<b>IpAddress":"fXXX...XXX9%eth0"</b>,...</span></p>
<p>According to <a href="http://whois.domaintools.com/appads.com">whois
records</a>, the registrant organization of neptune.appads.com is
Burstly, Inc. Therefore, the aforementioned information is
actually transmitted to Burstly. Both PCaps contain the keyword
crParms. This keyword is also used in the source code to put
personal information into a map that is sent as a payload.</p>
<p>Skyrocket.com is an <a href="http://www.insidemobileapps.com/2013/05/21/burstly-restructures-company-and-opens-skyrocket-to-all-mobile-developers/" target="_blank">app
monetization service provided by Burstly</a>.</p> <p>1. The following PCap
shows Angry Birds fetching an ad from cdn.skyrocketapp.com through an
HTTP GET request; the JSON response carries the customer ID (the
cr1XXX8 keys, in bold below) inside cookie values scoped to
neptune.appads.com:</p> <p>
<span>HTTP/1.1 200
OK</span></p> <p>
<span>Cache-Control:
private</span></p> <p>
<span>Content-Type:
text/html</span></p> <p>
<span>Date: Thu, 06
Mar 2014 07:12:25 GMT</span></p> <p>
<span>Server:
Microsoft-IIS/7.5</span></p> <p>
<span>ServerName:
P-ADS-OR-WEBA #5</span></p> <p>
<span>X-AspNet-Version:
4.0.30319</span></p> <p>
<span>X-Powered-By:
ASP.NET</span></p> <p>
<span>X-ReqTime:
2</span></p> <p>
<span>X-Stats:
geo-0</span></p> <p>
<span>Content-Length:
9606</span></p> <p>
<span>Connection:
keep-alive</span></p> <p>
<span>GET
/7.4/ad/image/1...c.jpg HTTP/1.1</span></p> <p>
<span>User-Agent:
Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300
Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0
Mobile Safari/534.30</span></p> <p>
<span>Host:
cdn.skyrocketapp.com</span></p> <p>
<span>Connection:
Keep-Alive</span></p> <p>
<span>{"type":"ip","Id":"9XXX8",..."data":[{"imageUrl":"http://cdn.skyrocketapp.com/79...2c.jpg","adType":{"width":300,
"height":250, "extendedProperty":80},
"dataType": 64,
"textAdType":0,"destType":1,"destParms":"","cookie":[{"name":"fXXXg",
"value":
"ref=1XXX2&cr<b>1XXX8</b>=2,1&cr1XXX8=1&aoXXX8=",
"path":"/", "domain":
"neptune.appads.com", "expires":"Sat,
05 Apr 2014 XXX GMT", "maxage": 20},
{"name":"vw","value":"ref=1XXX2&...},...,"cbi":"http://bs.serving-sys.com/Burstin...25&rtu=-1","cbia":["http://bs.":1,"expires":60},..."color":{"bg":"00"},
"isInterstitial":1}</span></p> <p>2. In this PCap, the ad
is fetched from jumptap.com, i.e. Millennial Media, with an HTTP GET
request, and the same customer id 1XXX8 appears in the cr1XXX8
cookie values returned with it:</p> <p>
<span>HTTP/1.1 200
OK</span></p> <p>
<span>Cache-Control:
private</span></p> <p>
<span>Content-Type:
text/html</span></p> <p>
<span>Date: Thu, XX
Mar 2014 XX:XX:XX GMT</span></p> <p>
<span>Server:
Microsoft-IIS/7.5</span></p> <p>
<span>ServerName:
P-ADS-OR-WEBC #17</span></p> <p>
<span>X-AspNet-Version:
4.0.30319</span></p> <p>
<span>X-Powered-By:
ASP.NET</span></p> <p>
<span>X-ReqTime:
475</span></p> <p>
<span>X-Stats:
geo-0;rcf88626-255;rcf75152-218</span></p> <p>
<span>Content-Length:
2537</span></p> <p>
<span>Connection:
keep-alive</span></p> <p>
<span>GET
/img/1547/1XXX2.jpg HTTP/1.1</span></p> <p>
<span>Host:
<b>i.jumptap.com</b></span></p> <p>
<span>Connection:
keep-alive</span></p> <p>
<span>Referer:
http://bar/</span></p> <p>
<span>X-Requested-With:
com.rovio.angrybirds</span></p> <p>
<span>User-Agent:
Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300
Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0
Mobile Safari/534.30</span></p> <p>
<span>Accept-Encoding:
gzip,deflate</span></p> <p>
<span>Accept-Language:
en-US</span></p> <p>
<span>Accept-Charset:
utf-8, iso-8859-1, utf-16, *;q=0.7</span></p> <p>
<span>{"type":"ip","Id":"8XXX5","width":320,"height":50,"cookie":[],"data":[{"data":"<!--
AdPlacement :
banner_ingame_burstly","adType":{"width":320,
"height":50, "extendedProperty":2064
},"dataType":1, "textAdType":0,
"destType":10, "destParms":"",
"cookie":[{"name":"...",
"value":"ref=...&cr<b>1XXX8</b>=4,1&cr1XXX8=2,1",
"path":"/",
"domain":"neptune.appads.com",
"expires":"Sat, 0X Apr 2014 0X:XX:XX GMT",
"maxage":2XXX0}, {"name":"vw",...,
"crid":7XXX2, "aoid":3XXX3,
"iTrkData":"...",
"clkData":"...","feedName":"Nexage"}]}</span></p>
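<p>To make the cross-capture correlation concrete, here is an added Python example; it is not FireEye's tooling and not code from the original post. It takes each capture as request headers followed by a blank line and the JSON body (the page lists response headers before the request; the script assumes the request-then-body layout), pulls the Host header, parses every Burstly cookie value as a query string, collects the cr&lt;id&gt; keys, and reports which hosts each customer id was seen under. The captures inside the script are constructed to mirror the Skyrocket and jumptap responses above plus a turn.com one and a hypothetical fourth host; the ids 17258 and 16110, the host ads.example-net.test and all other values are placeholders, not the redacted 1XXX8 from the real captures.</p>

```python
"""Correlate a Burstly customer id across captures from different ad hosts.

Added example for this write-up, not FireEye's or Burstly's code. The
captures below are constructed; every id, path and host is a placeholder.
"""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed captures: request headers, a blank line, then the JSON body.
CAPTURES = [
    """GET /7.4/ad/image/abc.jpg HTTP/1.1
Host: cdn.skyrocketapp.com
Connection: Keep-Alive

{"type":"ip","Id":"9a8","data":[{"adType":{"width":300,"height":250},
"cookie":[{"name":"fg","value":"ref=16482&cr17258=2,1&cr17258=1&ao17258=",
"path":"/","domain":"neptune.appads.com","maxage":20},
{"name":"vw","value":"ref=16482&cr17258=1","domain":"neptune.appads.com"}]}],
"isInterstitial":1}""",
    """GET /img/1547/16482.jpg HTTP/1.1
Host: i.jumptap.com
X-Requested-With: com.rovio.angrybirds

{"type":"ip","Id":"8b5","width":320,"height":50,"cookie":[],"data":[{"data":"<!-- AdPlacement : banner_ingame_burstly -->",
"cookie":[{"name":"fg","value":"ref=16482&cr17258=4,1&cr17258=2,1","path":"/",
"domain":"neptune.appads.com","maxage":20000}],"feedName":"Nexage"}]}""",
    """GET /server/ads.js?pub=24&acp=0.51 HTTP/1.1
Host: ad.turn.com
X-Requested-With: com.rovio.angrybirds

{"type":"ip","Id":"0b","cookie":[],"data":[{"cookie":[{"name":"fg",
"value":"ref=16482&cr17258=k,1&cr17258=i,1","domain":"neptune.appads.com"}]}]}""",
    # Hypothetical capture from a different device, to show ids do not mix.
    """GET /ad HTTP/1.1
Host: ads.example-net.test

{"type":"ip","Id":"1c","data":[{"cookie":[{"name":"fg",
"value":"ref=90001&cr16110=1","domain":"neptune.appads.com"}]}]}""",
]

HOST_RE = re.compile(r"^\s*Host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
CR_KEY_RE = re.compile(r"^cr(\d+)$")


def split_capture(raw):
    """Return (host, parsed JSON body) for one capture. Headers and body
    are separated by the first blank line, as in an HTTP message."""
    headers, _, body = raw.partition("\n\n")
    m = HOST_RE.search(headers)
    if m is None:
        raise ValueError("capture has no Host header")
    return m.group(1).lower(), json.loads(body)


def iter_cookie_values(node):
    """Yield every cookie "value" string at any depth of the body. The
    responses carry a "cookie" list both at top level and inside each
    "data" entry, so a fixed path would miss some of them."""
    if isinstance(node, dict):
        for c in node.get("cookie") or []:
            if isinstance(c, dict) and isinstance(c.get("value"), str):
                yield c["value"]
        for child in node.values():
            yield from iter_cookie_values(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_cookie_values(child)


def customer_ids(body):
    """Customer ids carried as cr<id> keys in the cookie values, which are
    query-string encoded (ref=...&cr<id>=...&ao<id>=)."""
    ids = set()
    for value in iter_cookie_values(body):
        for key in parse_qs(value, keep_blank_values=True):
            m = CR_KEY_RE.match(key)
            if m:
                ids.add(m.group(1))
    return ids


def correlate(captures):
    """Map each customer id to the sorted list of ad hosts whose capture
    carried it. One id under several hosts is the cross-network tracking
    the captures illustrate."""
    hosts = defaultdict(set)
    for raw in captures:
        host, body = split_capture(raw)
        for cid in customer_ids(body):
            hosts[cid].add(host)
    return {cid: sorted(h) for cid, h in hosts.items()}


if __name__ == "__main__":
    for cid, seen in sorted(correlate(CAPTURES).items()):
        print(f"customer id {cid}: {', '.join(seen)}")
```

<p>Run stand-alone, the script lists placeholder id 17258 under ad.turn.com, cdn.skyrocketapp.com and i.jumptap.com, and 16110 only under the hypothetical host; feeding it bodies pulled from a real capture (for example with tshark's follow-stream output) is the same one-id-across-networks check the captures on this page make by hand.</p>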
<p>In the jumptap.com PCap above, the advertisement itself is served by
i.jumptap.com, yet the cookie values still carry the Burstly customer
id. Because the customer id 1XXX8 stays the same, it lets us tie
together the PCaps of different ad libraries.</p> <p>3. For example, in another PCap
from turn.com, the customer id remains the same:</p> <p>
<span>HTTP/1.1 200
OK</span></p> <p>
<span>Cache-Control:
private</span></p> <p>
<span>Content-Type:
text/html</span></p> <p>
<span>Date: Thu, 06
Mar 2014 07:30:54 GMT</span></p> <p>
<span>Server:
Microsoft-IIS/7.5</span></p> <p>
<span>ServerName:
P-ADS-OR-WEBB #6</span></p> <p>
<span>X-AspNet-Version:
4.0.30319</span></p> <p>
<span>X-Powered-By:
ASP.NET</span></p> <p>
<span>X-ReqTime:
273</span></p> <p>
<span>X-Stats:
geo-0;rcf88626-272</span></p> <p>
<span>Content-Length:
4714</span></p> <p>
<span>Connection:
keep-alive</span></p> <p>
<span>GET
/server/ads.js?pub=24PvctPFq&acp=0.51 HTTP/1.1</span></p> <p>
<span>Host:
ad.turn.com</span></p> <p>
<span>Connection:
keep-alive</span></p> <p>
<span>Referer:
http://bar/</span></p> <p>
<span>Accept:
*/*</span></p> <p>
<span>X-Requested-With:
com.rovio.angrybirds</span></p> <p>
<span>User-Agent:
Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300
Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0
Mobile Safari/534.30</span></p> <p>
<span>Accept-Encoding:
gzip,deflate</span></p> <p>
<span>Accept-Language:
en-US</span></p> <p>
<span>Accept-Charset:
utf-8, iso-8859-1, utf-16, *;q=0.7</span></p> <p>
<span>{"type":"ip","Id":"0...b","width":320,"height":50,"cookie":[],"data":[{"data":"<!--
AdPlacement : banner_ingame_burstly -->
\"http://burstly.ads.nexage.com:80..."
destParms":"",
"cookie":[{"name":"f...g",
"value":"ref=1...0&cr<b>1XXXX8</b>=k,1&cr...8=i,
1","path":"/",
"domain":"neptune.appads.com",
"expires":"Sat, 0X Apr 2014 0X:XX:XX</span></p> <h3>
<b>How is the personal information shared?</b></h3> <p>We also
examined the decompiled source code of the Burstly ad mediation
library to trace the method calls behind the information sharing. First, in
com/burstly/lib/conveniencelayer/BurstlyAnimatedBanner.java, when
Angry Birds initializes its connection with Burstly,
<i>initNewAnimatedBanner()</i> is called as follows:</p> <p>
<span>this.initNewAnimatedBanner
(arg7.getActivity(), arg8, arg9, arg10, arg11);</span></p> <p>
<span>Inside
initNewAnimatedBanner(), it instantiates the BurstlyView object
by calling:</span></p> <p>
<span>BurstlyView v0
= new BurstlyView(((Context)arg3));</span></p> <p>
<span>v0.setZoneId(arg6);</span></p>
<p>Before the ZoneId is set, the <i>initializeView()</i> method is
called in the constructor of BurstlyView. Furthermore, inside the
<i>initializeView()</i> method, we found the following:</p> <p>
<span>new
BurstlyViewConfigurator(this).configure(this.mAttributes);</span></p>
<p>Finally in the <i>BurstlyViewConfigurator.configure()</i>
method, it sets a series of parameters:</p> <p>
<span>this.extractAndApplyBurstlyViewId();</span></p> <p>
<span>this.extractAndApplyCrParams();</span></p> <p>
<span>this.extractAndApplyDefaultSessionLife();</span></p> <p>
<span>this.extractAndApplyPublisherId();</span></p> <p>
<span>this.extractAndApplyPubTargetingParams();</span></p> <p>
<span>this.extractAndApplyUseCachedResponse();</span></p> <p>
<span>this.extractAndApplyZoneId();</span></p>
<p>These method calls read the view's configuration attributes. For
example, the extractAndApplyCrParams() method looks up the crParams
attribute in the view's XML attribute set under the Burstly namespace
(the string "http://burstly.com/lib/ui/schema" is an XML namespace
identifier, not a network request to burstly.com) and stores the value in
the BurstlyView object:</p> <p>
<span>String v0 =
this.mAttributes.getAttributeValue("http://burstly.com/lib/ui/schema",
"crParams");</span></p> <p>
<span>if(v0 != null)
{</span></p> <p>
<span>BurstlyViewConfigurator.LOG.logDebug("BurstlyViewConfigurator",
"Setting CR params to: {0}", new
Object[]{v0});</span></p> <p>
<span>this.mBurstlyView.setCrParms(v0);</span></p> <p>
<span>}</span></p>
<p>The key <i>crParms</i>, set here through setCrParms(), is the same
one used in the first PCap to label the values corresponding to
personal information such as age and gender.</p> <h3>
<b>Conclusion</b></h3> <p>In summary, Angry Birds collects users'
personal information and associates it with a customer id before
storing it in the smartphone's storage. The Burstly ad library
embedded in Angry Birds then fetches the customer id, uploads the
corresponding personal information to the Burstly cloud, and
passes it on to other advertising clouds. We have captured such
traffic in the network packet captures and traced the corresponding code
paths in the reverse-engineered source code.</p> <p>For FireEye
ThreatScore information on Angry Birds and more details about the
application's behavior, FireEye Mobile Threat Prevention customers
can access their Mobile Threat Prevention (MTP) portal.</p> </li> </ul>