Unpacking Hidden Data Collection in Mobile Apps | February 08 2025, 16:20

I recently stumbled upon an intriguing study on the Timsh org website, where the author dissected how applications collect and transmit your data. The experiment used an old iPhone and traffic interception. The app installed for the experiment was a random one: Stack by KetchApp. The author intercepted the traffic and observed what the application transmitted to the outside world. A lot of data was transmitted, even after answering “no” to the question “Allow tracking?”.

Specifically, the transmitted data included the IP address (which allows your location to be determined via reverse DNS), approximate geolocation (even with geolocation services disabled), device model, battery charge level, screen brightness level, amount of free memory, and other parameters.

The data does not go to the company that created the application, but rather to various third parties. That is, these third parties collect data from most of the applications on your phone, and the data flows occur every time the application operates.

The author writes about two major groups of players – SSP and DSP.

SSP (Supply-Side Platforms) include those that collect data from the application—Unity Ads, IronSource, Adjust. There are also DSPs (Demand-Side Platforms), which manage advertising auctions, such as Moloco Ads, Criteo.

Advertisers gain access to the data through DSPs. Data brokers, for example Redmob and AGR Marketing Solutions, aggregate and sell data. The latter sells databases that include PII, such as name, address, phone number, and even advertising identifiers (IDFA/MAID).

What data is sent? For instance, the Stack app from KetchApp sent Unity Ads the geolocation (latitude, longitude), the IP address (including server IPs, for example, Amazon AWS), and unique device identifiers: IDFV (identifier for a specific developer) and IDFA (advertising identifier). It also sent additional parameters such as the phone model, battery level, memory status, screen brightness, headphone connection, and even the exact system load time.

At DSPs, an RTB (real-time bidding) system exists for selling information. Data is transferred from the app via an SSP (such as Unity Ads), and then to a DSP (such as Moloco Ads), where auctions are held in real time to display relevant advertising. At each stage, data is transmitted to dozens, if not hundreds, of companies.

Yes, answering “I do not want to share data” only deactivates the sending of the IDFA (advertising identifier). Other data, such as the IP address, User-Agent, geolocation, phone model and free memory, is still transmitted. Combined, these values currently serve as a fingerprint, just like the advertising identifier. If desired, applications can still identify you by many parameters: IP address, device model, OS version, fonts, screen resolution, battery level, time zone, and other data, as they receive this information from hundreds of other places. That said, the “end applications” themselves do not need this, and it is not free; those who show you ads do need it, and they have this information. And, of course, various special services can easily access it if necessary.

If you use several apps from one developer, the IDFV identifier allows linking data from all the apps.
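To see how much of a fingerprint survives a “no” to tracking, you can audit your own intercepted traffic. The sketch below is an added example, not code from the study: the host names, JSON field names, sample requests and the three-field threshold are all constructed assumptions, and real SDK payloads use their own keys.

```python
import json
from collections import defaultdict

ZERO_IDFA = "00000000-0000-0000-0000-000000000000"  # iOS returns this when tracking is denied
# Hypothetical field names, grouped by what they reveal.
FIELDS = {
    "identifier": {"idfa", "idfv"},
    "location": {"ip", "lat", "lon"},
    "device_state": {"model", "battery", "brightness", "free_mem", "headphones"},
}
# Constructed sample of intercepted requests: (destination host, JSON body).
CAPTURE = [
    ("ads.ssp.example", '{"idfa": "' + ZERO_IDFA + '", "idfv": "A1B2C3D4-0000-4000-8000-1234567890AB",'
     ' "ip": "203.0.113.7", "geo": {"lat": 52.52, "lon": 13.40},'
     ' "device": {"model": "iPhone11,2", "battery": 0.61, "brightness": 0.4}}'),
    ("bid.dsp.example", '{"ip": "203.0.113.7", "device": {"model": "iPhone11,2", "free_mem": 412}}'),
    ("api.game.example", '{"score": 42, "ip": "203.0.113.7"}'),
    ("cdn.assets.example", '{"asset": "tex_01"}'),
]

def leaves(obj):
    """Yield (lowercased key, value) for every leaf in nested JSON."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                yield from leaves(value)
            else:
                yield key.lower(), value
    elif isinstance(obj, list):
        for item in obj:
            yield from leaves(item)

def audit(capture, first_party=("api.game.example",)):
    """Map each third-party host to the sensitive fields it received."""
    report = defaultdict(lambda: defaultdict(set))
    for host, body in capture:
        if host in first_party:
            continue
        for key, value in leaves(json.loads(body)):
            if key == "idfa" and value == ZERO_IDFA:
                continue  # zeroed IDFA identifies nobody; the other fields still do
            for category, names in FIELDS.items():
                if key in names:
                    report[host][category].add(key)
    return {h: {c: sorted(k) for c, k in cats.items()} for h, cats in report.items()}

def fingerprintable(report, min_fields=3):
    """Hosts that received at least min_fields sensitive fields (threshold is an assumption)."""
    return sorted(h for h, cats in report.items() if sum(map(len, cats.values())) >= min_fields)

if __name__ == "__main__":
    result = audit(CAPTURE)
    print(json.dumps(result, indent=2), fingerprintable(result))
```

In the constructed capture the IDFA is zeroed, yet both third-party hosts still receive the IDFV or the IP address and device state, which is the situation described above.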

Perhaps it’s not a secret at all, but almost every app sends data to Facebook (Meta) without asking for the user’s consent. That is, if you have Facebook on your phone, then bingo: any data from any other apps begins to be tagged with your profile, even if you have forbidden sharing information in those apps.

Companies exchange user data with each other. For instance, Facebook exchanges information with Amazon, Google, and TikTok, and mobile SDKs (such as Appsflyer, Adjust) cross-link users between different services, because such exchanges immediately enhance the value and quality of the information for all participants.

Meanwhile, it turned out that Unity, which is known for its 3D game engine, primarily earns from selling this collected data. Specifically, in 2023 its revenue from this line of business (“Mobile Game Ad Network”) amounted to $2 billion. In 2022, Unity absorbed IronSource, another giant of mobile advertising. IronSource analyzes user behavior and optimizes monetization, and also sells data to advertisers. Now Unity, through LevelPlay, can manage not just ad placement but also data aggregation, selling the data to other companies.

A significant portion of mobile games are created on Unity, especially free-to-play games. This allows Unity to have access to data from millions of devices globally, even without explicit user consent. Developers often do not realize how deeply Unity tracks data in their games.

Conclusion: disabling ads or prohibiting tracking at the OS level is just a minor obstacle. Data about you is still being collected, analyzed, and transmitted to hundreds of companies.
