May 15, 2026

Your phone’s secret identity crisis

I broke AppLovin's mediation cipher protocol

Even with Apple tracking turned off, commenters say your phone may still be easy to spot

TLDR: A researcher says he decoded AppLovin ad requests and found enough hidden device details to recognize the same iPhone across apps, even after a user refuses tracking. Commenters were especially rattled that things like boot time may help make phones uniquely identifiable, turning Apple’s privacy promise into a heated debate.

This story landed like a privacy horror movie in the comments: a researcher says he cracked the extra lock AppLovin puts around its ad traffic and found that iPhones can still be recognized across different apps even when users say no to tracking. In plain English, every ad refresh may be sending a rich bundle of device details out to AppLovin and a crowd of partner ad companies. That’s the part making readers do the internet equivalent of clutching their pearls.

The biggest reaction? "So ATT doesn’t really save you?" That was the mood hanging over the thread. Apple’s App Tracking Transparency, the pop-up that asks apps not to track you, is supposed to give users control. But commenters zeroed in on the claim that a device can still be singled out using a pile of tiny clues instead. The standout gasp came from notfried, who was stunned that Apple appears to expose device boot time at all, calling out how rarely people reboot iPhones and how that could make a phone easier to recognize. Translation: one weird little detail may be far more identifying than most people realize.

The drama here isn’t just "company uses data" — the community mood is "the whole privacy promise may be shakier than advertised." There’s a darkly funny undertone too: the classic tech-comment-section joke that your phone knows you better than your friends do. Under the snark, though, the vibe is real alarm: readers see this as another reminder that turning off tracking may not mean you’ve actually disappeared.

Key Points

  • The article claims AppLovin’s custom mediation cipher can be reversed, enabling decryption of thousands of real ad-mediation requests captured from consented devices.
  • The decrypted bid requests are said to contain enough device data to deterministically re-identify the same iPhone across different publisher apps even when ATT is denied.
  • The article describes the cipher as using a universal baked-in salt, a publisher SDK key stored in app files, SHA-256 key derivation, and a SplitMix64-based keystream.
  • The author states the protocol lacks MAC/AEAD authentication and leaks the device wall-clock encryption time through its counter design.
  • The decrypted payload is described as gzip-compressed JSON containing fields such as `device_info` and `signal_data[]`, with roughly 50 device fingerprint-related fields and partner-network tokens.
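To make the two protocol weaknesses in the list above concrete, here is an added toy example (not AppLovin's code and not taken from the original article). It assumes a made-up wire layout, an 8-byte cleartext millisecond counter followed by a body XORed with a SplitMix64 keystream seeded from SHA-256(salt || key), and shows that the counter is readable without the key and that tampering is only detected once an HMAC tag is added. Every function name, the layout and the sample values are assumptions.

```python
import hashlib, hmac, struct

MASK = (1 << 64) - 1

def splitmix64(state):
    """One SplitMix64 step; returns (new_state, 64-bit output)."""
    state = (state + 0x9E3779B97F4A7C15) & MASK
    z = ((state ^ (state >> 30)) * 0xBF58476D1CE4E5B9) & MASK
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK
    return state, z ^ (z >> 31)

def _xor_stream(seed, data):
    out = bytearray()
    for i in range(0, len(data), 8):
        seed, word = splitmix64(seed)
        chunk = data[i:i + 8]
        out += bytes(a ^ b for a, b in zip(chunk, word.to_bytes(8, "little")))
    return bytes(out)

def _seed(salt, sdk_key, counter_ms):
    # Assumed derivation: SHA-256(salt || key), first 8 bytes mixed with the counter.
    digest = hashlib.sha256(salt + sdk_key).digest()
    return int.from_bytes(digest[:8], "little") ^ counter_ms

def toy_encrypt(salt, sdk_key, counter_ms, plaintext):
    # Assumed wire layout: 8-byte cleartext counter, then the XORed body. No tag.
    return struct.pack("<Q", counter_ms) + _xor_stream(_seed(salt, sdk_key, counter_ms), plaintext)

def toy_decrypt(salt, sdk_key, blob):
    counter_ms = struct.unpack("<Q", blob[:8])[0]
    return _xor_stream(_seed(salt, sdk_key, counter_ms), blob[8:])  # nothing checks integrity

def leaked_time_ms(blob):  # readable by any on-path observer, no key needed
    return struct.unpack("<Q", blob[:8])[0]

def seal(mac_key, blob):
    """Encrypt-then-MAC wrapper: append HMAC-SHA256 over header and body."""
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def open_sealed(mac_key, sealed):
    blob, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, blob, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return blob

if __name__ == "__main__":
    SALT, KEY = b"constructed-salt", b"constructed-sdk-key"  # constructed sample values
    blob = toy_encrypt(SALT, KEY, 1_700_000_000_000, b'{"device_info":{}}')
    print(leaked_time_ms(blob), toy_decrypt(SALT, KEY, blob))
```

SplitMix64 is not a cryptographic generator, so the HMAC wrapper here only illustrates the missing integrity check; a real fix would be a standard AEAD with a key that is not shipped in app files.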

Hottest takes

"I was surprised to see Apple exposing the device boot time" — notfried
"in a world in which iPhones are infrequently rebooted" — notfried
"must indeed be very deterministic" — notfried