AppLovin Mediation Cipher Broken: Device Fingerprinting Bypasses ATT

OpenClawRadar | Published: May 16, 2026

A deep dive into AppLovin's ad-mediation protocol has exposed a custom cipher that fails to protect user privacy. The researcher decrypted over 5,000 real bid requests captured from consenting users and found that the encrypted payload transmits enough device data to uniquely identify an iPhone across apps from different publishers — even when the user has denied App Tracking Transparency (ATT) permission.

How the Cipher Works

Each mediation request is an HTTPS POST to ms4.applovin.com/1.0/mediate. Inside the TLS layer, a second cipher wraps the payload. After base64 decoding, the wire format is three colon-separated fields + ciphertext:

2:8a2387b7dbed018e5e485792eac2b56833ce8a3a:T7NreIR729giTKR-thJPcKeT6JXevACogl57SIFzwKp-1BASwpBT6v:<binary>

Fields:

  • Version tag (2)
  • 40-character protocol ID — sha1(salt).hex()
  • 54-character suffix of the publisher's AppLovin SDK key (stored in plaintext in Info.plist or AndroidManifest.xml)

The cipher takes two ingredients: a 32-byte constant salt baked into every SDK binary (21 meaningful bytes + 11 zero bytes, identical across multiple apps and platforms) and the per-publisher SDK key. The derived key is SHA-256(salt || sdk_key[:32]). The keystream is generated using SplitMix64, a non-cryptographic PRNG. The counter is System.currentTimeMillis() XOR'd with the first 8 bytes of the derived key — leaking wall-clock time on the wire before decryption. No MAC or authentication is applied, meaning an attacker can tamper with ciphertext.
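The missing-MAC point above, as an added example (not AppLovin's code and not the researcher's): a SplitMix64 XOR stream accepts a modified ciphertext silently, while encrypt-then-MAC with HMAC-SHA256 rejects it. The salt, SDK key, seeding rule, uncompressed JSON body and MAC key derivation are constructed assumptions for illustration.

```python
import hashlib, hmac, struct

MASK64 = (1 << 64) - 1

def splitmix64_keystream(seed: int, n: int) -> bytes:
    """n keystream bytes from SplitMix64, a public non-cryptographic PRNG."""
    out, state = bytearray(), seed & MASK64
    while len(out) < n:
        state = (state + 0x9E3779B97F4A7C15) & MASK64
        z = ((state ^ (state >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
        z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
        out += struct.pack("<Q", z ^ (z >> 31))
    return bytes(out[:n])

def xor_stream(key: bytes, counter: int, data: bytes) -> bytes:
    # Assumed seeding: counter XOR first 8 key bytes. Encrypt and decrypt are the same.
    seed = counter ^ int.from_bytes(key[:8], "big")
    return bytes(a ^ b for a, b in zip(data, splitmix64_keystream(seed, len(data))))

def flip(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR the difference old^new into the ciphertext; no key is needed."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    patched = bytearray(ct)
    for i, d in enumerate(delta):
        patched[offset + i] ^= d
    return bytes(patched)

def seal(enc_key: bytes, mac_key: bytes, counter: int, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the counter and the ciphertext."""
    ct = xor_stream(enc_key, counter, plaintext)
    tag = hmac.new(mac_key, struct.pack(">Q", counter) + ct, hashlib.sha256).digest()
    return ct, tag

def open_sealed(enc_key: bytes, mac_key: bytes, counter: int, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(mac_key, struct.pack(">Q", counter) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return xor_stream(enc_key, counter, ct)

# Constructed sample values (not a real salt, SDK key, or captured traffic).
SALT = b"constructed-salt-21by" + bytes(11)            # 21 bytes + 11 zero bytes
SDK_KEY = "PLACEHOLDER-SDK-KEY-" * 4                    # placeholder publisher key
ENC_KEY = hashlib.sha256(SALT + SDK_KEY[:32].encode()).digest()
MAC_KEY = hashlib.sha256(b"mac" + ENC_KEY).digest()    # hypothetical separate MAC key
COUNTER = 1770745989000
PLAINTEXT = b'{"volume":40,"mute_switch":1}'
```

HMAC restores integrity only; the SplitMix64 keystream stays predictable, so a standard AEAD such as AES-GCM or ChaCha20-Poly1305 is the replacement for both layers.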

What Gets Shipped

The decrypted plaintext is gzip-compressed JSON with ~30 top-level keys. The critical ones:

  • device_info — AppLovin's own fingerprint payload with ~50 fields
  • signal_data[] — opaque tokens from each demand-partner SDK

An example from a request where ATT was denied (IDFA zeroed):

Field         Value                        What it is
revision      iPhone14,3                   Hardware model (iPhone 13 Pro Max)
os            18.6.2                       OS version
tm            5918212096                   Total RAM (5.51 GB)
ndx / ndy     1284 × 2778                  Native screen pixels
kb            en-US,es-ES                  Installed keyboards
font          UICTContentSizeCategoryXXXL  Accessibility text size
tz_offset     -4                           Timezone
volume        40                           System audio volume
mute_switch   1                            Physical mute switch
bt_ms_2       1770745989000                Device boot time (ms epoch)
dnt / idfa    true / 00000…                ATT denied
idfv          81E958C3-…-51DE7CE11819      Vendor ID (stable across apps)

Additional fields include safe-area insets, free memory, carrier code, country code, locale, orientation, status bar height, monotonic clock, battery flags, and secure-connection state. This is effectively every system property accessible to third-party code.

Downstream Exposure

A typical publisher includes ~18 demand SDKs (Meta, Google, Mintegral, Vungle, ironSource, Unity, InMobi, BidMachine, Fyber, Moloco, TikTok, Pangle, Chartboost, Verve, MobileFuse, Bigo, Yandex, plus AppLovin's own). On every banner load (~30 seconds), the AppLovin SDK passes the decrypted device payload to each of these downstream networks, enabling cross-app user tracking without ATT consent.

Implications

The assumption that ATT alone prevents deterministic identification is false. Device fingerprinting via the leaked fields works just as well. The lack of authentication in the cipher layer also raises integrity concerns.

Source: HN AI Agents
