TL;DR
A researcher has decrypted AppLovin’s ad mediation encryption, exposing how device data can deterministically identify iPhones across apps, even when the user has denied App Tracking Transparency (ATT). This raises privacy concerns about user tracking.
A researcher has decrypted AppLovin’s proprietary encryption protocol used in its ad mediation requests, revealing that detailed device data can be used to re-identify iPhone users across different apps, even when they have denied App Tracking Transparency (ATT). This undermines assumptions that ATT is the sole method for user identification and raises privacy concerns.
The researcher analyzed thousands of encrypted bid requests sent by AppLovin’s SDK, uncovering that each request contains a payload encrypted with a cipher built from a shared SDK key and a constant salt embedded in the SDK binary. The keystream comes from SplitMix64, a pseudorandom number generator that is not cryptographically secure, and the cipher does not include authentication, so a modified ciphertext would not be detected as tampered.
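The two weaknesses described above (a SplitMix64 keystream and no authentication) can be seen in a small model. This is an added example, not AppLovin's code or the researcher's: the seed derivation, key, salt, MAC key and JSON payload are all constructed assumptions, since the page does not give the real construction.

```python
import hashlib
import hmac

MASK64 = (1 << 64) - 1
SDK_KEY, SALT = b"constructed-sdk-key", b"constructed-salt"  # placeholders, not real values
SAMPLE = b'{"idfa":"00000000","model":"iPhone15,2"}'         # constructed payload

def splitmix64(state):
    # One SplitMix64 step: returns (new_state, 64-bit output).
    state = (state + 0x9E3779B97F4A7C15) & MASK64
    z = ((state ^ (state >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
    return state, z ^ (z >> 31)

def keystream(seed, n):
    out, state = bytearray(), seed
    while len(out) < n:
        state, word = splitmix64(state)
        out += word.to_bytes(8, "little")
    return bytes(out[:n])

def derive_seed(sdk_key, salt):
    # Assumption: hash key and salt down to a 64-bit seed; the real derivation is not on the page.
    return int.from_bytes(hashlib.sha256(salt + sdk_key).digest()[:8], "little")

def xor_crypt(seed, data):
    # Unauthenticated stream cipher: the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))

def tamper(ct, offset, old, new):
    # Malleability: XOR-ing ciphertext with (old ^ new) rewrites the plaintext without any key.
    patch = bytes(a ^ b for a, b in zip(old, new))
    return ct[:offset] + bytes(c ^ p for c, p in zip(ct[offset:], patch)) + ct[offset + len(patch):]

def seal(seed, mac_key, plaintext):
    # Encrypt-then-MAC: append an HMAC-SHA256 tag computed over the ciphertext.
    ct = xor_crypt(seed, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(seed, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return xor_crypt(seed, ct)

if __name__ == "__main__":
    seed = derive_seed(SDK_KEY, SALT)
    forged = tamper(xor_crypt(seed, SAMPLE), SAMPLE.index(b"iPhone15,2"), b"iPhone15,2", b"iPhone99,9")
    print(xor_crypt(seed, forged))  # decrypts cleanly to the altered payload
```

The HMAC tag only fixes the integrity gap; confidentiality still needs a real cipher with per-message nonces, for which a standard AEAD such as AES-GCM or ChaCha20-Poly1305 is the usual choice.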
Decryption of these requests revealed a JSON payload containing extensive device information, including hardware identifiers, OS details, screen metrics, and other system properties. Notably, even when the user denies ATT and IDFA is zeroed, the payload still includes device-specific fingerprint data, enabling deterministic re-identification across apps and ad networks.
Why It Matters
This development challenges the common belief that ATT is the only barrier to user tracking on iOS devices. By exposing the encryption’s vulnerabilities and the detailed device data transmitted, it suggests that app developers and ad networks can still track users across apps without relying on identifiers like IDFA. This has privacy implications, potentially undermining user control over data sharing and consent.
Background
AppLovin is a major player in mobile ad mediation, integrating multiple ad networks and demand partners into a single SDK. Its encryption protocol was believed to protect user privacy by obfuscating device data. However, the researcher’s analysis shows that the encryption, based on a predictable keystream generator and lacking authentication, can be decrypted, revealing sensitive device information. Prior to this, the industry widely relied on ATT and IDFA restrictions to limit user tracking, but this finding indicates that alternative fingerprinting methods are still effective.
“The cipher used by AppLovin is vulnerable because it employs a keystream generator that does not pass cryptographic standards, allowing me to decrypt thousands of requests.”
— Researcher
“This discovery shows that even with ATT restrictions, detailed device data can be used to track users across apps, raising serious privacy concerns.”
— Privacy advocate
What Remains Unclear
It remains unclear whether AppLovin is aware of this vulnerability or has taken steps to fix or patch the encryption protocol. The full scope of how widespread the tracking implications are across all AppLovin-powered apps is also still being assessed. Additionally, the potential for malicious tampering or further exploitation of the cipher has not been fully explored.

What’s Next
Further investigation is expected to determine whether AppLovin will update or replace its encryption protocol. Industry stakeholders may reassess privacy safeguards and consider alternative fingerprinting methods. Regulatory scrutiny could also increase if user privacy is compromised on a large scale.

Key Questions
Can this decrypted data be used to identify users across different apps?
Yes, the detailed device information can be used to deterministically re-identify users across multiple apps, even when ATT is denied.
Does this mean user privacy is compromised?
Potentially, yes. The decrypted data reveals that device fingerprinting can bypass some privacy restrictions, raising privacy concerns.
Has AppLovin responded to this discovery?
As of now, there is no public statement from AppLovin regarding this decryption or its implications.
Could this vulnerability be exploited maliciously?
Since the cipher lacks authentication, it could be tampered with, possibly enabling malicious actors to manipulate or extract data further.
Will this lead to regulatory action?
It is uncertain, but increased scrutiny from privacy regulators is possible if the tracking implications are confirmed to affect many users.