Background:
I have an Android APP with millions of users, but some users are malicious (robots, fakes, privilege-escalated, etc.). The common solution is to detect & block those "bad" accounts controlled by hackers. But here I aim to detect & block the hardware controlled by hackers. In other words, "fingerprint" the malicious mobile phone hardware.
Objective:
I want to find a way to uniquely identify each mobile phone device (running my APP), in order to blacklist malicious mobile phones (hardware).
Challenges:
I am meeting some technical challenges in fingerprinting mobile phones. Google has strict privilege controls due to privacy concerns, especially in the new Android 10 version.
I summarize the following ways of unique identification:
Permanent IDs (such as IMEI and serial number) need the READ_PHONE_STATE permission to access. But by Android 10's design, access is forever DENIED, even with the READ_PRIVILEGED_PHONE_STATE permission, for privacy reasons.
Semi-permanent IDs (such as device ID) will change if the phone is reset or rooted. Malicious users can reset/root the phone to avoid detection. Google also provides the Advertising ID, GUID, etc.
Variable IDs (such as the MAC address) can be easily changed via malicious software by a malicious user to avoid detection.
Summary and Question:
I have read many websites on strategies for uniquely identifying mobile phone hardware in the above situations. Most strategies say:
- Need to differentiate "Android 10" and "Android 9 & below".
- From Android 10, most APPs cannot access permanent IDs (which would be the ideal solution). Hence, we need to collect as much information as possible (permanent & semi-permanent & variable IDs, etc.), and compute the probability (%) that it is the same mobile phone, even if the hacker intentionally changes some ID values.
Assume malicious users are able to change some IDs, but never change all of the IDs.
I am still looking for better solutions. Please share your ideas.
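The combined-score approach the question describes (weight every ID by how hard it is to change, skip the IDs that Android 10 hides from the app, and treat the phone as the same one when enough of the remaining IDs agree) can be written as a server-side matcher. The following is an added example in Python, not code from the original post or from any Android API; the signal weights, the threshold, the minimum-evidence cutoff and all sample fingerprints are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weights (not from the original post): how hard each signal is for
# an attacker to change, following the permanent / semi-permanent / variable
# tiers. Permanent IDs count most, variable IDs least.
SIGNAL_WEIGHTS = {
    "imei": 5.0,            # permanent; None for ordinary apps on Android 10
    "serial": 5.0,          # permanent; same restriction
    "android_id": 3.0,      # semi-permanent; changes on factory reset
    "advertising_id": 1.5,  # the user can reset it at any time
    "wifi_mac": 1.0,        # variable; randomized or spoofable
    "model": 1.0,           # shared by every unit of the model; weak alone
}

Fingerprint = dict[str, Optional[str]]


def match_score(a: Fingerprint, b: Fingerprint, min_evidence: float = 4.0) -> float:
    """Weighted fraction of comparable signals on which a and b agree, in [0, 1].

    A signal missing (None) on either side is excluded from both numerator and
    denominator, so a phone that hides IMEI/serial on Android 10 is still
    scored on what it does expose. If the comparable weight is below
    min_evidence the pair is treated as unmatched: agreeing only on a weak
    shared value such as the model name must not look like a perfect match.
    """
    agree = comparable = 0.0
    for name, weight in SIGNAL_WEIGHTS.items():
        va, vb = a.get(name), b.get(name)
        if va is None or vb is None:
            continue
        comparable += weight
        if va == vb:
            agree += weight
    if comparable < min_evidence:
        return 0.0
    return agree / comparable


@dataclass
class Verdict:
    matched_id: Optional[str]  # blacklist entry with the best score, if any
    score: float
    blocked: bool


def check_against_blacklist(candidate: Fingerprint,
                            blacklist: dict[str, Fingerprint],
                            threshold: float = 0.6) -> Verdict:
    """Compare a candidate with every blacklisted fingerprint and block when
    the best score reaches the threshold. The threshold trades false blocks
    of innocent phones of the same model against misses when the attacker
    changes most of the exposed IDs."""
    best_id, best_score = None, 0.0
    for entry_id, fp in blacklist.items():
        s = match_score(candidate, fp)
        if s > best_score:
            best_id, best_score = entry_id, s
    return Verdict(best_id, best_score, best_score >= threshold)


# Constructed sample data: one blacklisted phone and several later sightings.
BLACKLIST: dict[str, Fingerprint] = {
    "bad-phone-1": {
        "imei": "355000000000001", "serial": "SN0001",
        "android_id": "9774d56d682e549c", "advertising_id": "ad-0001",
        "wifi_mac": "02:00:00:aa:bb:01", "model": "Vendor Model X",
    },
}

# Permanent IDs readable (Android 9 and below); MAC spoofed, advertising ID reset.
SIGHTING_A9_PARTIAL_SPOOF: Fingerprint = {
    "imei": "355000000000001", "serial": "SN0001",
    "android_id": "9774d56d682e549c", "advertising_id": "ad-9999",
    "wifi_mac": "02:00:00:cc:dd:02", "model": "Vendor Model X",
}

# Android 10: IMEI and serial hidden from the app; only the MAC was spoofed.
SIGHTING_A10_MAC_ONLY: Fingerprint = {
    "imei": None, "serial": None,
    "android_id": "9774d56d682e549c", "advertising_id": "ad-0001",
    "wifi_mac": "02:00:00:cc:dd:02", "model": "Vendor Model X",
}

# Android 10 plus factory reset, advertising-ID reset and MAC spoof:
# only the model name survives, so the method has nothing left to match on.
SIGHTING_A10_FULL_RESET: Fingerprint = {
    "imei": None, "serial": None,
    "android_id": "1122334455667788", "advertising_id": "ad-7777",
    "wifi_mac": "02:00:00:ee:ff:03", "model": "Vendor Model X",
}

# A different, innocent phone of the same model.
SIGHTING_OTHER_PHONE: Fingerprint = {
    "imei": "355000000000002", "serial": "SN0002",
    "android_id": "0f0f0f0f0f0f0f0f", "advertising_id": "ad-0002",
    "wifi_mac": "02:00:00:11:22:04", "model": "Vendor Model X",
}

if __name__ == "__main__":
    for label, fp in [("A9 partial spoof", SIGHTING_A9_PARTIAL_SPOOF),
                      ("A10 MAC only", SIGHTING_A10_MAC_ONLY),
                      ("A10 full reset", SIGHTING_A10_FULL_RESET),
                      ("other phone", SIGHTING_OTHER_PHONE)]:
        print(f"{label:18} -> {check_against_blacklist(fp, BLACKLIST)}")
```

The two Android 10 sightings show the limit of the assumption that an attacker never changes all the IDs: with the permanent IDs hidden, spoofing only the MAC still leaves enough agreeing weight to block, but a factory reset combined with an advertising-ID reset and a MAC spoof leaves only the model name, and the matcher correctly refuses to block on that alone, since it would otherwise block every innocent phone of the same model.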