Investigating Apps interactions with Facebook on Android
Privacy International (PI) has been investigating the proliferation of data tracking, brokerage and exchange between many tech companies, both as their primary business and as a value-added service.
PI's analysis consisted of capturing and decrypting data in transit between our own device and Facebook's servers (a so-called "man-in-the-middle" interception of our own traffic). We did this using mitmproxy, a free and open-source interactive HTTPS proxy. Having captured the communications, we then analysed the contents of the messages to determine the composition of the data being exchanged. Fortunately the data emitted by the Facebook SDK adheres to JSON formatting conventions, so aspects of the data exchange are human readable.
From this data PI was able to identify three broad categories of information being transmitted through the Graph API:
- Facebook SDK events data, such as application launch, application closure and SDK versioning information. This information is set by Facebook and appears to be the default configuration of the SDK, as almost all applications using it appear to send it.
- Facebook Advertising events data, such as phone information, advertising information, placement and capability information. It is assumed that only applications using Facebook's monetisation options will send this data.
- Arbitrary "CUSTOM_DATA_APP_EVENT" data that is set by the application developer. This can include menu selections, user inputs and data retrievals such as previously entered data. The data sent varies greatly by application.
The individual data emitted by each app can be seen in the analysis below.
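To show how the captured traffic can be sorted into the three categories above, here is an added example script that is not Privacy International's own tooling. It assumes the request bodies to the SDK's activities endpoint have already been exported from mitmproxy as form-encoded strings; the field names it looks for (`custom_events`, `_eventName`, `advertiser_id`, `anon_id`, `extinfo`, `sdk_version`) are assumptions modelled on what the Facebook SDK posts, and the two sample bodies are constructed, not captured.

```python
"""Sort Facebook SDK app-event traffic, captured from one's own device, into
SDK-set events, advertising/device identifiers and developer-chosen custom
events. Added example, not PI's tooling; field names are assumptions modelled
on the Facebook SDK's activities endpoint, and the samples are constructed."""
import json
from urllib.parse import parse_qs, urlencode

# Event names the SDK emits by itself, independent of the app developer (assumed prefixes).
SDK_EVENT_PREFIXES = ("fb_mobile_", "fb_sdk_")

# Top-level fields that carry advertising / device identifiers (assumed names).
ADVERTISING_FIELDS = (
    "advertiser_id", "anon_id", "advertiser_tracking_enabled",
    "application_tracking_enabled", "extinfo",
)


def parse_activities_body(body: str) -> dict:
    """Decode one form-encoded request body into a dict.

    Single-valued fields are flattened. 'custom_events' and 'extinfo' are
    JSON strings nested inside the form body, so they are decoded as well.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for nested in ("custom_events", "extinfo"):
        if nested in fields:
            fields[nested] = json.loads(fields[nested])
    return fields


def classify(record: dict) -> dict:
    """Split one decoded request into the three categories from the text."""
    result = {"sdk_meta": {}, "sdk_events": [], "advertising_fields": {}, "custom_events": []}
    # Event type and SDK version are set by the SDK, not the app developer.
    for key in ("event", "sdk", "sdk_version"):
        if key in record:
            result["sdk_meta"][key] = record[key]
    for key in ADVERTISING_FIELDS:
        if key in record:
            result["advertising_fields"][key] = record[key]
    for ev in record.get("custom_events", []):
        name = ev.get("_eventName", "")
        if name.startswith(SDK_EVENT_PREFIXES):
            result["sdk_events"].append(name)
        else:
            # Developer-chosen event: keep its parameters so a reviewer can see
            # which user inputs travelled with it (keys starting with '_' are SDK bookkeeping).
            params = {k: v for k, v in ev.items() if not k.startswith("_")}
            result["custom_events"].append({"name": name, "params": params})
    return result


def summarize_capture(bodies) -> dict:
    """Aggregate a whole capture: which SDK events, identifiers and custom events appeared."""
    sdk_events, adv_fields, custom = set(), set(), {}
    for body in bodies:
        c = classify(parse_activities_body(body))
        sdk_events.update(c["sdk_events"])
        adv_fields.update(c["advertising_fields"])
        for ev in c["custom_events"]:
            custom.setdefault(ev["name"], set()).update(ev["params"])
    return {
        "sdk_events": sorted(sdk_events),
        "advertising_fields": sorted(adv_fields),
        "custom_events": {name: sorted(keys) for name, keys in custom.items()},
    }


def _constructed_body(**fields) -> str:
    """Build a form body shaped like the SDK's; used only to make sample input."""
    encoded = {k: json.dumps(v) if isinstance(v, (list, dict)) else v for k, v in fields.items()}
    return urlencode(encoded)


# Constructed sample bodies: one SDK-only/advertising request, one with a custom event.
SAMPLE_BODIES = [
    _constructed_body(
        event="CUSTOM_APP_EVENTS", sdk="android", sdk_version="4.34.0",
        advertiser_id="00000000-0000-0000-0000-000000000000",  # placeholder, not a real ID
        advertiser_tracking_enabled="1",
        extinfo=["a2", "com.example.travel", "12", "1.4.2", "8.1.0", "Pixel 2", "en_GB"],
        custom_events=[
            {"_eventName": "fb_mobile_activate_app", "_logTime": 1546300800},
            {"_eventName": "fb_mobile_deactivate_app", "_logTime": 1546300900},
        ],
    ),
    _constructed_body(
        event="CUSTOM_APP_EVENTS", sdk="android", sdk_version="4.34.0",
        anon_id="XZ-constructed-anon-id",
        custom_events=[
            {"_eventName": "search_flights", "_logTime": 1546301000,
             "origin": "LHR", "destination": "CDG"},
            {"_eventName": "fb_mobile_activate_app", "_logTime": 1546301100},
        ],
    ),
]

if __name__ == "__main__":
    print(json.dumps(summarize_capture(SAMPLE_BODIES), indent=2))
```

The summary separates what the SDK sends by default (activate/deactivate events, version fields) from the identifiers that only advertising-enabled apps would add and from the developer-defined events, which is the distinction a reviewer of such a capture needs before attributing any data flow to the app developer rather than to the SDK's defaults.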