In /stream API request each post contains a property named "ClientId". I suppose it's generated by client applications when user is posting a secret. It seems that iOS and Android applications generate this string quite differently: xLfLHR (six random characters) — iOS 27c9d93d-7044-40c0-87c8-2fa7d5b252b3 (GUID) — Android
Knowing that information (and models of friends' phones) can possibly help to de-anonymize authors of secrets.
Simple fix for this problem would be to use the same strategy for generating ClientIds on both platforms.