Chinese ad network found in 1,200 iOS apps has major privacy concerns

Written 28 days ago by IanDorfman

As Apple becomes ever more privacy-focused, it is important to remember that third-party apps and services do not need to follow. Mintegral, an advertising network based in China, is under scrutiny based on a claim that it has been tracking users and committing advertisement fraud since July of 2019.

Danny Grander, the Co-Founder & Chief Security Officer of the Snyk digital security company, discussed his findings with John Koetsier on his TechFirst podcast. In it, he described the following apps as being included in the over 1,200 that utilize Mintegral for advertising:

Asphalt
Helix Jump
PicsArt
Talking Tom
Subway Surfers

According to Grander, these apps that utilize Mintegral's services average 300 million downloads monthly. In order to facilitate the ad fraud that Grander accuses Mintegral of, the ad network "hijacks" legitimate ads from other networks and attributes any potential click by the user to itself instead. This type of fraud is committed by the network over 20% of the time, and is the first of its kind seen on iOS apps.

Additionally, Mintegral can use the injected ads to track all of a user's HTTP traffic and HTTPS-based requests and responses, as well as leak out the URL and headers of those pages. This can be used for tracking what a user clicks on and where that user ended up going.

Snyk has relayed information about Mintegral to Apple, which has not yet issued a public statement concerning the ad network's activities. Mintegral has released a statement rejecting the claims that includes the following:

"Today, we learned that allegations have been made suspecting that our SDK and advertising practices commit fraud and invade privacy. We would like to assure our clients and partners that these allegations are not true. We are taking this matter very seriously and are conducting a thorough analysis of these allegations and where they are coming from. We have and will continue to uphold the highest standards of data privacy for users and our customers."

"...in conjunction with Apple's upcoming iOS14 updates, we had already planned to deprecate this functionality in the SDK anyway."

Further coverage:
John Koetsier's blog
Forbes