The analysis examined weather API requests from Samsung devices and found a persistent device fingerprinting technique. The Samsung Weather app identifies each saved location in its API requests with a "placeid", a 64-character hex string. Combined with other location data, the placeid creates a unique fingerprint for each device. This fingerprint persists across IP changes, VPNs, and network roaming. The study found a high degree of fingerprint uniqueness, with almost all devices having a distinct fingerprint.

The app uses hardcoded API keys, which allows anyone to resolve a placeid to a physical location. The app also redundantly transmits GPS coordinates alongside placeids, providing excessive location data. The Weather Company (IBM) receives these requests, creating a historical record linked to each fingerprint. This practice echoes previous issues, including lawsuits against The Weather Channel for similar data collection practices.

The placeid-based fingerprinting bypasses typical location permission controls. Given Samsung's widespread device distribution and the app's default activity, this fingerprinting raises privacy concerns on a large scale: the pre-installed app quietly tracks user locations.
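To measure this exposure in your own intercepted traffic, the added example below (not code from the original analysis) groups weather requests by client IP and checks whether the same set of placeids reappears under a different address. The host, path, `geocode` parameter name, log layout and the choice to hash the sorted placeid set as the fingerprint are all assumptions; only the `placeid` name and its 64-character hex form come from the text above.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PLACEID_RE = re.compile(r"[0-9a-f]{64}")  # 64-character hex string, per the page

def pid(label):
    """Constructed stand-in for a real placeid (SHA-256 hex is 64 chars)."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed proxy capture: "<client_ip> <request URL>". Host, path and the
# "geocode" parameter are hypothetical; IPs are documentation ranges.
BASE = "https://weather.example/v3/forecast"
SAMPLE_LOG = "\n".join([
    f"203.0.113.10 {BASE}?placeid={pid('home-a')}&geocode=52.52,13.40",
    f"203.0.113.10 {BASE}?placeid={pid('work')}",
    f"203.0.113.10 {BASE}?placeid={pid('gym')}",
    # Same device after switching to a VPN exit: new IP, same saved places.
    f"198.51.100.7 {BASE}?placeid={pid('gym')}",
    f"198.51.100.7 {BASE}?placeid={pid('home-a')}&geocode=52.52,13.40",
    f"198.51.100.7 {BASE}?placeid={pid('work')}",
    # A second device that shares one saved place with the first.
    f"192.0.2.44 {BASE}?placeid={pid('home-b')}",
    f"192.0.2.44 {BASE}?placeid={pid('work')}",
    f"192.0.2.44 {BASE}?placeid=not-a-placeid",  # malformed, ignored
])

def audit(log):
    """Return ({fingerprint: set_of_client_ips}, requests_with_placeid_and_gps)."""
    per_ip = defaultdict(set)
    redundant_gps = 0
    for line in log.splitlines():
        ip, _, url = line.partition(" ")
        query = parse_qs(urlsplit(url).query)
        placeid = query.get("placeid", [""])[0].lower()
        if not PLACEID_RE.fullmatch(placeid):
            continue
        per_ip[ip].add(placeid)
        if "geocode" in query:  # coordinates sent on top of the placeid
            redundant_gps += 1
    by_fingerprint = defaultdict(set)
    for ip, placeids in per_ip.items():
        # Order-independent digest of the saved-location set.
        fp = hashlib.sha256("\n".join(sorted(placeids)).encode()).hexdigest()
        by_fingerprint[fp].add(ip)
    return dict(by_fingerprint), redundant_gps

if __name__ == "__main__":
    fingerprints, gps = audit(SAMPLE_LOG)
    for fp, ips in fingerprints.items():
        print(fp[:16], sorted(ips))
    print("requests carrying placeid and coordinates:", gps)
```

A fingerprint that maps to more than one client IP is the persistence described above: the network identity changed, the saved-location set did not.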
reddit.com
