Google is a very security-focused company from the web to even third-party platforms. On Android, this results in monthly security patches, user controlled permissions, various Play Store protections, and more. However, flaws still slip through as evident by a camera-related one on the Pixel and Pixel XL that could ‘facilitate tracking.’
According to a recent commit to the Pixel AOSP, the serial number for the HTC-made front facing camera sensor changes between different devices. This form of identification could allow third-party apps to track individual devices, thus presenting an obvious security and privacy flaw for users.
Camera sensor’s serial number, stored in system property htc.camera.sensor.front_SN, appears to change between different devices and could thus facilitate tracking.
Fortunately, this issue has already been patched up, with Google issuing a fix internally just yesterday: “Restrict access to camera sensor’s serial number”
This commit restricts access to this system property to cameraserver and dumpstate and shell SELinux domains.
Test: Camera works, serial number property still available via ADB, but not readable by apps.
The patch restricts access to the serial number for various parts of the system and prevents other apps from accessing it. A test demonstrates that the patch works, with the camera continuing to function as normal.
With the January security patch scheduled for this upcoming Tuesday, it’s more than likely that this fix will be included then. We’ve reached out to Google for confirmation and will update when we receive word.