TL;DR
A researcher has decrypted AppLovin’s mediation cipher, revealing that device data can be used to re-identify iPhones across apps despite user denial of ATT. The attack exposes privacy vulnerabilities in ad mediation traffic.
A researcher has decrypted AppLovin’s encryption protocol for ad-mediation requests, revealing that device data can be used to re-identify iPhones across multiple apps, even when users deny App Tracking Transparency (ATT). This development challenges assumptions about user privacy protections in mobile advertising.
The researcher captured and decrypted over 5,000 AppLovin mediation envelopes, uncovering that the encrypted payload contains enough device information to deterministically re-identify an iPhone regardless of ATT status. The encryption is a custom cipher that uses a shared SDK key and a fixed salt, but it provides no integrity protection, so ciphertext can be tampered with.
Decrypted data include detailed device info—such as hardware model, OS version, RAM, locale, and system properties—along with opaque tokens from multiple ad networks. The encryption process relies on a predictable timestamp and a non-authenticated cipher, which allows the researcher to recover the plaintext reliably. The payload is gzip-compressed JSON, containing both device fingerprints and ad signals, which are sent to multiple ad networks every 30 seconds during app use.
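The integrity gap described above, shown as an added example that is not AppLovin's cipher or the researcher's code: a toy XOR stream cipher whose keystream comes from a non-cryptographic PRNG seeded by a shared key, fixed salt and timestamp, next to the same ciphertext protected by an HMAC tag. Every key, salt, timestamp and payload here is constructed, the gzip step is omitted, and the MAC key is assumed to be unknown to whoever modifies the traffic.

```python
import hashlib
import hmac
import random

# All values below are constructed for this illustration.
SDK_KEY = b"constructed-shared-sdk-key"  # same key ships in every install
FIXED_SALT = b"constructed-fixed-salt"
MAC_KEY = b"constructed-mac-key"         # assumed unknown to the party on the wire
TS = 1700000000                          # predictable timestamp
PLAIN = b'{"model":"iPhone15,2","locale":"en_US"}'
FORGED = b'{"model":"iPhone15,2","locale":"fr_FR"}'


def keystream(ts: int, n: int) -> bytes:
    """Toy keystream from a non-cryptographic PRNG seeded by key, salt and timestamp."""
    seed = hashlib.sha256(SDK_KEY + FIXED_SALT + str(ts).encode()).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_crypt(ts: int, data: bytes) -> bytes:
    """Encrypts or decrypts (XOR is its own inverse); carries no integrity check."""
    return xor(data, keystream(ts, len(data)))


def rewrite_without_key(ct: bytes, known: bytes, wanted: bytes) -> bytes:
    """Malleability: XORing in (known ^ wanted) swaps the plaintext, no key needed."""
    return xor(ct, xor(known, wanted))


def seal(ts: int, data: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the timestamp and the ciphertext."""
    ct = weak_crypt(ts, data)
    return ct + hmac.new(MAC_KEY, str(ts).encode() + b"|" + ct, hashlib.sha256).digest()


def open_sealed(ts: int, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(MAC_KEY, str(ts).encode() + b"|" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication tag mismatch")
    return weak_crypt(ts, ct)
```

The tag only makes modification detectable; confidentiality in this sketch is still no better than the toy keystream, which is why a standard AEAD construction with a properly generated key is the usual replacement for both parts.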
Why It Matters
This discovery demonstrates that device fingerprinting remains effective even when users deny tracking via ATT, undermining one of the primary privacy protections in iOS. It raises concerns about the extent of user data collection and re-identification in mobile advertising, potentially impacting privacy regulations and user trust.
Background
Prior to this, Apple’s ATT framework was believed to be the main barrier to persistent device tracking across apps. AppLovin, a major ad mediation platform, encrypts bid requests with a custom cipher, which was thought to obscure device data. This research shows that the cipher’s design is vulnerable, and the data within can be decrypted with sufficient effort. The encryption uses a predictable timestamp and a cipher based on a non-cryptographically secure PRNG, making it susceptible to decryption and analysis.
“The encrypted bid request carries enough device data to deterministically re-identify the same iPhone across apps from different publishers, even when user denies ATT.”
— Researcher
“The cipher used by AppLovin lacks cryptographic integrity, making it vulnerable to tampering and decryption, which can compromise user privacy.”
— Security expert
What Remains Unclear
It remains unclear how widespread the use of this encryption protocol is across all AppLovin SDK deployments, or whether AppLovin is aware of these vulnerabilities. The full scope of potential misuse or data exploitation is still under investigation, and it is not confirmed whether AppLovin has taken steps to patch or improve the cipher.

What’s Next
Further analysis is expected to determine if other ad networks use similar encryption schemes and whether the decrypted data can be used for large-scale device re-identification. Regulatory scrutiny and privacy audits may follow, and AppLovin might need to update its SDK security measures.

Key Questions
Can this decryption be used to track users across apps?
Yes, the decrypted device data can be used to re-identify the same iPhone across different apps, even without ATT consent.
Does this mean AppLovin’s encryption is insecure?
Based on the research, the encryption scheme is vulnerable because it lacks cryptographic integrity and relies on predictable elements like timestamps.
What are the privacy implications of this breach?
The breach shows that device fingerprinting can bypass user privacy controls, potentially enabling persistent tracking without user awareness.
Will AppLovin respond or fix this vulnerability?
This is currently unknown; further investigation is needed to determine if the company is aware and planning to address the issue.