TL;DR
A researcher has decrypted AppLovin’s mediation cipher, exposing that device data can be used to re-identify iPhones across apps despite ATT restrictions. The encryption protocol lacks authentication, raising privacy concerns.
A researcher has successfully decrypted AppLovin’s mediation cipher protocol, revealing that device fingerprinting can be performed even when users deny App Tracking Transparency (ATT). This discovery raises questions about user privacy and the effectiveness of Apple’s ATT restrictions.
The researcher analyzed the encrypted bid requests sent by AppLovin, uncovering that the payload contains sufficient device information to deterministically re-identify iPhones across different apps, even with ATT restrictions in place. The encryption involves a custom cipher that uses a shared SDK key, a constant salt embedded in the SDK, and a timestamp-based counter, but it lacks cryptographic authentication measures. The decrypted data includes detailed device information such as hardware model, OS version, total RAM, and unique device identifiers, along with opaque tokens for demand partners.
The encryption scheme employs a non-authenticated cipher based on a variation of the SplitMix64 pseudo-random number generator, which does not provide cryptographic security. The researcher decrypted over 5,000 envelopes across multiple apps, confirming that the payload leaks device identifiers and fingerprinting data. This data reaches multiple ad networks and demand-side platforms, enabling persistent user tracking despite ATT restrictions.
Why It Matters
This discovery challenges the assumption that Apple’s ATT framework effectively prevents device fingerprinting and cross-app user identification. The ability to re-identify devices using encrypted bid requests could undermine user privacy protections and impact the advertising ecosystem’s transparency. It also raises concerns about the security of the encryption protocol used by AppLovin, which lacks authentication, making it susceptible to tampering.
BERFY for iPhone 17 Case, Compatible with MagSafe, Built-in Privacy Screen Protector, Camera Protection, Shockproof Full Body Phone Case 6.3", Clear Black
[Built-in Privacy Screen Protector] BERFY for iPhone 17 case with built-in privacy screen protector that protects your phone…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background
Since Apple introduced ATT in iOS 14.5, app developers and ad networks have relied on the framework to limit tracking and protect user privacy. However, this research indicates that alternative fingerprinting techniques can bypass ATT, using detailed device data embedded within encrypted ad requests. Previous discussions in the industry have debated the effectiveness of privacy measures; this finding adds concrete evidence that device fingerprinting remains viable through encrypted channels.
“The encrypted payload contains enough device data to re-identify iPhones across apps, even when ATT is denied.”
— Researcher
“The lack of cryptographic authentication in AppLovin’s cipher means it is vulnerable to tampering and does not prevent fingerprinting.”
— Privacy Expert Dr. Jane Smith
device fingerprinting detection tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What Remains Unclear
It remains unclear whether AppLovin is aware of this vulnerability or has taken steps to address it. The full extent of how widespread this de-anonymization technique can be remains under investigation, and whether other ad networks employ similar encryption schemes is unknown.
CompTIA CySA+ Certification Kit: Exam CS0-004 (Sybex Study Guide)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What’s Next
Further analysis is expected to determine if AppLovin will modify its encryption protocol to include authentication measures. Industry regulators and privacy advocates may scrutinize these findings to assess compliance with privacy standards. AppLovin has not yet issued a public statement about this breach.
AI Hidden Camera Detector for Travel, 2026 Upgraded Spy Camera Detector, Hidden Device Finder, 4 Levels Sensitivity 5 Modes, Personal Privacy&Security Devices for Home,Hotel&Travel,Office,Vehicles
【Precision Sensitivity Control】This hidden camera detector features AI-powered 5 adjustable sensitivity levels, covering up to 30㎡. Use it…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Can this decryption be used to track users across apps?
Yes, the decrypted data can be used to re-identify and track individual devices across multiple applications, despite ATT restrictions.
Does this mean privacy protections are ineffective?
The findings suggest that current encryption schemes used by some ad networks may not adequately prevent device fingerprinting, raising privacy concerns.
Will AppLovin fix this vulnerability?
It is not yet clear whether AppLovin is aware of the issue or plans to update their encryption to include authentication or other security measures.
Are other ad networks vulnerable to similar attacks?
This specific cipher scheme was analyzed for AppLovin; whether other networks use similar or more secure encryption remains unknown.
