I have an Android application with millions of users, but some users are malicious users (robots, fakes, etc.).
I want to find a way to uniquely identify each mobile phone device, so that I can blacklist malicious mobile phones (hardware).
Google has strict privilege controls due to privacy issues, especially in the new Android 10.
I summarize the following forms of unique identification:
Permanent IDs (such as IMEI, serial number) require the READ_PHONE_STATE permission. But since Android 10, access is forever DENIED, even with the READ_PRIVILEGED_PHONE_STATE permission, for privacy reasons.
Semi-permanent IDs (such as the device identifier) will change if the phone is reset or rooted. Malicious users can reset / root the phone to avoid being detected. Google also provides the Advertising ID, GUID, etc.
Variable IDs (such as the MAC address) can easily be changed through malicious software by a malicious user to avoid detection.
Summary and question:
I have read many websites about strategies for uniquely identifying mobile phone hardware in the situations above. Most strategies say:
- It is necessary to differentiate "Android 10" and "Android 9 and lower versions".
- You need to collect as much information as possible (permanent, semi-permanent and variable identifiers) and calculate the probability (%) that two observations come from the same mobile phone. Assume that malicious users can change some IDs, but they do NOT always change all IDs.
I am still looking for better solutions. Please share your ideas.
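The second strategy (collect several identifiers, weight them by how hard they are to change, and compute how likely two observations are the same phone) can be written as a small backend-side scoring routine. The following is an added example, not code from the question or from any Google API: the signal names, the weights, the API-level cut-off handling for Android 10 (API level 29, where the permanent IDs are no longer readable) and the decision thresholds are all assumptions, and the sample profiles are constructed values.

```python
"""Weighted device-identity matching for abuse blacklisting.

Added example (assumed signal names, weights and thresholds), not from the question.
"""
from typing import Dict, Optional, Tuple

# Android 10 is API level 29: from here on the app cannot read IMEI / serial.
ANDROID_10_SDK = 29

# Assumed weights: roughly how hard each signal is for an attacker to change.
# Permanent: needs READ_PHONE_STATE, unavailable on Android 10+.
PERMANENT = {"imei": 0.40, "serial": 0.30}
# Semi-permanent: survive reinstall, cleared by factory reset / root.
SEMI_PERMANENT = {"android_id": 0.15, "advertising_id": 0.05, "install_guid": 0.05}
# Variable: trivially spoofed, so it carries almost no weight on its own.
VARIABLE = {"mac": 0.05}
SIGNAL_WEIGHTS = {**PERMANENT, **SEMI_PERMANENT, **VARIABLE}


def build_profile(raw: Dict[str, str], sdk_int: int) -> Dict[str, str]:
    """Keep only the signals the app could legitimately hold on this Android version."""
    profile = {k: v for k, v in raw.items() if k in SIGNAL_WEIGHTS and v}
    if sdk_int >= ANDROID_10_SDK:
        # Android 10+: permanent identifiers are denied, so never trust a value here.
        for key in PERMANENT:
            profile.pop(key, None)
    return profile


def match_score(known: Dict[str, str], candidate: Dict[str, str]) -> Tuple[Optional[float], float]:
    """Return (fraction of comparable weight that matched, comparable weight).

    Only signals present in BOTH profiles are compared, so a missing IMEI on
    Android 10 neither helps nor hurts; the second value says how much evidence
    was actually available, which the caller must check before trusting the score.
    """
    total = matched = 0.0
    for signal, weight in SIGNAL_WEIGHTS.items():
        a, b = known.get(signal), candidate.get(signal)
        if a is None or b is None:
            continue
        total += weight
        if a == b:
            matched += weight
    if total == 0.0:
        return None, 0.0
    return matched / total, total


def is_same_device(known: Dict[str, str], candidate: Dict[str, str],
                   threshold: float = 0.6, min_evidence: float = 0.2) -> bool:
    """Flag a match only when enough weight was comparable AND most of it agreed."""
    score, evidence = match_score(known, candidate)
    return score is not None and evidence >= min_evidence and score >= threshold


if __name__ == "__main__":
    # Constructed sample: a blacklisted Android 9 phone, seen again after a factory
    # reset (semi-permanent IDs changed) and a MAC spoof (variable ID changed).
    blacklisted = build_profile({"imei": "IMEI-1", "serial": "SN-1", "android_id": "AID-1",
                                 "advertising_id": "ADV-1", "install_guid": "G-1",
                                 "mac": "MAC-1"}, sdk_int=28)
    seen_again = build_profile({"imei": "IMEI-1", "serial": "SN-1", "android_id": "AID-2",
                                "advertising_id": "ADV-2", "install_guid": "G-2",
                                "mac": "MAC-2"}, sdk_int=28)
    print("Android 9, after reset + MAC spoof:", match_score(blacklisted, seen_again),
          "same device:", is_same_device(blacklisted, seen_again))
```

Usage note: the two numbers returned by `match_score` are deliberately separate. On Android 10 only the semi-permanent and variable signals are comparable, so a candidate that matches on `android_id`, `advertising_id` and `install_guid` but not on `mac` scores 0.25 / 0.30, which is a strong match on the evidence available; a pair that agrees only on a MAC address scores 1.0 but with 0.05 of comparable weight, which the `min_evidence` check rejects rather than blacklisting a device on a spoofable signal alone.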