Re: Android's missing firewall
I also ask you to take a good look at what Google is doing with Google Play and permissions.
There's an upcoming one I'll use as an example: Apps that need to do something regularly call an API to set an alarm to wake them up. Google split that alarm into two, "exact" alarms for apps that need a specific wakeup and normal alarms that may be a little late or early to improve battery performance. So far so good. The new change is to break the "exact" timers if the app doesn't have an extra permission and force it to be inaccurate.
So the app needs an exact time, it requested an exact time, it will be refused an exact time. Of course the user won't know the details of the change, it is fine detail, only that the app doesn't run properly. Notifications are late etc.
That permission will likely be turned on by default for Google Play sourced apps that request it as other permissions have.
I suspect that Google Play Services will turn it off for non Google Play apps, as it appears to be doing for other critical permissions (USB access and Accessibility Permissions). In effect, if the app doesn't come from Google Play, rather some other store or direct from the company, your app software is under attack from Google Play. Here I suspect you'll miss critical timing things that the app needed.
This pattern, coupled to the other thing they're doing... forcing all transactions, even third party ones through Google Play Store. It gives them a cut of the fee, sure, but it also gives them the identity details of every Android user. Even ones that don't want to be customers of Google. Things like gift cards are being phased out, and you are being forced to reluctantly get a Google Play account, simply to get software not to break, which in turn is forcing financial ID details linkable to the magic cookie (the tracking ID Android phones send as a unique device ID).
Four other things: changing the magic cookie 'ad ID' on Android does not help. Google had your session data, you change the cookie, it now has the new cookie for that session data. It can link the two, and given Google's behavior it certainly will be doing that.
Opting out of customized advertising is not the same as "DO NOT SEND THE UNIQUE ID". It's worded to make you think it is, but I think it still sends the ID, I believe Google still *tracks* the ID, it just doesn't serve the adverts with the same level of personalization.
The ID is obfuscation. At any time, Google can link that ID to an account, but chooses to present you a fake view of the data it has slurped as if it cannot.
Coarse position is a lie, Google has your location to metres, the coarse position is sent back to you and your apps. It is not the phone that is sending a coarse location, it is sending the exact location to Google, Google is getting the exact position. What would you bet that the exact position is also logged against Google's magic cookie? 0.9999.... probability.