Developers have been reporting allegedly strange behavior from AppLovin’s MAX Unity SDK.
At least one developer discovered that MAX, AppLovin’s in-app monetization solution, appears to have been capturing iOS 15 postbacks for installs generated by other ad networks automatically and without permission.
The tip was shared anonymously with the mobile ad industry forum Mobile Dev Memo.
Postback data is like a receipt with general information about an install and the campaign that led to it. It’s valuable because it demonstrates which apps are sources of good traffic and which ad networks are most effective at driving certain outcomes.
To the MAX
It’s important to note that there is no PII in a SKAdNetwork postback.
At issue was the fact that AppLovin could see the attribution postbacks for all of an advertiser’s installs, not just its own, even if the developer had explicitly specified a different endpoint for where to send postbacks.
(An endpoint is a web URL where information, like postbacks, can be sent by an ad network to an advertiser.)
AppLovin wasn’t claiming credit for any of these installs. But gaining visibility into all of an advertiser’s postbacks would reveal which networks were winning bids for any impressions served in apps monetizing with MAX.
And if AppLovin could see that a certain app is a good source of installs, for example, it could theoretically use that information to inform its own automated bids on behalf of that advertiser.
But AppLovin claims it did not actually collect any of the data, although only AppLovin knows if that’s truly the case.
According to AppLovin, the Unity plugin in question was benign rather than a data grab. (A Unity plugin is a software add-on used by SDKs that gives access to features such as third-party libraries or OS calls.)
In a statement shared with AdExchanger, an AppLovin spokesperson said the plugin was “designed to create an app that is ready to test/submit to the app store” and that “this feature request was documented for all developers using native integration and our Unity plugin.”
AppLovin has since stopped this practice and instituted a code update that gives developers the option to manually set their NSAdvertisingAttributionReportEndpoint. AppLovin’s endpoint is no longer the default.
But here’s a little wrinkle: AppLovin’s Unity plugin doesn’t actually have Unity’s blessing.
“We think it’s important to note that the AppLovin plugin is not verified by Unity,” a Unity spokesperson told AdExchanger. “We maintain a level of openness for developers and balance that with trust and security by offering verification programs, which the referenced feature has not been a part of.”
What exactly happened on the backend
When an install occurs on iOS 14+, Apple’s new SKAdNetwork framework sends a postback from the user’s device directly to the ad network that deserves credit.
Some advertisers were worried that ad networks, including Facebook’s, wouldn’t always share these postbacks with them. And so, starting with iOS 15, Apple began allowing advertisers to receive a copy of these postbacks on their own – a sort of “god mode” view of installs attributed for their app across all ad networks. Developers do this by specifying their own URL (known as the NSAdvertisingAttributionReportEndpoint).
The MAX SDK was accessing iOS 15 postback data automatically by overriding the NSAdvertisingAttributionReportEndpoint a developer had set as the destination for where SKAdNetwork was supposed to send postback info and replacing it with an AppLovin endpoint.
With this setup, AppLovin was in a position to piggyback off its monetization offering and glean information it could use to benefit its ad network – but without the knowledge of its developer partners.
AppLovin said that it enabled this configuration to make life easier for its customers. “While many of our developers manually enable NSAdvertisingAttributionReportEndpoint using the instructions in our documentation, our Unity plugin allows developers a way to automate many steps of an integration process, including the feature in question,” the spokesperson said.
In other AppLovin news, the company just dropped a cool $1.05 billion in cash to acquire MoPub from Twitter last week – resulting in one less independent mediation option available to app developers.
Story updated on 10/15/21 to reflect comments from Unity.
