User tracking is critical in the mobile ecosystem and relies on device identifiers to build user profiles. Early versions of Android allowed third-party apps to easily access non-resettable identifiers such as serial numbers and IMEI. As privacy concerns grew, Google has tightened identifier access in native Android. In response, stakeholders in custom Android systems introduced covert channels (e.g., system properties and settings) to maintain consistent and stable identifier access across systems and devices, which undoubtedly increases privacy risks. This paper examines the introduction of such channels through system customization and their vulnerability due to poor access control. We present IDRADAR, a scalable and accurate approach for identifying vulnerable properties and settings in custom Android systems. Applying our approach to 1,814 custom ROMs, we identified 8,192 system properties and 3,620 settings that store non-resettable device identifiers. Among these, 3,477 properties and 1,336 settings lack adequate access control and could be exploited by third-party apps to track users without permissions. Further validation on real devices demonstrates the effectiveness of our approach. Compared to state-of-the-art, IDRADAR offers improved scalability and analytical capabilities. Additionally, we investigate the root causes of the access control deficiencies and observe that such vulnerabilities frequently recur across devices from the same OEMs. We have reported our findings to the respective vendors and received positive confirmations. Our work underscores the need for greater scrutiny of covert access to device identifiers and better solutions to safeguard user privacy during system customizations.