Analysis of iOS Games tracking traffic

A little while ago, I spent a weekend analyzing a wide cross-section of applications from the iOS app store across all categories. You can read that right here. One specific topic that I had comments and questions about specifically was the games. The iPad, as an example, is not a bad gaming platform. And I know a lot of people who play free iPad games, and let their kids play them. So I figured I’d do a bit of a bigger dive into that specific category of applications and see what sort of information they track about you and your device.

I downloaded the top 25 applications on the games section of the iOS application store as of July 20th, 19:00 GMT. The list goes as following, with the number of outbound connections to different sites the application makes:

  • Fish with Attitude            14
  • CSR Racing                          8
  • Water? Free                        7
  • Battle Bears Royale         6
  • Ice Age Village                  5
  • Mutant Roadkill                5
  • Angry Birds Space Free 4
  • Fix-It Felix                          4
  • Shark Dash                           4
  • The Sandbox                       4
  • Flick Kick Football           3
  • Magic Puzzles                     3
  • SongPop Free                     3
  • Flow                                       3
  • Arms Cartel                        2
  • Betrayal HD                        2
  • My School Dance             2
  • Pyramid Run                     2
  • Super Pretzle Factory   2
  • Temple Run                       2
  • Bakery Store                     1
  • Bubble Mania                   1
  • Guess!                                  1
  • Subway Surf                     1
  • Major Mayhem               0

Here are some quick stats:

  • 25 applications
  • 48 different urls were used to track different information about the device
  • The application to communicate with the most servers was Fish with Attitude, talking to 14 different sites
  • The application to communicate with the least servers was Major Mayhem, being the only to not send any tracking information about the device
  • 11 of the servers were contacted over HTTPS (23%)
  • 37 of the servers were contacted over HTTP (77%)

Tracking sites top 10
Here is the top 10 of the different URLs that were observed to track information about the device:

-                         15
-              9
-                           4
-                     4
-                               3
-                  3
-       2
-                     2
-   2
-  2

As we can see, there are a lot of similarities between this data and that of the Overview of iOS tracking traffic analysis. Flurry, Chartboost, and Tapjoy are again back, being extremely popular. Please see the previous article for analysis of the requests made by these.

Analysis of the other sites
Between the top 10 sites as listed above, here is what is being tracked by them.

  • Specific events in the game
  • OS version
  • Device version
  • Mac Address
  • Local IP Address
  • Mobile carrier
  • Unique identifiers
  • Radio type (WiFi or 3G)
  • Timezone
  • OS locale
  • Application identifier
  • Application version
  • Screen resolution and orientation
  • Time stamp

The big pictures is owned by the company “Burstly”. It is used for developers to sell applications to be shown in their applications. It communicates over plain HTTP, and will track a lot of different values about your device.

There are two hashed/encrypted fields, seemingly being related to the mac address of the device. Also it seems to be carrying across, or at least have keys allocated for, the IP address and carrier of the device. Neither were sent across for my device, possibly because it’s a WiFi iPad. But I found that very interesting. Beyond that:

  • Platform
  • Carrier
  • Device type
  • OS Version
  • OS Locale
  • Screen resolution
  • Application build
  • Device Family
  • Unique Identifier
  • Application identifier
  • Location country
  • Radio type (WiFi/3G)
  • encMAC(Encrypted mac?)
  • IP Address
  • mac(Hashed mac address?)
Apsalar is a “mobile app analytics” platform, specifically focused as measuring “engagement”. It communicates over HTTP as well, and is very chatty. For instance, Battle Bears Royal made 13 requests over a period of 9 seconds. It specifically will also call back on specific events, such as game opened and other developer-specified events.

There appears to be a lot of encoded data sent across by this particular system. So we can’t see that much from this, but we can tell a few times:

  • Application identifier
  • Locale date
  • Radio type (WiFi in this case)
  • Platform
  • And then a lot of seemingly hashed data I can’t make very much out of.
Playhaven is a marketing platform for mobile games. It communicates over HTTP, and passes over the device UDID and a mac address.

We see that this sends across a nonce, which is quite interesting. These are generally used to prevent Cross-Site Request Forgery. It also transmits:

  • Mac Address
  • Device version
  • Unique identifier
  • A nonce
  • OS version
  • Application identifier
  • Connection (Radio type?)
  • A token
  • A signature
  • Application version
Gameloft is a game developer which develops, publishes and distributes games for smartphones. Their games all talk to a couple of different domains. All of them are HTTP, but one application communicated with the livewebapp subdomain over both HTTP and HTTPS.

What is interesting in this case is that the first request, which says that the application is loading, has all data in plain text. The second request is sending across an “id”. But this ID is in fact simply a base64 encoded string of the very same data as that above. But we can tell it sends:

  • Application identifier
  • Country
  • Language
  • Application version
  • Device version
  • OS version
  • Mac Address (Unique identifier)
  • A timestamp
Openfeint is probably the biggest social networking component used by major games. It adds features such as leaderboards, friends lists, and such thing. It communicates over HTTPS, as you’d expect from any sort of application that communicates large amount of data about your device.

## ##
Doubleclick is your standard Google advertising platform. No sort of magic here. But for whatever reason, Google has opted to use HTTP here over HTTPS, which is very interesting.

It has a bit of seemingly hashed/encrypted content. And then a bunch of the normal content:

  • Language
  • Screen resolution
  • Device model
  • Application identifier
This one is a bit tricky. I was unable to easily locate a privacy policy for this service specifically. The domain it uses redirects directly to the Tap Tap Revenge Facebook page, which was the first game made by Tapulous. The company was acquired by Disney Interactive Studios in 2010, which explains why it is being used by a Disney application. But it communicates over HTTP, and is extremely verbose due to the use of POST forms rather than query-string parameters.

This tracks these values at specific events, much like Apsalar.

  • Method called
  • A signature
  • OS version
  • A token
  • Time stamp
  • Device version
  • API Key, but that seems to be a dummy one
  • Time Zone
  • Application version

Leave a Reply