Google Play, GSF ID, useragent, app compatibility?

I get asked fairly often (in various ways) how Google Play determines if an app is compatible with a device.

When you start up your Android device for the first time, it will ask you for a Google Account (spoiler: you don’t want it to have one). This account will then be logged in and Google will issue an auth token for it. The auth token is used afterwards for all subsequent requests to the Google network that require an authenticated user account. The benefit here is that your device doesn’t need to maintain a persistent TCP/IP connection (signal loss makes this impossible anyways) and apps can be given access to your Google Account without exposing your password to them.

After an account is created/added to an Android device, it will perform a checkin request. This is a three step process. In the first step, the device will ask the Google Network to issue a new GSF ID (this may also be referred to as Android ID, as it supersedes Settings.Secure#ANDROID_ID). In the second step, the the GSF ID get’s bound to the logged in Google Account and in the final step, a hardware profile is associated with it (in a nutshell this boils down to uploading the build.prop file).

Note: a new GSF ID is issued when either the device is factory reset or the cache of the Google Play App is cleared (the solution to the infamous “DF-DFERH-1” error), so Google Accounts that are used on Android devices accumulate GSF IDs over time.

The problem with the GSF ID is that its is (like pretty much all of Android) near sighted in design. Whoever came up with the idea thought that Android devices would never change during their lifetime. While this might be true for the hardware (though there have been efforts to make Android modular), it isn’t for the software side. The OS can (and sometimes, actually is) be upgraded. This means, the static data, linked to the GSF ID isn’t always sufficient to determine app compatibility and another piece of information is required: the user agent string of the Play app (did I already mention that everything about Android looks like it is designed ad-hoc?).

Finally, the devices IP address also plays a role in determining app compatibility, as developers can region lock apps or restrict them to certain carriers.

So, to summarize this, whenever you perform a search on Google Play (using either the Play client app or Raccoon), the following three (four) pieces of information are sent along with every request:

  • The auth cookie
  • The GSF ID
  • The user agent string.
  • (Your IP address)

Without the auth cookie and the device ID you don’t get any service at all (Play cannot be browsed anonymously, everything you do there is tracked and used for marketing purposes). The user agent is (nowadays) the main app compatibility filter (I’m not even sure, if the hardware profile, bound to the GSF ID is still required).

Posted in Android