timsh's comments

timsh · 2025-02-03T08:24:04 1738571044

oops, here comes the price of a nice-looking Reddit embed. next time I’ll stick to a screenshot :) thanks!

timsh · 2025-02-03T01:01:15 1738544475

agreed, however there are duplicates in that list + same app for ios / android. if I’m not mistaking I did a simple unique count on it (or catch the 2000 number from 404media post)

timsh · 2025-02-03T00:56:15 1738544175

The “right” answer is not the one I end up with but rather the version sold by the vendor. this is what Apple and Google would say.

j16sdiz · 2025-02-03T07:24:04 1738567444

I think they are pretty clear if you read the documentation. Accessing to the exact value of these always need some privacy-related privilege on ios and android.

Without those privilege, all you can get is an approximate.

timsh · 2025-02-03T00:53:26 1738544006

this is so precise. I guess we’ll need a global version of https://datacolada.org/ quite soon to not get hit by a bus in every scientific field

timsh · 2025-02-02T23:18:47 1738538327

MAID = IDFA on ios + GAID on Android [https://www.start.io/glossary/mobile-ad-id-maid/]

fmkamchatka · 2025-02-03T06:23:31 1738563811

I think he meant MAID <> PII

timsh · 2025-02-02T19:25:36 1738524336

I decrypted them all by installing Charles SSL cert on the iphone. This is why the requests seem not SSL proxied.

wkat4242 · 2025-02-03T02:55:17 1738551317

This technique doesn't work anymore on android because you can no longer add certificates to the system store and apps are free to choose to accept the user store CAs or not. That was changed in Android 7. For "security" they say. Security of Googles business model I'm sure.

sunnybeetroot · 2025-02-02T19:29:04 1738524544

My apologies, thank you for clarifying and thank you for the brilliant article. Have updated my comment.

timsh · 2025-02-02T19:22:34 1738524154

wow @apokryptein thanks for posting my article here... I'm shocked it's #1 rn. if anyone has any questions regarding the post - I'm here to answer & talk!

pas · 2025-02-02T23:47:14 1738540034

how the MAID/IDfV gets into the PII-ID databases?

It seems that part is completely missing. (Or I missed it.)

So for example can/do airlines sell it? Or telecom/utility companies, when you use their app?

timsh · 2025-02-03T00:59:33 1738544373

I don’t know the answer to this, which is why I didn’t mention it in the post. However, I could speculate that these data-broker companies scrape leaked [hacked and stolen] data from various panels and then match records on their end. kinda OSINT for bad reasons.

forgingahead · 2025-02-03T02:48:06 1738550886

Great article, thanks for taking the time to research and write it all up! Definitely learned some new things from it.