Have you ever had this experience: you searched for a pair of Crocs in a social media app one day, and the next day you saw a recommendation for the same shoes in a completely unrelated shopping app...


You start to panic, trying to recall whether you ever mentioned this pair of shoes in the second app.

After confirming that there is no such thing, you start to guess: either "these two companies must have secretly transferred my data back and forth", or "that's it, the phone microphone is eavesdropping on me".

Both of these are fairly far-fetched, especially microphone eavesdropping, which would be easy to expose just by capturing packets. But considering how low the bar is for Internet companies nowadays, Shichao does not dare to vouch for them.

But what I want to talk about today is that advertisers actually have a more covert and safer way to push a pair of Crocs to you across apps:

It just requires the app to recognize "your phone".

For example, if a phone searches for Crocs in software A, that preference is recorded against the device.

Switch to software B, which recognizes the same device again, and it can keep pushing that preference. It recognizes the machine; it doesn’t need to know your name or who you are.

The question then arises, how do advertisers record this information, and how does this information slip out?

Recently, Shichao discovered an app developed by a security team: Loupe.

It has only one function, which is to tell users: How much data can the mobile app obtain about you? What will be exposed for every additional permission you "allow"?

Anyway, after using this app, Shichao really didn’t dare to give permissions randomly. It really taught me a lesson.


For example, when I first opened Loupe, before I had granted it any permissions, it already gave me a shock.

It knows I set the phone's region to Singapore, and that the keyboard uses a mixture of Chinese and English. The machine was activated in September 2023. Since that day, I have copied things 29,034 times. The last time I turned it on was 8 days, 3 hours and 44 minutes ago.

It even built a profile of me. Knowing that I had installed Steam and Discord, it judged that I was probably a gamer. It also saw that I had installed GitHub and Slack, so it guessed that I work in the technology industry.


The above is only displayed on the App side. If you view more detailed reports, you will find that it knows more.

For example, it knows that my iPhone 15 Pro has 105G of storage space left. It is currently in dark mode, the screen brightness is more than half, the battery is at 60%, and the charger is not plugged in. It has dual SIM cards on dual standby, and both SIM cards are on 5G. It even knows how the phone is tilted and which direction it is facing at this moment.


You may still think: so what if these bits and pieces are known? Can they really pin us down?

Not really.

But combined, they become the unique feature of this iPhone, which is the device fingerprint. This is enough for advertisers to distinguish your iPhone from other phones.
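How the "bits and pieces" add up, as an added example that is not code from Loupe or from the original article: it measures how many phones in a constructed population of 420 still match after each attribute is observed, then derives a stable fingerprint from the combination. The field names, the value lists and the uniform distribution are assumptions made for illustration.

```python
import hashlib
import math

# Constructed population of 420 phones. Field names and values are
# illustrative assumptions, not a real SDK schema or Loupe's report format.
REGIONS = ["SG", "CN", "US", "DE"]
KEYBOARDS = ["zh+en", "en", "zh"]
FREE_GB = [32, 64, 105, 200, 400]
BOOT_DAYS_AGO = [0, 1, 2, 3, 5, 8, 13]

def make_population(n=420):
    return [{"region": REGIONS[i % 4], "keyboards": KEYBOARDS[i % 3],
             "free_gb": FREE_GB[i % 5], "boot_days_ago": BOOT_DAYS_AGO[i % 7]}
            for i in range(n)]

def narrowing(population, target, fields):
    """Anonymity-set size after each successive attribute is observed."""
    remaining, sizes = population, []
    for f in fields:
        remaining = [d for d in remaining if d[f] == target[f]]
        sizes.append(len(remaining))
    return sizes

def identifying_bits(population, target, field):
    """Surprisal of one attribute value: log2(N / devices sharing it)."""
    share = sum(1 for d in population if d[field] == target[field])
    return math.log2(len(population) / share)

def fingerprint(device):
    """Stable ID from sorted key=value pairs: any code that sees the same
    attributes derives the same value, whichever app it is running in."""
    canon = "|".join(f"{k}={device[k]}" for k in sorted(device))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

if __name__ == "__main__":
    pop = make_population()
    me = pop[12]  # constructed target: SG, zh+en, 105 GB free, booted 8 days ago
    fields = ["region", "keyboards", "free_gb", "boot_days_ago"]
    for f, size in zip(fields, narrowing(pop, me, fields)):
        bits = identifying_bits(pop, me, f)
        print(f"{f:14} {bits:.2f} bits -> {size} phones still match")
    print("fingerprint:", fingerprint(me))
```

No single attribute narrows the set below 60 phones, yet the four together leave exactly one, and none of them requires a permission prompt or the IDFA.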

And this is only the information Loupe sees through public APIs:

If I give Loupe access to photo albums, location, etc. like other apps, what information will it know?


Shichao tried to give permission to the photo album.

Soon Loupe told me that of the 1,119 videos and 9,371 pictures in my library, 3,033 of them had geographical locations, and listed which places I visited the most.


Don’t be fooled by the fact that the app is only accurate to “Yuhang District”; that is just for Loupe's convenience of display.

You need to know that the EXIF information in a photo contains longitude and latitude accurate to about ten meters. An app can roughly guess the neighborhood where I live and where I work by analyzing how often and at what times each location occurs. And a small eighteenth-tier county town that pops up occasionally during holidays has a high probability of being my hometown.

Shichao now understands a little better: there are some apps to which I clearly never gave location permission, yet they can always push nearby activities and gossip. Could it be that I gave them permission for the entire photo album just to save trouble?

Shichao recommends that you set all apps to use the system photo picker, which pops up for you to select a few photos to authorize. In that case, iOS will not send the photo location to the app by default.
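The kind of analysis described above can be run as a self-audit on an export of your own photo metadata. The following is an added example, not code from Loupe or the original article: it groups constructed (latitude, longitude, capture time) records into roughly 100 m cells, picks the cell seen most at night and the one seen most in weekday working hours, and then shows that the same analysis returns nothing once location is withheld. The time-slot boundaries and all coordinates are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed (lat, lon, capture time) records standing in for the EXIF data
# of photos in a fully shared library. All coordinates are made up.
PHOTOS = [
    (10.00012, 20.00031, "2024-03-04 22:15"),
    (10.00020, 20.00010, "2024-03-05 23:40"),
    (10.00031, 20.00022, "2024-03-09 06:30"),
    (10.00008, 20.00040, "2024-03-10 21:05"),
    (10.05011, 20.08020, "2024-03-04 12:10"),
    (10.05023, 20.08012, "2024-03-05 15:45"),
    (10.05017, 20.08031, "2024-03-06 10:20"),
    (12.30010, 21.70020, "2024-02-10 14:00"),
]

def time_slot(ts):
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    if t.weekday() < 5 and 9 <= t.hour < 18:
        return "work_hours"
    if t.hour >= 20 or t.hour < 7:
        return "night"
    return "other"

def profile(photos):
    """Count photos per ~100 m grid cell and time slot; skip photos without GPS."""
    cells = defaultdict(Counter)
    for lat, lon, ts in photos:
        if lat is None or lon is None:
            continue
        cells[(round(lat, 3), round(lon, 3))][time_slot(ts)] += 1
    return cells

def likely_place(cells, slot):
    """Cell with the most photos in the given slot, or None if there is none."""
    best = max(cells.items(), key=lambda kv: kv[1][slot], default=None)
    return best[0] if best and best[1][slot] else None

def without_location(photos):
    """Same photos with GPS withheld, as when location is not passed to the app."""
    return [(None, None, ts) for _, _, ts in photos]

if __name__ == "__main__":
    full = profile(PHOTOS)
    print("night cell:     ", likely_place(full, "night"))
    print("work-hours cell:", likely_place(full, "work_hours"))
    print("GPS withheld:   ", likely_place(profile(without_location(PHOTOS)), "night"))
```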


By the way, when those pop-ups ask whether you want to enable all permissions for “convenience”, remember to choose the option to maintain the status quo.


Next, Shichao granted Loupe the local network permission to see what it could get.

To be honest, who would think twice about this permission? Isn't it just for connecting to a printer or casting to a screen?

But after I clicked Allow, all my colleagues’ computers in the LAN, HP laser printers, and two GreenLink NAS were all displayed.


Of course, it is reasonable for this permission to be able to see all surrounding devices, otherwise the device would not be found.

It's just that I don't understand. Shouldn't this permission pop up when I need to cast the screen?

Why do so many apps reach out and ask you for something after you just open it?


Shichao will not go into detail about the following location, Bluetooth, and calendar permissions. You can take a look at the information on the screenshot.

In short, every time you click "Allow", the App will learn more about you, and your device fingerprint will be clearer and more diverse.


So how does software B know my fingerprints and preferences calculated in software A?

The answer is advertisers.

Many apps do not build their own advertising systems, but instead connect to a ready-made advertising SDK. The opening-screen advertisements and advertisements in the information flow that you see in the app are all obtained by this code from the advertising platform and then displayed to you.

At the same time, the SDK transmits the characteristics of your phone back to the advertising platform.

In this way, the advertising platform learns your taste from software A, and software B, C, and D all know about it.


Ordinarily, if the SDK wants to recognize your phone, it shouldn't be so troublesome.

Apple originally issued a proper identifier called IDFV, which means "several apps owned by the same company share the same number." So if you install several apps from the same company, they will recognize you as the same person without any effort at all.

But across companies, IDFV no longer works, and IDFA comes into play. IDFA is one number per phone, shared by all apps. It is specially designed to help the advertising industry identify people across apps.

But the problem came again.

In 2021, Apple launched App Tracking Transparency (ATT), putting the IDFA switch back into the hands of users. If an app wants to use it, a pop-up window has to ask you first. If you tap "Ask App Not to Track", the number is zeroed out on the spot.


So in the end, advertisers can only take matters into their own hands and use this device fingerprinting strategy.

So is this tactic actually being used secretly by apps?

There really is.

Loupe's developer team is called Mysk. They have previously captured packets from Facebook, Instagram, Threads, Chrome, and Spotify. It turned out that although these apps promised "I will read this information, but it will never be shared outside" in Apple's privacy list, they actually secretly sent out the boot time of the user's phone.

Come on, what do you want the boot time for? Could it be a taste even more niche than Walmart plastic bags and armed helicopters...

In fact, there is only one truth, which is to piece together the device fingerprint.


Similar things have happened in the Android camp.

In 2025, the Google research team published a paper in which they examined 180,000 Android apps and 220,000 SDKs. They found that 39.4% of the popular apps in the app store were equipped with SDKs that collect device fingerprints. In the dating and comics categories, the numbers soar to 82% and 88%.

OK, that’s the introduction to this app.

Currently, Loupe is completely free and open source. I think iPhone users can try it next (Android users may have to wait).

Of course, after trying it, there is no need to see enemies everywhere.

After all, advertisers want to guess what you like to watch and what you want to buy. In addition to device fingerprints, there are also lookalike audiences, account linking, and collaborative filtering. There are many ways.

I think the biggest value of Loupe is that it lets you know which of your data is exposed and under what circumstances, so that you can improve your security awareness and be more careful.