Fingerprinting System Application Series · Special Edition | Device Fingerprinting and Cross-App Tracking: From Fried Chicken Ads to Algorithm Recommendations
In the browser fingerprinting application series, we’ve been discussing an identification technology exclusive to web environments. But the story of device fingerprinting far transcends browser boundaries. When we talk about browser fingerprinting, we’re actually discussing a subset within a much larger device fingerprinting ecosystem. And within this ecosystem, a much larger-scale tracking and identification is happening, crossing applications, systems, and even physical spaces.
This time, let’s start with the most everyday scenario: why did Instagram recommend me the fried chicken I ordered at noon?
A “Perfect Coincidence”
The Mysterious Experience from a Week Ago
A friend recommended me a food delivery app. The software’s name starts with R, and its download count across various app stores has exceeded tens of millions. I downloaded it, spent five minutes registering, and then ordered fried chicken. The order was confirmed, and I closed the app.
That afternoon, I opened Instagram. As usual, I started scrolling through posts. Suddenly, an ad appeared.
This wasn’t an ordinary ad. It was promoting the exact food delivery app I’d ordered from at noon, with the same brand of fried chicken meal—and I could confirm it was exactly the item from my order.
My first reaction was: coincidence.
But a week later, when someone at my place downloaded that food delivery app through my referral link and ordered a donut the next day, Instagram recommended me an ad for the same donut brand.
That wasn’t a coincidence.
The key questions started appearing: I never searched for anything other than fried chicken and donuts on the delivery app; I never mentioned these two words on any social media; I never even liked or posted anything food-related on Instagram.
But how did Meta know?
The Dual Mechanism of Data Tracking
Core Concepts: Device Fingerprinting and Data Sharing
To understand how all this happens, we need to understand two concepts that seem unrelated but actually work closely together.
The First Concept: Advertising Digital Identifiers
Almost every smartphone comes with a unique advertising identifier from the factory. On iOS, this is called IDFA (Identifier For Advertisers); on Android, it’s called GAID (Google Advertising ID).
| Platform | Identifier | Purpose | Feature |
|---|---|---|---|
| iOS | IDFA | Track in-app behavior | Users can disable in settings |
| Android | GAID | Track in-app behavior | Users can reset in settings |
| Cross-Platform | Device Fingerprint | Cross-app tracking | Nearly impossible for users to discover |
The purpose of these identifiers is clear: to let advertisers track your behavior across different apps without knowing your real identity.
But here’s the key: Meta doesn’t seem to primarily rely on these system-level identifiers. If it used IDFA or GAID, both iOS and Android would show users a popup asking “This app wants to track you.”
However, I’ve never seen such a popup from that food delivery app starting with R.
After some investigation, I found that the real tracking mechanism runs through an invisible data pipeline.
When the food delivery app integrated the Facebook SDK (Software Development Kit), it gained the ability to automatically transmit data to Meta’s servers. Every time you place an order in the app, the SDK triggers an event called fb_mobile_purchase.
What does this event contain?
The Content of fb_mobile_purchase Event
fb_mobile_purchase Event Content
├─ Event Type: purchase
├─ Item Purchased: Fried chicken, donuts
├─ Amount: ¥29.9
├─ Timestamp: 2024-10-30 12:30:00
├─ Device Identifier: [Some unique device identifier]
└─ Other contextual information: ...
This data is automatically uploaded to Meta. The food delivery company might call it “optimizing ad experience,” while Meta calls it “business data integration.”
The critical point is: this process happens in the background, completely without explicit user authorization.
The Invisible Tracking System
Device Fingerprints, Not User Identity
There’s an important conceptual shift here that needs to be understood.
Meta doesn’t actually need to know who you are. It may not even care about your real identity. What Meta really needs is to identify your device.
When the food delivery app uploads a purchase event to Meta, it includes a device identifier. This identifier might come from:
- The device’s MAC address (the physical address of the network adapter)
- A combination of IP address and network characteristics
- A combination of device hardware parameters (screen resolution, model, OS version, etc.)
- A hash of the installed apps list
- Other operating system-level unique identifiers
Through this information, Meta creates a device-level profile. This profile might record:
- This device purchased fried chicken on the food delivery app
- This device visited a certain e-commerce site at some time
- This device spent 30 minutes on TikTok
- The user of this device likely lives within Beijing’s 5th Ring Road
- This device recently followed lifestyle-related content
When the user of this device opens Instagram, Meta already has all this information. What the algorithm does is decide what ads to push to this device based on this profile.
Key Discovery: Meta isn’t tracking you as a person, but tracking your device. This distinction is crucial because it bypasses many privacy protection mechanisms.
Why System Permissions Become Useless
I once disabled “Allow apps to request tracking” in my iPhone settings. This is a privacy protection feature Apple introduced in iOS, originally intended to prevent apps from tracking your IDFA.
But precise ads still appeared.
What does this tell us?
It tells us that Meta doesn’t primarily rely on IDFA to track me. Even after I disabled this permission, Meta still obtained sufficient device information through other channels.
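The point above can be made concrete with a small model of a fingerprint built only from device attributes. This is an added example, not code from Meta, the Facebook SDK, or Echoscan; the attribute names, the sample device record, and the hashing scheme are all assumptions chosen for illustration.

```python
import hashlib

# Constructed device record; attribute names are hypothetical.
DEVICE = {
    "ad_id": "constructed-ad-id-0001",
    "ad_tracking_allowed": True,
    "model": "ExamplePhone 12",
    "os_version": "17.0",
    "screen": "1170x2532",
    "timezone": "Asia/Shanghai",
    "locale": "zh-CN",
}

# Attributes a fingerprint can draw on without touching the advertising ID.
FINGERPRINT_KEYS = ("model", "os_version", "screen", "timezone", "locale")

def fingerprint(device, keys=FINGERPRINT_KEYS):
    """Hash a canonical, ordered rendering of the chosen attributes."""
    canonical = "|".join(f"{k}={device.get(k, '')}" for k in sorted(keys))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]

def changed_after(device, **changes):
    """Return True if applying `changes` alters the fingerprint."""
    return fingerprint({**device, **changes}) != fingerprint(device)

def audit(device):
    """Report which user-visible actions actually change the fingerprint."""
    return {
        "reset_ad_id": changed_after(device, ad_id="constructed-ad-id-0002"),
        "disable_ad_tracking": changed_after(
            device, ad_id=None, ad_tracking_allowed=False),
        "os_update": changed_after(device, os_version="17.1"),
        "change_timezone": changed_after(device, timezone="Europe/Berlin"),
    }

if __name__ == "__main__":
    for action, changed in audit(DEVICE).items():
        print(f"{action:20} fingerprint changed: {changed}")
```

Resetting or disabling the advertising ID leaves the hash untouched because the ID was never an input, while an OS update or a timezone change does alter it, which is why a real system would have to tolerate drift in individual attributes.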
Shared Friends, Shared Profiles
Why My Roommate’s Donut Ad Appeared in My Feed
Now we can explain that strange phenomenon.
My roommate downloaded the food delivery app through my referral link and ordered a donut on his device. The app uploaded this purchase event to Meta, including the device fingerprint of my roommate’s device.
But this doesn’t fully explain why I saw the donut ad.
What’s the key information?
Network characteristics.
My roommate and I live under the same roof. We likely share the same WiFi network, at least during certain periods. This means:
- Our public IP addresses might be the same or similar
- Our network access time patterns likely overlap
- We have internet traffic on the same local network
Meta’s device fingerprinting system has the ability to identify “multiple devices active on the same network.” It can establish associations like:
Device A (my phone) and Device B (my roommate’s phone) frequently access Meta’s services at the same time, from the same public IP.
This suggests they likely belong to the same household or office location.
Therefore, when recommending ads, we can use Device B’s interest data to influence Device A’s recommendations.
This is why I see ads for products I never interacted with at all—because my roommate interacted with them, and Meta determined we’re in the same physical location.
This isn’t just personalized recommendations; it’s group-based recommendations based on shared physical space.
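The household inference described above, worked through on a constructed access log. This is an added example that models the reasoning in the text, not Meta's actual system; the log entries, the one-hour bucketing, and the `min_days` threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed access log: (device, public IP, timestamp). The IPs come from
# documentation-only ranges and do not belong to real hosts.
LOG = [
    ("device_A", "203.0.113.7", "2024-10-30 12:31"),
    ("device_B", "203.0.113.7", "2024-10-30 12:40"),
    ("device_A", "203.0.113.7", "2024-10-31 21:05"),
    ("device_B", "203.0.113.7", "2024-10-31 21:20"),
    ("device_C", "203.0.113.7", "2024-10-31 03:00"),   # same IP, different hour
    ("device_A", "198.51.100.9", "2024-11-01 09:00"),  # public Wi-Fi
    ("device_D", "198.51.100.9", "2024-11-01 09:10"),  # stranger, one-off overlap
]
INTERESTS = {
    "device_A": {"fried chicken"},
    "device_B": {"donuts"},
    "device_D": {"sneakers"},
}

def co_presence(log):
    """Count, per device pair, the distinct days both used one IP in the same hour."""
    buckets = defaultdict(set)
    for device, ip, ts in log:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        buckets[(ip, t.date(), t.hour)].add(device)  # coarse one-hour bucket
    days = defaultdict(set)
    for (_ip, day, _hour), devices in buckets.items():
        for pair in combinations(sorted(devices), 2):
            days[pair].add(day)
    return {pair: len(d) for pair, d in days.items()}

def household_links(log, min_days=2):
    """Keep pairs seen together on at least `min_days` days (hypothetical threshold)."""
    return {pair for pair, n in co_presence(log).items() if n >= min_days}

def ad_interests(device, log, interests):
    """Own interests plus those of every device linked to this one."""
    result = set(interests.get(device, set()))
    for a, b in household_links(log):
        if device in (a, b):
            result |= interests.get(b if device == a else a, set())
    return result
```

With this log, `ad_interests("device_A", LOG, INTERESTS)` contains both fried chicken and donuts, while the single overlap with `device_D` on public Wi-Fi stays below the threshold and links nothing.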
The True Face of Data Flow
The Complete Journey of a Message
Let’s trace the complete journey of data from “I ordered fried chicken” to “I received an ad.”
Stage 1: Purchase Event Occurs
I place an order in the food delivery app → The app triggers fb_mobile_purchase event
│
├─ Event Content
│ ├─ Item: Fried chicken
│ ├─ Amount: ¥29.9
│ ├─ Timestamp: 2024-10-30 12:30:00
│ └─ Device Characteristics (device fingerprint)
│
└─ Send to: Meta's data servers
Stage 2: Data Aggregation
Meta's servers receive the event
│
├─ Key Steps
│ ├─ Identify device: This is my iPhone (device fingerprint match)
│ ├─ Link account: This device has logged into Instagram
│ ├─ Query profile: Historical behavior data for this device
│ └─ Update tags: Add "food enthusiast" label to this device
│
└─ Storage location: Meta's user profile database
Stage 3: Ad Recommendation
I open the Instagram app
│
├─ System Check
│ ├─ Verify logged-in user's device
│ ├─ Query this device's profile
│ └─ Call recommendation algorithm
│
├─ Recommendation Algorithm
│ ├─ Input: All behavior data from this device in the past 7 days
│ ├─ Includes: Purchased fried chicken, roommate purchased donuts, followed food bloggers, etc.
│ └─ Output: Recommend fried chicken and donut ads
│
└─ Display: Precise ads appear in my feed
Every step requires no explicit user authorization—because all authorizations are buried in the app’s privacy policies, and most users never read these policies.
Reflection and Transparency
An Uncomfortable Truth
Behind all this lies an uncomfortable truth: we’ve lost complete control over where our data goes.
Even if you disable system-level tracking permissions, even if you never use Meta’s apps, even if you delete all cookies—you’re still being tracked.
Because tracking no longer depends on a single permission that can be turned off. It depends on:
- SDK integration by app developers
- Infrastructure from network providers
- Pre-installed software from hardware manufacturers
- Black market dealings of data brokers
None of these are things users can easily control.
The Dual Meaning of Browser Fingerprinting
Browser fingerprinting technology itself is neutral. It can be used for:
- Protecting users—identifying fraud, preventing account theft, detecting anomalous logins
- Tracking users—building behavioral profiles without users’ awareness
Echoscan’s purpose in developing browser fingerprinting is the former—helping platforms identify fraud and prevent abuse. But the very existence of this technology proves that precise tracking is feasible.
Once this technology is applied for tracking purposes, users have almost no way to escape.
Conclusion: Between Seeing and Not Seeing
Throughout the entire browser fingerprinting application series, we’ve discussed many visible defenses—anti-fraud, security identification, opinion protection. But this special edition wants to reveal the other side of device identification technology: ubiquitous tracking.
From fried chicken ads to algorithm recommendations, from a single app to the entire ecosystem, a complete, multi-layered device identification system is operating. Browser fingerprinting is just one link in this system.
We cannot completely escape this system. But we can choose to see it.
The next time you see a mysteriously precise ad, you now know how it got there. Your device is talking, and Meta is listening. It’s not a coincidence—it’s a sophisticated, cross-application and cross-network-boundary, device-fingerprint-based tracking system at work.
The question is no longer “why is it so precise,” but “how should I treat my own data?”
The answer might not be simple. But at least now we know roughly what’s going on.