I broke AppLovin's mediation cipher protocol
4 hours ago
- #privacy
- #ad-tech
- #fingerprinting
- AppLovin's encrypted ad-mediation protocol, using a custom cipher, allows deterministic re-identification of iPhones across apps even when ATT is denied.
- The cipher uses a universal salt and a per-publisher SDK key, lacks cryptographic security, and leaks device timestamps in every request.
- Decrypted payloads include extensive device fingerprint data (e.g., hardware model, OS version, screen specs, RAM) and bidder tokens sent to multiple ad networks.
- Observations show that ATT denial zeros only the IDFA; device fingerprinting remains effective, with unique hashes identifying devices across different apps.
- AppLovin's api_did field respects ATT, but downstream ad networks collect additional data (e.g., disk space, battery level) enabling cross-app tracking.
- The protocol creates privacy risk because fingerprint data reaches AppLovin and about 12 ad networks per banner load, circumventing ATT's intended protections.
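To illustrate the point about ATT denial, here is an added audit sketch (not code from the original post) that takes decrypted payloads captured from your own test devices and reports which fields still link a device across apps once the IDFA is zeroed. The field names, app IDs and values are constructed assumptions, not AppLovin's actual schema.

```python
import hashlib
import json

ZERO_IDFA = "00000000-0000-0000-0000-000000000000"  # what iOS returns when ATT is denied
LABELS = {"device", "app"}  # ground truth recorded by the tester, not payload fields

def _cap(device, app, hw, os_ver, screen, ram, battery, disk, ts):
    """Build one constructed capture (hypothetical field names)."""
    return {"device": device, "app": app, "idfa": ZERO_IDFA, "hw_model": hw,
            "os_version": os_ver, "screen": screen, "ram_mb": ram,
            "battery": battery, "free_disk_mb": disk, "ts": ts}

# Constructed sample: two test phones, two apps each, ATT denied everywhere.
CAPTURES = [
    _cap("A", "com.example.game", "iPhone15,2", "17.4", "1179x2556@3x", 5921, 0.81, 40211, 1700000000),
    _cap("A", "com.example.news", "iPhone15,2", "17.4", "1179x2556@3x", 5921, 0.64, 40198, 1700003600),
    _cap("B", "com.example.game", "iPhone14,5", "16.7", "1170x2532@3x", 3844, 0.33, 12050, 1700000100),
    _cap("B", "com.example.news", "iPhone14,5", "16.7", "1170x2532@3x", 3844, 0.29, 12044, 1700003900),
]

def identifying_fields(captures):
    """Fields constant per device across apps, but not constant across all devices."""
    by_device = {}
    for c in captures:
        by_device.setdefault(c["device"], []).append(c)
    fields = set(captures[0]) - LABELS
    stable = {f for f in fields
              if all(len({c[f] for c in caps}) == 1 for caps in by_device.values())}
    # A zeroed IDFA is stable but identical for everyone, so it carries no signal.
    return sorted(f for f in stable if len({c[f] for c in captures}) > 1)

def fingerprint(capture, fields):
    """Hash of the selected fields in canonical order."""
    canonical = json.dumps({f: capture[f] for f in fields}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def audit(captures):
    """Return (identifying fields, devices whose hash repeats across apps)."""
    fields = identifying_fields(captures)
    seen = {}
    for c in captures:
        seen.setdefault(fingerprint(c, fields), set()).add((c["device"], c["app"]))
    linked = sorted(next(iter(v))[0] for v in seen.values()
                    if len({d for d, _ in v}) == 1 and len({a for _, a in v}) > 1)
    return fields, linked

if __name__ == "__main__":
    print(audit(CAPTURES))
```

Fields the audit returns are the ones a payload would need to drop or coarsen for ATT denial to prevent cross-app linkage in this sample.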