Mobile operators appear to have increasingly turned to new techniques for tracking users — HTTP header enrichment

(written by lawrence krubner, however indented passages are often quotes). You can contact lawrence at:, or follow me on Twitter.


Our analysis reveals a range of HTTP headers injected into mobile user traffic by 13% of the 299 mobile operators in our dataset (including both MNOs and MVNOs). We classify the headers in our dataset into three categories, based on their likely purpose:

• Privacy-compromising headers (5 operators): HTTP headers leaking sensitive information that can uniquely identify the device (IMEI), the subscriber (MSISDN or phone number), or the subscriber’s location.

• Tracking headers (6 operators): operator-generated UIDs (subscriber-unique identifiers) that enable user tracking for advertising purposes [12]. They are also known as super-cookies. Tracking headers do not directly reveal sensitive information about users but can lead to loss of privacy for mobile subscribers.

• Operational headers (24 operators): information related to network operations and network infrastructure, such as internal IP addresses of subscribers (i.e., the local IP address assigned by the provider), and subscriber gateway locations and versions. Some of these headers can assist with tracking users (e.g., internal IP addresses as reported in RFC7239 [15]).

As mobile operators fight for a larger share of the mobile advertising market—a sphere largely dominated by online services and smartphone vendors—they appear to have increasingly turned to new techniques for tracking users. A direct consequence of these steps for increasing revenues is HTTP “header enrichment”.

In this paper, we used data collected by the Netalyzr-for-Android app to identify the presence of HTTP header injection performed by mobile operators all over the world. We classify the techniques in three categories, two of which directly affect user anonymity and privacy, and the third reflecting headers injected ostensibly for operational reasons, but potentially affecting user privacy and security.

While HTTP header enrichment can prove useful for improving the efficacy of mobile advertisement and network management, if mobile operators do not remove the injected information before user traffic leaves its network premises, it can leak information for millions of mobile subscribers all over the world. Unfortunately, HTTP header enrichment typically occurs in a manner transparent to mobile users.
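The following is an added example, not code from the quoted paper or from this post: a check that compares the headers a client sent with the headers a test server under your own control received, and sorts any additions into the three categories quoted above. The header names in the three sets, the echo host name and the sample values are assumptions constructed for illustration; the quoted text names none of them.

```python
import ipaddress
import re

# Assumed header names (not listed in the quoted text); extend from your own captures.
PRIVACY = {"x-msisdn", "msisdn", "x-up-calling-line-id", "x-imei"}
TRACKING = {"x-uidh", "x-acr"}
OPERATIONAL = {"x-forwarded-for", "forwarded", "via"}

def has_private_ip(value):
    """True if the header value contains a private (internal) IPv4 address."""
    for token in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", value):
        try:
            if ipaddress.ip_address(token).is_private:
                return True
        except ValueError:
            continue  # looked like an address but is not a valid one
    return False

def classify_injected(sent, received):
    """Map each header the server saw but the client never sent
    to (category, leaks_internal_ip). Header names compare case-insensitively."""
    sent_names = {name.lower() for name in sent}
    findings = {}
    for name, value in received.items():
        key = name.lower()
        if key in sent_names:
            continue
        if key in PRIVACY:
            category = "privacy-compromising"
        elif key in TRACKING:
            category = "tracking"
        elif key in OPERATIONAL:
            category = "operational"
        else:
            category = "unclassified"  # injected, purpose unknown: review by hand
        findings[key] = (category, has_private_ip(value))
    return findings

# Constructed sample: what the client sent vs. what the echo server reported back.
SENT = {"Host": "echo.example.test", "User-Agent": "probe/1.0", "Accept": "*/*"}
RECEIVED = dict(SENT, **{
    "X-MSISDN": "15555550100",            # constructed phone number
    "X-UIDH": "CONSTRUCTED-UID-0001",     # constructed subscriber UID
    "X-Forwarded-For": "10.20.30.40",     # constructed internal address
    "X-Unknown-Gw": "gw-01",
})

if __name__ == "__main__":
    for header, (category, leaks_ip) in classify_injected(SENT, RECEIVED).items():
        print(f"{header}: {category} (internal IP: {leaks_ip})")
```

The comparison only works over plain HTTP, and the server side has to echo the request headers verbatim for the difference to be meaningful.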
