HeadlinesBriefing.com

AppLovin’s Encryption Flaw Lets Attackers Fingerprint iPhones Across Apps

Hacker News

AppLovin’s mediation traffic hides behind a custom double-layer cipher, yet a researcher broke the scheme and decrypted more than 5,000 requests from five apps. The payload carried a full iPhone fingerprint (model, OS, RAM, screen size, battery state), even when users declined Apple’s ATT. The result shows that a device can be re-identified without the IDFA.

Inside the TLS tunnel, AppLovin wraps the POST payload in a second cipher that uses a 32-byte constant salt and the app-specific SDK key. The derived key feeds a SplitMix64-based keystream, and the counter is the system clock in milliseconds. No MAC or AEAD protects the ciphertext, so an attacker who can modify it can alter the data undetected.
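The missing integrity check described above, as an added example that is not code from the researcher or from AppLovin: a toy stream cipher with a SplitMix64 keystream shows a known plaintext byte being rewritten without any key, then an encrypt-then-MAC wrapper rejecting the same change. The seed derivation, keys, payload and timestamp are constructed assumptions; the page does not give the real derivation.

```python
import hashlib, hmac, struct

MASK = (1 << 64) - 1
SALT = bytes(32)                  # constructed stand-in for the 32-byte constant salt
SDK_KEY = b"constructed-sdk-key"  # constructed placeholder, not a real SDK key
MAC_KEY = b"constructed-mac-key"  # assumed: a separate secret for the hardened form

def splitmix64(state):  # one SplitMix64 step -> (new_state, 64-bit output)
    state = (state + 0x9E3779B97F4A7C15) & MASK
    z = ((state ^ (state >> 30)) * 0xBF58476D1CE4E5B9) & MASK
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK
    return state, z ^ (z >> 31)

def xor_crypt(data, clock_ms):
    """Encrypt or decrypt (same operation). The seed derivation is an assumption."""
    digest = hashlib.sha256(SALT + SDK_KEY).digest()
    seed = int.from_bytes(digest[:8], "little") ^ (clock_ms & MASK)
    ks = bytearray()
    while len(ks) < len(data):
        seed, word = splitmix64(seed)
        ks += struct.pack("<Q", word)
    return bytes(a ^ b for a, b in zip(data, ks))

def flip(ct, offset, old, new):
    """Malleability: rewrite known plaintext bytes without any key."""
    patched = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)

def seal(plaintext, clock_ms):
    """Hardened form: encrypt-then-MAC over the counter and the ciphertext."""
    ct = xor_crypt(plaintext, clock_ms)
    tag = hmac.new(MAC_KEY, struct.pack("<Q", clock_ms) + ct, hashlib.sha256).digest()
    return ct, tag

def open_sealed(ct, tag, clock_ms):
    expect = hmac.new(MAC_KEY, struct.pack("<Q", clock_ms) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return xor_crypt(ct, clock_ms)

MSG = b'{"model":"iPhone14,2","ram":6}'   # constructed sample payload
CLOCK = 1700000000000                      # constructed timestamp (ms)

if __name__ == "__main__":
    ct, tag = seal(MSG, CLOCK)
    forged = flip(ct, MSG.index(b"6}"), b"6", b"4")
    print(xor_crypt(forged, CLOCK))        # altered payload decrypts cleanly
```

The MAC only helps if its key is not recoverable from the app; an AEAD mode with a properly provisioned key gives the same guarantee in one primitive.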

Every banner load triggers a single external call that carries the encrypted bundle to AppLovin’s server, which then forwards opaque tokens to roughly twelve demand-partner networks. Even when IDFA is zeroed, the device_info field exposes 30+ system properties, and tokens from InMobi, BidMachine, and others leak disk space, battery level, and a cross-app identifier.

AppLovin assigns a persistent api_did on first SDK init, caching the server‑issued device_id and sending it back on every request. The combination of a leaked fingerprint, a cross‑app ID, and the absence of integrity checks means advertisers can track users across apps without consent. The exposure underscores the need for stronger cryptographic safeguards in ad mediation.