Fingerprinting SDKs for Mobile Apps and Where to Find Them: Understanding the Market for Device Fingerprinting

📅 2025-06-27
🤖 AI Summary
This study systematically investigates device fingerprinting behaviors by third-party SDKs in mobile application ecosystems and their associated privacy risks. We develop a large-scale static analysis framework to examine over 228,000 Maven-hosted SDKs and 178,000 Android apps, detecting exfiltration of more than 500 individual signals. Contrary to prevailing assumptions, advertising SDKs account for only 30.56% of observed fingerprinting activities, whereas 23.92% originate from SDKs whose purpose is unknown or unclear, which challenges the dominant regulatory paradigm focused solely on ad SDKs. We further conduct the first market-category-based characterization of SDK fingerprinting distribution and show why enforcement is difficult: the signals and APIs used by likely fingerprinting SDKs are sparsely distributed, with only 2% of exfiltrated APIs used by more than 75% of SDKs, so user permissions are hard to rely on for controlling such tracking. Our findings provide empirical foundations and methodological support for developing cross-SDK, cross-scenario regulatory frameworks targeting device fingerprinting.

📝 Abstract
This paper presents a large-scale analysis of fingerprinting-like behavior in the mobile application ecosystem. We take a market-based approach, focusing on third-party tracking as enabled by applications' common use of third-party SDKs. Our dataset consists of over 228,000 SDKs from popular Maven repositories, 178,000 Android applications collected from the Google Play store, and our static analysis pipeline detects exfiltration of over 500 individual signals. To the best of our knowledge, this represents the largest-scale analysis of SDK behavior undertaken to date. We find that Ads SDKs (the ostensible focus of industry efforts such as Apple's App Tracking Transparency and Google's Privacy Sandbox) appear to be the source of only 30.56% of the fingerprinting behaviors. A surprising 23.92% originate from SDKs whose purpose was unknown or unclear. Furthermore, Security and Authentication SDKs are linked to only 11.7% of likely fingerprinting instances. These results suggest that addressing fingerprinting solely in specific market-segment contexts like advertising may offer incomplete benefit. Enforcing anti-fingerprinting policies is also complex, as we observe a sparse distribution of signals and APIs used by likely fingerprinting SDKs. For instance, only 2% of exfiltrated APIs are used by more than 75% of SDKs, making it difficult to rely on user permissions to control fingerprinting behavior.

Problem

Research questions and friction points this paper is trying to address.

Analyzing fingerprinting behavior in mobile apps via SDKs
Identifying sources of fingerprinting beyond advertising SDKs
Challenges in enforcing anti-fingerprinting policies effectively

Innovation

Methods, ideas, or system contributions that make the work stand out.

Large-scale analysis of SDK fingerprinting behavior
Static analysis pipeline detects signal exfiltration
Market-based approach focusing on third-party tracking