I broke AppLovin's mediation cipher protocol
A security researcher successfully cracked AppLovin's ad mediation encryption, unveiling how the ad-tech giant collects a vast array of device data. This extensive fingerprinting allows for deterministic re-identification of individual iPhones across different apps and publishers, even when users explicitly deny Apple's App Tracking Transparency (ATT) permissions. The findings highlight a significant gap in mobile privacy, demonstrating that sophisticated tracking persists despite user opt-outs and platform-level privacy controls.
The Lowdown
A researcher reverse-engineered AppLovin's proprietary mediation cipher protocol and found a device-fingerprinting mechanism that, in practice, bypasses Apple's App Tracking Transparency (ATT) framework.
- Cipher Vulnerability: AppLovin's mediation requests travel over HTTPS but are wrapped in a second, custom encryption layer. That layer is keyed from a shared SDK key and a universal salt, generates its keystream with SplitMix64 (a non-cryptographic PRNG whose internal state can be recovered from a single output word), carries no authentication tag (no MAC), so ciphertext can be altered undetected, and leaks the device's exact wall-clock time through its counter.
- Extensive Data Collection: Decrypting thousands of real-world requests revealed a device_info payload of roughly 50 fields, including hardware model, OS version, RAM, screen dimensions, installed keyboards, timezone, system audio volume, mute switch state, and boot time. Crucially, this data flows even when ATT is denied and the IDFA is zeroed.
- Cross-App Tracking: A SHA-256 hash over just nine of these device fields (e.g., hardware model, OS, screen dimensions) yields a unique, persistent identifier for an iPhone, allowing it to be re-identified across applications and publishers where ATT was denied. The fingerprint is unchanged across apps, IDFVs, and SDK versions.
- Ad Network Fan-Out: Beyond AppLovin's own payload, the encrypted envelope also carries signal_data[], an array of tokens from up to 18 other demand-partner ad networks. These "mini-envelopes" distribute device data further, and some downstream bidders (InMobi and BidMachine, for example) collect more granular information (available disk space, persistent UUIDs) than AppLovin's primary payload.
- ATT's Limited Scope: AppLovin's server-issued api_did identifier does respect ATT, returning a "BADDID" sentinel for users who denied it. The core issue is the dozens of other device properties that third-party code can read: iOS does not gate them behind ATT, so the fingerprint is rebuilt covertly on every banner load, roughly every 30 seconds.
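The cipher weaknesses in the first bullet, worked through on a toy envelope. This is an added example, not AppLovin's code or the researcher's tooling: the key schedule (SHA-256 of key, salt and counter truncated to a 64-bit seed), the envelope layout (an 8-byte plaintext counter followed by plaintext XOR keystream) and the sample key, salt and JSON body are all assumptions made for illustration. What is faithful to the page is the combination that matters: a SplitMix64 keystream, shared key material and no MAC. The example shows three consequences: the counter is readable in the clear, eight known plaintext bytes let anyone invert SplitMix64's output mixer and regenerate the rest of the keystream without ever seeing the SDK key or salt, and a bit-flip in the ciphertext rewrites the plaintext undetected.

```python
import hashlib
import struct

MASK = (1 << 64) - 1
GAMMA = 0x9E3779B97F4A7C15                     # SplitMix64 state increment
C1, C2 = 0xBF58476D1CE4E5B9, 0x94D049BB133111EB  # SplitMix64 mixer multipliers
INV_C1, INV_C2 = pow(C1, -1, 1 << 64), pow(C2, -1, 1 << 64)


def splitmix64_next(state):
    """One SplitMix64 step: returns (new_state, 64-bit output)."""
    state = (state + GAMMA) & MASK
    z = state
    z = ((z ^ (z >> 30)) * C1) & MASK
    z = ((z ^ (z >> 27)) * C2) & MASK
    return state, z ^ (z >> 31)


def keystream(state, nbytes):
    """Concatenate little-endian SplitMix64 outputs until nbytes are available."""
    out = b""
    while len(out) < nbytes:
        state, word = splitmix64_next(state)
        out += struct.pack("<Q", word)
    return out[:nbytes]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(sdk_key, salt, counter, plaintext):
    """HYPOTHETICAL envelope: counter (clear) || plaintext XOR keystream, no MAC.
    The page does not give AppLovin's real key schedule; this hash stands in for it."""
    seed = hashlib.sha256(sdk_key + salt + struct.pack("<Q", counter)).digest()[:8]
    ks = keystream(struct.unpack("<Q", seed)[0], len(plaintext))
    return struct.pack("<Q", counter) + xor(plaintext, ks)


def toy_decrypt(sdk_key, salt, envelope):
    """Legitimate receiver: same keystream, XOR is its own inverse."""
    return toy_encrypt(sdk_key, salt, envelope_counter(envelope), envelope[8:])[8:]


def envelope_counter(envelope):
    """The counter travels unencrypted, so the sender's wall-clock time leaks."""
    return struct.unpack("<Q", envelope[:8])[0]


def unxorshift(y, k):
    """Invert x ^ (x >> k) on 64-bit values; each pass fixes k more high bits."""
    x = y
    for _ in range(64 // k + 1):
        x = y ^ (x >> k)
    return x


def splitmix64_recover_state(output):
    """SplitMix64's output mixer is a bijection: undo it to get the state back."""
    z = unxorshift(output, 31)
    z = (z * INV_C2) & MASK
    z = unxorshift(z, 27)
    z = (z * INV_C1) & MASK
    return unxorshift(z, 30)


def decrypt_without_key(envelope, known_prefix):
    """Known-plaintext attack needing neither SDK key nor salt: the first eight
    plaintext bytes (the JSON opener) expose one keystream word, that word
    inverts to the generator state, and every later word follows from it."""
    body = envelope[8:]
    first_word = xor(body[:8], known_prefix[:8])
    state = splitmix64_recover_state(struct.unpack("<Q", first_word)[0])
    return xor(body, first_word + keystream(state, len(body) - 8))


def tamper(envelope, offset, old, new):
    """No MAC: XOR-ing old^new into the ciphertext rewrites the plaintext in place."""
    body = bytearray(envelope[8:])
    for i, (o, n) in enumerate(zip(old, new)):
        body[offset + i] ^= o ^ n
    return envelope[:8] + bytes(body)


# Constructed sample values for the demo, not real AppLovin material.
SDK_KEY = b"constructed-sdk-key"
SALT = b"constructed-universal-salt"
PLAINTEXT = b'{"device_info":{"hw_model":"iPhone14,5","att":"denied"}}'

if __name__ == "__main__":
    env = toy_encrypt(SDK_KEY, SALT, 1718000123, PLAINTEXT)
    print("counter leaks time:", envelope_counter(env))
    print("recovered with no key:", decrypt_without_key(env, b'{"device'))
    forged = tamper(env, PLAINTEXT.index(b"denied"), b"denied", b"opt-in")
    print("receiver accepts forgery:", toy_decrypt(SDK_KEY, SALT, forged))
```

The state-recovery step is the reason a non-cryptographic generator is disqualifying here regardless of how the seed is derived: once one output word is known, the seed no longer matters. An authenticated cipher (AES-GCM or ChaCha20-Poly1305 under a per-session key) would close both the keystream-recovery and the malleability problems; moving the timestamp inside the authenticated payload would close the leak.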
This analysis starkly illustrates that while Apple's ATT aims to curb cross-app tracking, the ad-tech industry continues to leverage device fingerprinting through numerous other data points, effectively circumventing privacy protections and enabling persistent user identification without explicit consent.
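The cross-app re-identification described in the Cross-App Tracking bullet, as an added example that is not the researcher's code or AppLovin's. The page names only hardware model, OS and screen dimensions among the nine hashed fields, so the exact field list below, the canonical serialisation and the sample payloads are assumptions of the example. The point it demonstrates is structural: hashing only device-bound fields and leaving out everything the app controls (bundle id, IDFV, SDK version, the BADDID sentinel that stands in for the IDFA) gives a digest that links the same iPhone across two unrelated apps that both denied ATT, while a different device of the same model in the same timezone lands in a separate bucket.

```python
import hashlib
import json

# ASSUMPTION: which nine fields feed the hash is not fully stated on the page.
# Which fields you include trades stability for distinctiveness: boot_time and
# mute_switch survive an app switch but not a reboot or a flick of the switch.
FINGERPRINT_FIELDS = (
    "hw_model", "os_version", "ram_mb", "screen_w", "screen_h",
    "keyboards", "timezone", "boot_time", "mute_switch",
)


def fingerprint(device_info):
    """SHA-256 over a canonical serialisation of the nine device-bound fields.

    App-bound values (bundle id, IDFV, SDK version, volume, counters) are
    deliberately excluded, so the digest is identical from every app on the
    device and unaffected by ATT zeroing the IDFA.
    """
    subset = {k: device_info[k] for k in FINGERPRINT_FIELDS}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def link_records(records):
    """Group decrypted device_info payloads by fingerprint. Every (bundle id,
    IDFV) pair that lands in one bucket was emitted by the same physical device."""
    buckets = {}
    for rec in records:
        buckets.setdefault(fingerprint(rec), []).append((rec["bundle_id"], rec["idfv"]))
    return buckets


# Constructed sample payloads, not real captures: two apps on one iPhone that
# both denied ATT, plus a second iPhone of the same model in the same timezone.
_DEVICE_A = {
    "hw_model": "iPhone14,5", "os_version": "17.5.1", "ram_mb": 5744,
    "screen_w": 1170, "screen_h": 2532, "keyboards": ["en_US", "emoji"],
    "timezone": "Europe/Berlin", "boot_time": 1718000123, "mute_switch": 1,
    "att": "denied", "api_did": "BADDID",
}
SAMPLE_RECORDS = [
    dict(_DEVICE_A, bundle_id="com.example.game", sdk_version="12.4.1", volume=0.3,
         idfv="11111111-1111-4111-8111-111111111111"),
    dict(_DEVICE_A, bundle_id="com.example.news", sdk_version="12.6.0", volume=0.7,
         idfv="22222222-2222-4222-8222-222222222222"),
    dict(_DEVICE_A, bundle_id="com.example.game", sdk_version="12.4.1", volume=0.3,
         idfv="33333333-3333-4333-8333-333333333333",
         boot_time=1718123456, keyboards=["de_DE"]),
]

if __name__ == "__main__":
    for fp, apps in link_records(SAMPLE_RECORDS).items():
        print(fp[:16], "->", apps)
```

Run against real decrypted payloads, the same grouping is the detection check a privacy reviewer wants: if records with different IDFVs and bundle ids collapse into one bucket despite att == "denied", the fingerprint is doing the job the IDFA was denied for.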