







Most users create Rovio accounts to save game progress and scores and to get onto the global leaderboard. But during the same registration process, FireEye says, the app also captures users' birthdays, email addresses and gender. And if you think you are protected against this kind of information theft, Rovio's end-user license agreement (EULA) and privacy policy grant the publisher the right to upload the collected information to third-party entities for marketing.









The traffic flow of information from Rovio is given below.

Angry Birds uses native code called libAngryBird.so to access storage and help the ad libraries store logs, caches, database, configuration files, and AES-encrypted game data. For users with a Rovio account, this data includes the user’s personal information in clear text or easily decrypted formats. For example, some information is stored in clear text in the web view cache called webviewCacheChromium:



{"accountId":"AC3XXX…XXXA62B","accountExtRef":"hE…fDc","personal":{"firstName":null,"lastName":null,"birthday":"19XXXXX-01", "age":"30", "gender":"FEMALE", "country":"United States", "countryCode":"US", "marketingConsent":false, "avatarId":"AVXXX…XXX2c","imageAssets":[...], "nickName":null}, "abid":{"email":"eXXX…", "isConfirmed":false}, "phoneNumber":null, "facebook":{"facebookId":"","email":""},"socialNetworks":[]}



The device is given a universal id 1XXXX8, which is stored in the webviewCookiesChromium database in clear text:



cu1XXXX8|{"name":"cu1XXXX8","value":"3%2XXX…XXX6+PM"}|13XXX…XXX1



The id "1XXXX8" labels the personal information when uploaded by the ad mediation platform. Then the information is passed to ad clouds.



1. The initial traffic capture in the PCap shows what kind of information Angry Birds uploads to Burstly:



HTTP/1.1 200 OK
Cache-Control: private
Date: Thu, 06 Mar 2014 XX:XX:XX GMT
Server: Microsoft-IIS/7.5
ServerName: P-ADS-OR-WEBC #22
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-ReqTime: 0
Content-Length: 0
Connection: keep-alive

POST /Services/PubAd.svc/GetSingleAdPlacement HTTP/1.1
Content-type: text/json; charset=utf-8
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Content-Length: 1690
Host: neptune.appads.com
Connection: Keep-Alive

{"data":{"Id":"8XXX5","acceptLanguage":"en","adPool":0,"androidId":"u1XXX…XXXug","bundleId": "com.rovio.angrybirds",…,"cookie":[{"name":"cu1XXX8","value":"3XXX6+PM"},{"name":"vw","value":"ref=1XXX2&dgi=,eL,default,GFW"},{"name":"lc","value":"1XXX8"},{"name":"iuXXXg","value":"x"},{"name":"cuXXX8","value":"3%2XXXPM"},{"name":"fXXXg","value":"ref=1XXX712&crXXX8=2,1&crXXX8=,1"}], "crParms":"age=30,androidstore='com.android.vending', customer='googleplay', gender='FEMALE', version='4.1.0'", "debugFlags":0, "deviceId":"aXXX…XXXd", "encDevId":"xXXX….XXXs=", "encMAC":"iXXX…XXXg=", "ipAddress":"","mac":"1XXX…XXX9", "noTrack":0,"placement":"", "pubTargeting":"age=30, androidstore='com.android.vending', customer='googleplay', gender='FEMALE', version='4.1.0'","rvCR":"", "type":"iq","userAgentInfo":{"Build":"1.35.0.50370", "BuildID":"323", "Carrier":"","Density":"High", "Device":"AscendY300", "DeviceFamily":"Huawei", "MCC":"0","MNC":"0",…



We can see that the information transmitted to neptune.appads.com includes gender, age, android id, device id, mac address, device type, etc. In another PCap, in which Angry Birds sends a POST to the same host name, the IP address is transmitted too:



HTTP/1.1 200 OK

POST /Services/v1/SdkConfiguration/Get HTTP/1.1
Host: neptune.appads.com

"IpAddress":"fXXX…XXX9%eth0",…



According to whois records, the registrant organization of neptune.appads.com is Burstly, Inc. Therefore, the aforementioned information is actually transmitted to Burstly. Both PCaps contain the keyword "crParms." This keyword is also used in the source code to put personal information into a map sent as a payload.



Skyrocket.com is an app monetization service provided by Burstly. The following PCap shows that Angry Birds retrieves the customer ID from Skyrocket.com through an HTTP GET request:



HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 06 Mar 2014 07:12:25 GMT
Server: Microsoft-IIS/7.5
ServerName: P-ADS-OR-WEBA #5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-ReqTime: 2
X-Stats: geo-0
Content-Length: 9606
Connection: keep-alive

GET /7….4/ad/image/1…c.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Host: cdn.skyrocketapp.com
Connection: Keep-Alive

{"type":"ip","Id":"9XXX8",…"data":[{"imageUrl":"http://cdn.skyrocketapp.com/79...2c.jpg","adType":{"width":300, "height":250, "extendedProperty":80}, "dataType": 64, "textAdType":0,"destType":1,"destParms":"","cookie":[{"name":"fXXXg", "value": "ref=1XXX2&cr1XXX8=2,1&cr1XXX8=1&aoXXX8=", "path":"/", "domain": "neptune.appads.com", "expires":"Sat, 05 Apr 2014 XXX GMT", "maxage": 2…0}, {"name":"vw","value":"ref=1XXX2&...},...,"cbi":"http://bs.serving-sys.com/Burstin...25&rtu=-1","cbia":["http://bs….":1,"expires":60},..."color":{"bg":"0…0"}, "isInterstitial":1}



2. In this PCap, the ad is fetched by including the customer id 1XXX8 into the HTTP POST request to jumptap.com, i.e. Millennial Media:



HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, XX Mar 2014 XX:XX:XX GMT
Server: Microsoft-IIS/7.5
ServerName: P-ADS-OR-WEBC #17
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-ReqTime: 475
X-Stats: geo-0;rcf88626-255;rcf75152-218
Content-Length: 2537
Connection: keep-alive

GET /img/1547/1XXX2.jpg HTTP/1.1
Host: i.jumptap.com
Connection: keep-alive
Referer: http://bar/
X-Requested-With: com.rovio.angrybirds
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

{"type":"ip","Id":"8XXX5","width":320,"height":50,"cookie":[],"data":[{"data":"<!-- AdPlacement : banner_ingame_burstly…","adType":{"width":320, "height":50, "extendedProperty":2064 },"dataType":1, "textAdType":0, "destType":10, "destParms":"", "cookie":[{"name":"...", "value":"ref=...&cr1XXX8=4,1&cr1XXX8=2,1", "path":"/", "domain":"neptune.appads.com", "expires":"Sat, 0X Apr 2014 0X:XX:XX GMT", "maxage":2XXX0}, {"name":"vw",..., "crid":7XXX2, "aoid":3XXX3, "iTrkData":"...", "clkData":"...","feedName":"Nexage"}]}



In this pcap, the advertisement is retrieved from jumptap.com. We can use the same customer id “1XXXX8” to easily track the PCap of different ad libraries.



3. For example, in another PCap from turn.com, customer id remains the same:



HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 06 Mar 2014 07:30:54 GMT
Server: Microsoft-IIS/7.5
ServerName: P-ADS-OR-WEBB #6
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-ReqTime: 273
X-Stats: geo-0;rcf88626-272
Content-Length: 4714
Connection: keep-alive

GET /server/ads.js?pub=24…PvctPFq&acp=0.51 HTTP/1.1
Host: ad.turn.com
Connection: keep-alive
Referer: http://bar/
Accept: */*
X-Requested-With: com.rovio.angrybirds
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

{"type":"ip","Id":"0…b","width":320,"height":50,"cookie":[],"data":[{"data":"<!-- AdPlacement : banner_ingame_burstly --> \"http://burstly.ads.nexage.com:80..." destParms":"", "cookie":[{"name":"f...g", "value":"ref=1...0&cr1XXXX8=k,1&cr...8=i, 1","path":"/", "domain":"neptune.appads.com", "expires":"Sat, 0X Apr 2014 0X:XX:XX
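An added example (not from FireEye's analysis or the original post): a small audit over decoded request and response bodies that flags the personal fields the captures above expose and uses the customer id to link flows across ad hosts. The flows, the host cdn.example.test and the numeric id 1000008 are constructed, and the cu<id> / cr<id>= cookie pattern is an assumption based on the redacted cookies shown above.

```python
import re

# Constructed flows modeled on the captures above; every value is a placeholder.
FLOWS = [
    ("neptune.appads.com", {"data": {
        "androidId": "ANDROID-ID", "mac": "00:00:00:00:00:00", "ipAddress": "",
        "cookie": [{"name": "cu1000008", "value": "3%2F6+PM"}],
        "crParms": "age=30,customer='googleplay',gender='FEMALE'"}}),
    ("i.jumptap.com", {"type": "ip", "data": [{"cookie": [
        {"name": "f0g", "value": "ref=1&cr1000008=4,1&cr1000008=2,1"}]}]}),
    ("cdn.example.test", {"type": "ip", "data": []}),
]
PII_KEYS = {"androidId", "deviceId", "mac", "ipAddress"}  # fields named in the text
PII_PARAMS = {"age", "gender"}  # carried inside crParms / pubTargeting
ID_RE = re.compile(r"\bc[ur](\d+)(?==|$)")  # assumed cu<id> / cr<id>= with numeric id

def parse_cr_parms(text):
    """Split "k=v,k='v'" targeting strings into a dict, dropping the quotes."""
    pairs = (p.split("=", 1) for p in text.split(",") if "=" in p)
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def walk(node):  # yield every (key, value) pair found anywhere in nested JSON
    if isinstance(node, dict):
        for key, val in node.items():
            yield key, val
            yield from walk(val)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def audit(flows):
    """Map host -> {"pii": fields sent, "ids": customer ids referenced}."""
    report = {}
    for host, body in flows:
        pii, ids = set(), set()
        for key, val in walk(body):
            if key in PII_KEYS and val:  # empty values are not a disclosure
                pii.add(key)
            elif key in ("crParms", "pubTargeting"):
                pii |= PII_PARAMS.intersection(parse_cr_parms(val))
            elif key in ("name", "value") and isinstance(val, str):
                ids.update(ID_RE.findall(val))
        report[host] = {"pii": pii, "ids": ids}
    return report

def correlated_ids(report):
    """Return {id: hosts} for ids that appear in flows to more than one host."""
    all_ids = set().union(*(e["ids"] for e in report.values()))
    linked = {c: {h for h, e in report.items() if c in e["ids"]} for c in all_ids}
    return {c: hosts for c, hosts in linked.items() if len(hosts) > 1}
```

Running audit(FLOWS) and then correlated_ids() on the result shows which hosts received personal fields and which flows share one customer id, which is the linkage the captures demonstrate.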



Earlier this year, US government contractor Edward Snowden stated that Angry Birds shared private user information with the NSA and GCHQ. But after the media reports were published, they directly denied the statement and stated that they did not collaborate or collude with any government spy agencies such as the NSA or GCHQ anywhere in the world. Now, once again, FireEye shows that they are sharing users' data for profit. What does this mean?

We have tried to contact Rovio (the Angry Birds team) about this and hope to get some information from their side too.

Source: FireEye

How many of you like to play mobile games? I think everyone here. Yup, me too, mostly popular Android games like Angry Birds, Subway Surfers or something else. But do you know how dangerous a game that looks simple can be for us? That's right: a security provider firm, FireEye, has brought us something we didn't know.

FireEye has noted that Rovio, maker of "Angry Birds", is sharing users' personal information, and without prior notice to the users. They seem to be operating well within the law and the EULA, which allows them to. This is done unscrupulously by Rovio using the information of over half a billion users who have created online Rovio accounts to save their game progress.

In the blog post, FireEye mentions that even after a slew of reports and complaints against Rovio for this kind of information sharing, Rovio continues to share personal information. FireEye said that more than a quarter billion users who create Rovio accounts to save their game progress across multiple devices might be unwittingly sharing all kinds of information, like age and gender, with multiple parties for profit.

Discussing the scenario, FireEye says that once a Rovio account is created and personal information is uploaded, the data might be shared in multiple locations: Angry Birds Cloud, Burstly (ad mediation platform), and third-party ad networks such as Jumptap and Millennial Media. The FireEye researchers analysed different versions of Angry Birds and found that multiple versions of the game can share personal information in clear text, including email, address, age and gender. They mentioned that "In summary, Angry Birds collects user's personal information and associates with customer id before storing it in the smart phone storage. Then the Burstly ad library embedded in Angry Birds fetches the customer id, uploads the corresponding personal information to the Burstly cloud, and transmits it to other advertising clouds. We have caught such traffics in the network packet captures and the corresponding code paths in the reversed engineered source code."