help me on that, How to get the unique ID of the user which can not change even wipe out data from the device, I heard about the "Advertisement ID", is it solve my problem, Please help me on it. Thanks – Ravindra Kushwaha Oct 21 '20 at 06:42
1

To specifically answer the can user change the ANDROID_ID on an unrooted device? question:

On devices running with Android API level lower than 8.0, there's a single ANDROID_ID per user. It can be changed using: 

# assuming we want to change user 0's ANDROID_ID
$ adb shell settings get --user 0 secure android_id
77aac9d1f119cb8f  
$ adb shell settings put --user 0 secure android_id aaaaaaaabbbbbbbb
$ adb shell settings get --user 0 secure android_id
aaaaaaaabbbbbbbb

We can use the same technique to change the ANDROID_ID on Android 8.0 (and later) devices, however there it can be seen only by system processes.

Alex Lipov
  • 13,503
  • 5
  • 64
  • 87
  • This only works in adb shell. it really changes the android_id but when you try to fetch this via code it does not return the android_id which we set via command above but it returns the default android_id – Qadir Hussain May 28 '23 at 18:32
  • @QadirHussain Have you noticed the Android 8.0 caveat? – Alex Lipov May 29 '23 at 06:36
  • I tried these commands on Android naugat emulator and it worked. previously I was trying the these commands on Emulator with Android 13 which looks like doesn't have root access (rooted device). – Qadir Hussain May 29 '23 at 08:04