What is the risk of leaking IMEI / IMSI numbers over a network?

  • Should I worry if a developer programmed an app to send the IMEI / IMSI number of the phone where the app is installed back to him? What can an attacker do with such information?

  • The IMEI is a unique worldwide identifier for the phone (the hardware element), while the IMSI is a unique worldwide identifier for the SIM card (so it more-or-less maps to the human user who owns it). See this page. Both are sent "as is" over the air, and thus can be obtained by any attacker with an antenna and located in the vicinity. Knowledge of the IMEI and/or IMSI of some user does not give extra ways to break into the communications of that user; they are not secret values.


    There may be a slight privacy concern about IMEI and IMSI, in that they allow one to "track" user habits:

    • An application could generate a random unique identifier each time it is installed on a phone. However, by using the IMEI, the application can tell whether it is re-installed on a given phone; it can also be used to cross-reference the table of known installed application instances with cell phone locations obtained through passive radio listening from some base station.

    • The IMSI "follows" the user when he switches phones (he transfers his SIM card from his old phone to his new phone).

    I can imagine an app which is linked to some "account" on a server; using the IMSI allows the server to more easily automate "relinking" the app when the user switches phones. For the same reason, users can feel that their privacy is breached in that they would like to be able to re-install their app and/or switch phones to "start anew" with a distinct account which is not linkable to their own account.

    To a large extent, users can consider their IMSI to be the phone equivalent of their email address. An app which automatically sends the IMSI to a server is as much a security or privacy issue as a software application which automatically sends the user's email to a remote server; many people would feel uncomfortable at the latter, and it begs the question of why it is done in the first place.

    Of course, if an app does something stupid like using the IMEI or IMSI as an authentication token, e.g. a kind of password to access data on a remote server, then learning the IMEI or IMSI opens access to that data. But that's what you get when you use non-secret data as if it was secret.
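The authentication-token mistake described in the answer above, next to a corrected design, as an added example that is not part of the original answer. The class names, the `demo` helper and the sample IMSI are hypothetical and constructed for illustration; the corrected server treats the identifier as an account name only and authenticates with a random secret issued at enrollment.

```python
import hashlib
import hmac
import secrets

# Constructed sample value: a 15-digit IMSI on the 001/01 test network code.
SAMPLE_IMSI = "001010123456789"

class WeakServer:
    """Anti-pattern: the IMSI itself is the credential."""
    def __init__(self):
        self._data = {}

    def enroll(self, imsi, private_data):
        self._data[imsi] = private_data

    def fetch(self, imsi):
        # The IMSI is not secret, so knowing it is enough to read the data.
        return self._data.get(imsi)

class TokenServer:
    """The identifier only names the account; a random secret authenticates."""
    def __init__(self):
        self._accounts = {}  # account id -> (SHA-256 of token, private data)

    def enroll(self, account_id, private_data):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._accounts[account_id] = (digest, private_data)
        return token  # handed to the app once; the server keeps only the hash

    def fetch(self, account_id, token):
        digest, private_data = self._accounts.get(account_id, (b"", None))
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time compare; unknown accounts compare against b"" and fail.
        return private_data if hmac.compare_digest(digest, presented) else None

def demo():
    weak, strong = WeakServer(), TokenServer()
    weak.enroll(SAMPLE_IMSI, "inbox")
    token = strong.enroll(SAMPLE_IMSI, "inbox")
    observer = weak.fetch(SAMPLE_IMSI)              # caller knows only the IMSI
    guess = strong.fetch(SAMPLE_IMSI, SAMPLE_IMSI)  # IMSI presented as token
    owner = strong.fetch(SAMPLE_IMSI, token)        # app presents its secret
    return observer, guess, owner

if __name__ == "__main__":
    print(demo())
```

Because the token is generated per enrollment, re-installing the app yields a fresh credential, and the server can key accounts on a random install identifier instead of the IMSI if unlinkability across installs is wanted.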

Licensed under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM
