How does the Facebook SDK in a 3rd party app correlate that you're the same user if you don't log into the app with FB? Is there some universal device identifier all your apps have access to?
There was a static universal device identifier until iOS 6. Even today, while Apple has implemented many sensible restrictions on tracking, there's still a ton of information that can be used for device fingerprinting freely available to all apps. This blog post [0] pegs the amount of useful information at around 56 bits.
The IP addresses (both WiFi and mobile), device make/model, carrier and locale can be combined into a fairly unique fingerprint, narrowing it down even more over time since the SDK phones home every time the app is opened.
There's an "advertising id" that's assigned to your phone, accessible by apps you install. This ID can be reset by the user, but only if they are aware of it.
