Privacy review and violations
- Platform: iOS
- Region: Europe, under the territorial scope of GDPR
- Personalized ads consent: not given, not in the game, not in iOS settings
- Login: email + password
In the conditions above, my personal data is being shared with ad providers as soon as the game launches. It ranges from unique tracking IDs, to pure fingerprinting information and even my IP address. I will list ad providers and link to pastebins of unencrypted HTTPS traffic that includes URLs, request headers and payloads, response headers and payloads. In some cases, payloads are base64 encodings for which I have provided the decoded data. In other cases, an extra encryption layer prevents me from seeing what is being shared (I cannot imagine a scenario in which this encryption is necessary if not to hide privacy violations). These pastebins only serve to provide proof, I will not provide an exhaustive list of pinged URLs or the entire traffic. In most cases, I had to redact personal information and replace it with <removed> tags (including cookies, IP, ISP, country, city, zip code, geographical coordinates, mobile carrier, timezone, language, while various persistent or sessions IDs are only partially <removed> so that we can see how they are shared across the board). Other fingerprinting info is left intact as they are only useful to them.
- Facebook - On launch, without connecting to Facebook, the game shares some data with Facebook via 2 endpoints. Even though the IP is not shared as far as I can tell (there is a fairly large encoded payload in one of the headers which I cannot read), but sufficient data is given to allow identification. An immediate red flag is sharing my available disk space among other things, which, like battery status, is a well known piece of information used in fingerprinting with major success. After these 2 payloads are sent, Facebook replies with the result of my identification, which, among other data, includes my IP.
Here are the 2 requests and responses:
- Isprog.com is given screen width, height, model, country, version numbers, various IDs and the IP address
GET https://wins.isprog.com/lb (new lines are added after each URL parameter for readability)
- AdColony - everything about the screen, everything about the device, country, carrier country, platform, language, timezone, time, locale, version numbers, various IDs including one that is being shared with multiple providers, battery level + encrypted payloads. The result is that AdColony eventually responds with details about me such as: country, region/city, zip code, IP, ISP, etc.
One of these responses also includes a list of available endpoints, and one of them is meant for reporting in-app purchases. I have not made a purchase to see if purchase info is sent anywhere.
POST https://events3alt.adcolony.com/t/5.0/session_start - encrypted payload
POST https://iosads4-6.adcolony.com/configure - IP response at the end
POST https://wd.adcolony.com/logs - more of this sensitive info is sent to this /logs endpoint, I guess for logging?
- IronSrc - IronSource itself logs some info related to the device and platform, including a device ID hash and "application user ID" that's shared with some of the other ad providers.
GET https://logs.ironsrc.mobi/logs - decoded payload
- Supersonicads - now owned by IronSource, much of the communication is further encrypted and unreadable. Small parts of the payload are redacted in case anyone happens to decode/decompress/decrypt them, but do let me know if you have thoughts on this - it's possible some of them are actual ads, precached on the client. Various IDs, keys and country code are readable in the URL parameter list in some requests, but most info is shared in that last request below, which includes: tracking IDs, city, country, carrier, ISP, language, device info, screen info, free disk space, small encoded payload, etc.
GET https://outcome-cdn.supersonicads.com/rewarded-video/iab-notification/win/<id> - tracking info here
GET https://networksdk.ssacdn.com/mobileSDKController/mobileController.html - an HTML page being fetched which includes a script that does something, possibly gets executed when ads are run - I did not dig through it.
- Swrve - user ID, session token, unique device ID, device info, screen info, timezone, country, city, a so called "iOS token", some version numbers, and OS install date (how many in your town installed the exact same iOS on the exact same iPhone model at the exact same second?)
- Doubleclick / Google - everything about device and screen, version numbers, many different IDs with no indication of what they mean, and a couple of encoded payloads. Aside from that last thing, this looks really clean relatively speaking (no language, timezone, country, locale, carrier, etc.)
GET https://googleads.g.doubleclick.net/mads/gma - most data shared here
- AppsFlyer - an app id that is also shared with Supersonicads and Isprog, but the bulk of the information is encrypted. This endpoint is pinged just about every other action taken in the game.
I have decided to share this information because this looks unacceptable to me. I do not know what WRG's privacy review entailed the last time the disreputable IronSource was a hot topic, but my findings directly contradict what we have been told before, and we clearly haven't been told everything.
Also from WRG:
PS: If I forgot to redact some personal info, please let me know in a DM.
This discussion has been closed.