Technical Report: On the Effectiveness of Fingerprinting Mobile Devices

Thomas Hupperich, Marc Kührer, Thorsten Holz, Giorgio Giacinto

TR-HGI-2015-002, Ruhr-Uni­ver­si­tät Bo­chum, Horst Görtz In­sti­tut für IT-Si­cher­heit (HGI), December 2015


Client fingerprinting techniques enhance classical cookie-based user tracking to increase the robustness of tracking techniques, e.g., in cases where a user regularly deletes cookies. A unique identifier is created based on characteristic attributes of the client device and then used for deployment of personalized advertisements or similar use cases. Whereas fingerprinting performs well for highly customized devices (especially desktop computers), these methods often lack in precision for highly standardized devices like mobile phones and tablets.

In this work, we show that widely used techniques do not perform well for mobile devices yet, but that it is possible to build a fingerprinting system for precise recognition and identification. We evaluate our proposed system in an online study and verify its robustness against misclassification. Fingerprinting of web clients is often seen as an offence to web users’ privacy as it usually takes place without the users’ knowledge, awareness, and consent. Thus, we also analyze whether it is possible to outrun fingerprinting of mobile devices. We investigate different scenarios in which users are able to circumvent a fingerprinting system and evade our newly created methods.