Starting March 27, 2025, we recommend using android-latest-release instead of aosp-main to build and contribute to AOSP. For more information, see Changes to AOSP.
Immutable device IDs
Stay organized with collections
Save and categorize content based on your preferences.
In Android 6 and higher, Wi-Fi service providers and packet analyzers have
been restricted from retrieving a device's factory MAC address through the
Wi-Fi stack from network requests. Starting in Android 10, additional restrictions are in place that limit access to device
identifiers (IDs) to apps with the
privilegedpermission
level. This protects device IDs such as
- telephony IMEI, MEID, ESN, and IMSI numbers.
- build, SIM, or USB serial numbers.
Who can access device IDs
Device IDs are restricted on all Android 10
devices, even if apps target Android 9 or lower. Device IDs can be accessed by:
Privileged packages access
A package must be privileged to access device IDs. It must have
READ_PRIVILEGED_PHONE_STATE permission in the
Manifest.permission class, and be allowlisted in the
privapp-permission.xml file. For information on the allowlist
process, see Privileged
Permission Allowlisting.
For information on getting a unique ID for a nonprivileged package,
refer to
Common use cases and the appropriate identifier to use.
Restricted device IDs and randomized MAC addresses
To further restrict device IDs, all devices on Android 10 transmit randomized MAC addresses by default for both
probe and associated requests, and must have a different randomized MAC address
for each SSID. Don't use the device factory MAC address in client mode, soft
access point (AP), or Wi-Fi Direct use cases. It must remain hidden from
publicly accessible APIs that aren't privileged apps. Privileged apps that
require the factory MAC address to be returned are required to have
LOCAL_MAC_ADDRESS permission.
Users have the option to keep the default randomized MAC address that's assigned to each SSID.
The option is viewable under Privacy in
Settings > Network details. To learn about
obtaining a randomized MAC address see
Randomized MAC addresses.
Figure 1.MAC address shows as randomized under Privacy in Network details.
Apps that invoke device ID APIs
Apps that invoke device ID APIs must meet the Android 10 requirements. Otherwise, when they try to access
device IDs the following is returned:
- Apps targeting Android 10
- Apps targeting Android 9 or earlier
- If they have the
READ_PHONE_STATE permission, either a null response or
placeholder data is returned.
- If they don't, the device ID APIs throw
SecurityException
that contains the name of the method called, and an indication that the calling
app doesn't meet the requirements to access the requested ID.
For more on immutable device IDs see Nonresettable
device identifiers and best practices
for unique identifiers.
Testing
Apps must be prevented from accessing the device serial number and,
where applicable, IMEI or MEID, SIM serial number, and subscriber ID. Apps with
permission to access these IDs must also meet one of the criteria listed under
Who can access device IDs.
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2025-08-29 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Immutable device IDs\n\nIn Android 6 and higher, Wi-Fi service providers and packet analyzers have\nbeen restricted from retrieving a device's factory MAC address through the\nWi-Fi stack from network requests. Starting in Android 10, additional restrictions are in place that limit access to device\nidentifiers (IDs) to apps with the [privileged](/docs/core/permissions/perms-allowlist)[permission\nlevel](https://developer.android.com/reference/android/R.attr.html#protectionLevel). This protects device IDs such as\n\n- telephony IMEI, MEID, ESN, and IMSI numbers.\n- build, SIM, or USB serial numbers.\n\n### Who can access device IDs\n\nDevice IDs are restricted on all Android 10\ndevices, even if apps target Android 9 or lower. Device IDs can be accessed by:\n\n- The default SMS app.\n- Apps with both [READ_PRIVILEGED_PHONE_STATE](/docs/core/permissions/perms-allowlist#customizing-allowlists) permission in the `\n `[Manifest.permission](https://developer.android.com/reference/android/Manifest.permission) class, and allowlisting in the `privapp-permission.xml` file. These must also be loaded in the `priv-app` directory.\n- Apps with carrier privileges as defined in [UICC Carrier\n Privileges](/docs/core/connect/uicc).\n- A device owner or profile owner with [READ_PHONE_STATE](https://developer.android.com/reference/android/Manifest.permission.html#READ_PHONE_STATE) permission granted in the [Manifest.permission](https://developer.android.com/reference/android/Manifest.permission) class. (Allowlisting isn't required.)\n\n#### Privileged packages access\n\nA package must be privileged to access device IDs. It must have\n[READ_PRIVILEGED_PHONE_STATE](/docs/core/permissions/perms-allowlist#customizing-allowlists) permission in the\n`Manifest.permission` class, and be allowlisted in the\n`privapp-permission.xml` file. For information on the allowlist\nprocess, see [Privileged\nPermission Allowlisting](/docs/core/permissions/perms-allowlist).\n\nFor information on getting a unique ID for a *nonprivileged* package,\nrefer to [Common use cases and the appropriate identifier to use](https://developer.android.com/training/articles/user-data-ids#common-use-cases).\n\n#### Restricted device IDs and randomized MAC addresses\n\nTo further restrict device IDs, all devices on Android 10 transmit randomized MAC addresses by default for both\nprobe and associated requests, and must have a different randomized MAC address\nfor each SSID. Don't use the device factory MAC address in client mode, soft\naccess point (AP), or Wi-Fi Direct use cases. It must remain hidden from\npublicly accessible APIs that aren't privileged apps. Privileged apps that\nrequire the factory MAC address to be returned are required to have\n`LOCAL_MAC_ADDRESS` permission.\n\nUsers have the option to keep the *default randomized* MAC address that's assigned to each SSID.\nThe option is viewable under **Privacy** in\n**Settings** \\\u003e **Network details** . To learn about\nobtaining a randomized MAC address see [Randomized MAC addresses](https://developer.android.com/about/versions/10/privacy/changes#data-ids).\n\n**Figure 1.**MAC address shows as randomized under Privacy in Network details.\n\n#### Apps that invoke device ID APIs\n\nApps that invoke device ID APIs must meet the Android 10 requirements. Otherwise, when they try to access\ndevice IDs the following is returned:\n\n- Apps targeting Android 10\n - [SecurityException](https://developer.android.com/reference/java/lang/SecurityException) is thrown from the device ID APIs.\n- Apps targeting Android 9 or earlier\n - If they have the [READ_PHONE_STATE](https://developer.android.com/reference/android/Manifest.permission.html#READ_PHONE_STATE) permission, either a `null` response or placeholder data is returned.\n - If they don't, the device ID APIs throw [SecurityException](https://developer.android.com/reference/java/lang/SecurityException) that contains the name of the method called, and an indication that the calling app doesn't meet the requirements to access the requested ID.\n\nFor more on immutable device IDs see [Nonresettable\ndevice identifiers](https://developer.android.com/about/versions/10/privacy/changes#data-ids) and [best practices\nfor unique identifiers](https://developer.android.com/training/articles/user-data-ids).\n\n### Testing\n\nApps *must* be prevented from accessing the device serial number and,\nwhere applicable, IMEI or MEID, SIM serial number, and subscriber ID. Apps with\npermission to access these IDs must also meet one of the criteria listed under\n[Who can access device IDs](#who-access)."]]
