investigate client tracking based on TLS Sessions
TLS sessions have a unique ID that is in clear text. Android potentially is using them, as well as other HTTP stacks. This session ID/cookie is set by the server, so the server can use it to track users. It is also visible in plain text in the network traffic.
We need to disable both TLS Session Identifiers and Session Tickets.