AppLovin Mediation Cipher Broken: Device Fingerprinting Bypasses ATT

A deep dive into AppLovin's ad-mediation protocol has exposed a custom cipher that fails to protect user privacy. The researcher decrypted over 5,000 real bid requests captured from consenting users and found that the encrypted payload transmits enough device data to uniquely identify an iPhone across apps from different publishers — even when the user has denied App Tracking Transparency (ATT) permission.
How the Cipher Works
Each mediation request is an HTTPS POST to ms4.applovin.com/1.0/mediate. Inside the TLS layer, a second cipher wraps the payload. After base64 decoding, the wire format is three colon-separated fields + ciphertext:
2:8a2387b7dbed018e5e485792eac2b56833ce8a3a:T7NreIR729giTKR-thJPcKeT6JXevACogl57SIFzwKp-1BASwpBT6v:<binary>
Fields:
- Version tag (
2) - 40-character protocol ID —
sha1(salt).hex() - 54-character suffix of the publisher's AppLovin SDK key (stored in plaintext in
Info.plistorAndroidManifest.xml)
The cipher takes two ingredients: a 32-byte constant salt baked into every SDK binary (21 meaningful bytes + 11 zero bytes, identical across multiple apps and platforms) and the per-publisher SDK key. The derived key is SHA-256(salt || sdk_key[:32]). The keystream is generated using SplitMix64, a non-cryptographic PRNG. The counter is System.currentTimeMillis() XOR'd with the first 8 bytes of the derived key — leaking wall-clock time on the wire before decryption. No MAC or authentication is applied, meaning an attacker can tamper with ciphertext.
What Gets Shipped
The decrypted plaintext is gzip-compressed JSON with ~30 top-level keys. The critical ones:
device_info— AppLovin's own fingerprint payload with ~50 fieldssignal_data[]— opaque tokens from each demand-partner SDK
An example from a request where ATT was denied (IDFA zeroed):
Field Value What it is
revision iPhone14,3 Hardware model (iPhone 13 Pro Max)
os 18.6.2 OS version
tm 5918212096 Total RAM (5.51 GB)
ndx / ndy 1284 × 2778 Native screen pixels
kb en-US,es-ES Installed keyboards
font UICTContentSizeCategoryXXXL Accessibility text size
tz_offset -4 Timezone
volume 40 System audio volume
mute_switch 1 Physical mute switch
bt_ms_2 1770745989000 Device boot time (ms epoch)
dnt / idfa true / 00000… ATT denied
idfv 81E958C3-…-51DE7CE11819 Vendor ID (stable across apps)
Additional fields include safe-area insets, free memory, carrier code, country code, locale, orientation, status bar height, monotonic clock, battery flags, and secure-connection state. This is effectively every system property accessible to third-party code.
Downstream Exposure
A typical publisher includes ~18 demand SDKs (Meta, Google, Mintegral, Vungle, ironSource, Unity, InMobi, BidMachine, Fyber, Moloco, TikTok, Pangle, Chartboost, Verve, MobileFuse, Bigo, Yandex, plus AppLovin's own). On every banner load (~30 seconds), the AppLovin SDK passes the decrypted device payload to each of these downstream networks, enabling cross-app user tracking without ATT consent.
Implications
The assumption that ATT alone prevents deterministic identification is false. Device fingerprinting via the leaked fields works just as well. The lack of authentication in the cipher layer also raises integrity concerns.
📖 Read the full source: HN AI Agents
👀 See Also

From Farm to Code: How a Farmer Created an Open-Source Runtime Defense for OpenClaw
Discover how a farmer, with no prior development experience, created an open-source runtime defense for OpenClaw using multiple AI coding agents in just 12 hours.

SupraWall MCP Plugin Blocks Prompt Injection Attacks on Local AI Agents
SupraWall is an MCP plugin that intercepts and blocks sensitive data exfiltration attempts from AI agents, demonstrated in a red-team challenge where it prevented credential leaks via prompt injection attacks.

Analysis of Claude Code's Instrumentation and Telemetry Capabilities
A source code analysis reveals Claude Code implements extensive behavior tracking including keyword-based sentiment classification, permission prompt hesitation monitoring, and detailed environment fingerprinting.

Malicious Google Ad Targets Claude Code Installation
A malicious Google ad appears as the top result for 'install claude code' searches, attempting to trick users into running suspicious terminal commands. The ad was still active as of March 15, 2026, and the author narrowly avoided executing the code.