I broke AppLovin's mediation cipher protocol
Key takeaways
- I broke the cipher AppLovin wraps around its ad-mediation traffic and decrypted several thousand real requests captured on my consented mobile-traffic research panel.
- Every AppLovin mediation request is an HTTPS POST sent to ms4.applovin.com/1.0/mediate.
I broke the cipher AppLovin wraps around its ad-mediation traffic and decrypted several thousand real requests captured on my consented mobile-traffic research panel. The conclusion is straightforward: the encrypted bid request carries enough device data to deterministically re-identify the same iPhone across apps from different publishers, even when the user denies ATT. That payload reaches AppLovin plus around 12 downstream ad networks on every banner load, every ~30 seconds, for as long as the user is playing. The assumption that ATT is the only way to deterministically identify a user is wrong. Fingerprinting the device works just as well.
Every AppLovin mediation request is an HTTPS POST sent to ms4.applovin.com/1.0/mediate. Inside the TLS layer, the payload is wrapped in a second cipher AppLovin built. After base64 decoding, the wire envelope is:
2:8a2387b7dbed018e5e485792eac2b56833ce8a3a:T7NreIR729giTKR-thJPcKeT6JXevACogl57SIFzwKp-1BASwpBT6v:<binary>
Three colon-separated fields then ciphertext:
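Splitting that envelope when auditing captured traffic, as an added Python example that is not code from the original post: the names field1 to field3, the tolerance for either base64 alphabet, and the constructed ciphertext bytes are assumptions, while the header is the sample shown above.

```python
import base64
import binascii
from typing import NamedTuple

class Envelope(NamedTuple):
    field1: bytes      # "2" in the page's sample
    field2: bytes      # 40 hex characters in the page's sample
    field3: bytes      # URL-safe-looking token in the page's sample
    ciphertext: bytes  # opaque binary remainder, left undecrypted here

def decode_body(body: str) -> bytes:
    """Base64-decode a captured body (assumption: either alphabet, optional padding)."""
    s = body.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {exc}") from exc

def parse_envelope(raw: bytes) -> Envelope:
    """Split on the first three colons only: the ciphertext may contain 0x3a bytes."""
    parts = raw.split(b":", 3)
    if len(parts) != 4:
        raise ValueError("expected three colon-separated fields before the ciphertext")
    f1, f2, f3, ct = parts
    if not (f1 and f2 and f3):
        raise ValueError("empty header field")
    if not ct:
        raise ValueError("no ciphertext after the header")
    return Envelope(f1, f2, f3, ct)

def looks_like_sample(env: Envelope) -> bool:
    """Shape check against the single sample on the page: digits, then 40 lowercase hex."""
    hexdigits = b"0123456789abcdef"
    return (env.field1.isdigit() and len(env.field2) == 40
            and all(c in hexdigits for c in env.field2))

# Header copied from the sample above; the ciphertext bytes are constructed and
# deliberately include two 0x3a (colon) bytes to exercise the split limit.
HEADER = (b"2:8a2387b7dbed018e5e485792eac2b56833ce8a3a:"
          b"T7NreIR729giTKR-thJPcKeT6JXevACogl57SIFzwKp-1BASwpBT6v:")
CONSTRUCTED_CT = bytes([0x00, 0x3A, 0xFF, 0x3A, 0x10])
SAMPLE_BODY = base64.b64encode(HEADER + CONSTRUCTED_CT).decode()

if __name__ == "__main__":
    env = parse_envelope(decode_body(SAMPLE_BODY))
    print(env.field1, env.field2, env.field3, len(env.ciphertext), looks_like_sample(env))
```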