Researchers from the University of Illinois College of Engineering have demonstrated that these fingerprints exist within smartphone sensors, mainly because of imperfections during the hardware manufacturing process.
The researchers focused specifically on the accelerometer, a sensor that tracks three-dimensional movements of the phone and is essential for countless applications, including pedometers, sleep monitoring and mobile gaming, but their findings suggest that other sensors could leave equally unique fingerprints.
"When you manufacture the hardware, the factory cannot produce the identical thing in millions. So these imperfections create fingerprints," said associate professor Romit Roy Choudhury.
These fingerprints are only visible when accelerometer data signals are analysed in detail. Most applications do not require this level of analysis, yet the data shared with all applications - your favourite game, your pedometer - bear the mark. Should someone want to perform this analysis, they could do so, researchers said.
The study tested more than 100 devices over the course of nine months: 80 standalone accelerometer chips used in popular smartphones, 25 Android phones, and 2 tablets.
The accelerometers in all permutations were selected from different manufacturers, to ensure that the fingerprints weren't simply defects resulting from a particular production line.
With 96 percent accuracy, the researchers, including graduate students Sanorita Dey and Nirupam Roy, could discriminate one sensor from another.
"We do not need to know any other information about the phone - no phone number or SIM card number. Just by looking at the data, we can tell you which device it's coming from. It's almost like another identifier," said Dey.
In the real world, this suggests that even when a smartphone application does not have access to location information (which it would have to request with a prompt such as "this application would like to use your current location"), there are other means of identifying the user's activities.
The fingerprint could be obtained with an innocuous-seeming game or chat service, simply by recording and sending accelerometer data. To collect that data, the researchers, like any would-be attacker, needed to sample the accelerometer.
Each accelerometer was vibrated using a single vibrator motor - like those that buzz when a text message is received - for two-second intervals. During those periods, the accelerometer detected the movement and the readings were transmitted to a supervised-learning tool, which decoded the fingerprint.
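An added illustration of the procedure described above (not the researchers' code or tool): simulated chips with constructed gain and bias errors are "vibrated" for two seconds, and a nearest-centroid classifier, standing in for the study's unnamed supervised-learning tool, re-identifies each chip from fresh bursts. The sampling rate, motor frequency, noise level and feature set are assumptions.

```python
import math
import random
import statistics

# Assumed values; only the two-second burst length comes from the article.
RATE_HZ, SECONDS, MOTOR_HZ = 100, 2, 20

def burst(gain, bias, rng):
    """Constructed two-second trace: motor vibration seen through an imperfect chip."""
    return [gain * math.sin(2 * math.pi * MOTOR_HZ * i / RATE_HZ) + bias + rng.gauss(0, 0.02)
            for i in range(RATE_HZ * SECONDS)]

def features(trace):
    """Assumed feature vector: offset (mean) and vibration strength (std deviation)."""
    return (statistics.fmean(trace), statistics.pstdev(trace))

def train(labelled):
    """Supervised step: average the feature vectors recorded for each known device."""
    return {device: tuple(statistics.fmean(col) for col in zip(*vectors))
            for device, vectors in labelled.items()}

def identify(model, trace):
    """Return the enrolled device whose centroid is nearest to this trace."""
    f = features(trace)
    return min(model, key=lambda d: math.dist(model[d], f))

def experiment(n_devices=20, train_bursts=5, test_bursts=10, seed=1):
    """Enroll simulated chips, then measure how often fresh bursts are re-identified."""
    rng = random.Random(seed)
    # Constructed imperfections: each chip gets its own small gain and bias error.
    chips = {f"chip{i:02d}": (1 + 0.02 * (i % 5 - 2), 0.02 * (i // 5 - 2))
             for i in range(n_devices)}
    model = train({d: [features(burst(g, b, rng)) for _ in range(train_bursts)]
                   for d, (g, b) in chips.items()})
    hits = sum(identify(model, burst(g, b, rng)) == d
               for d, (g, b) in chips.items() for _ in range(test_bursts))
    return hits / (n_devices * test_bursts)

if __name__ == "__main__":
    print(f"identified {experiment():.0%} of test bursts")
```

The match uses only features driven by the simulated hardware errors, so nothing an application stores on the device takes part in it.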
"Even if you erase the app in the phone, or even erase and reinstall all software, the fingerprint still stays inherent. That's a serious threat," Roy said.