KAYAK Flights, Hotels & Cars
We retested this app on 17.02.2019. The app doesn’t contact Facebook as soon as the app is opened.
Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.
KAYAK is an app for finding cheap hotels and flights
From the Google Play Store page:
"KAYAK searches hundreds of other travel sites so you don’t have to. Book the perfect flight, hotel or rental car and save money with mobile-only rates and Private Deals. KAYAK Trips lets you organize all of your travel plans in one place including free flight status updates, airport terminal maps and security wait times. KAYAK is the only app you need for planning, booking and traveling."
This documentation demonstrates actions taken by the test user and the apps subsequent responses.
Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:
Immediately after the app is opened, the following data is sent to graph.facebook.com (Graph)
format: json
sdk: android
event: MOBILE_APP_INSTALL
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZdfd5f00f-9271-4e82-a8ce-6cea1d38b6d3
application_tracking_enabled: true
extinfo: ["a2","com.kayak.android",1257,"69.1","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name: com.kayak.androidWith the response:
{
"success":true
}The app sends the following HTTP GET request to graph.facebook.com
GET https://graph.facebook.com/v3.2/163003079204/button_auto_detection_device_selection?fields=is_selected&format=json&sdk=android&device_id=474364c6-e9cf-4971-8dd2-b1dc3c605450 HTTP/1.1The app receives the following response from graph.facebook.com:
{
"data":[ {
"is_selected":false
}
]
}Without any further user action, the app sends the following request to graph.facebook.com
format: json
sdk: android
custom_events: [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543687678,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","marketing_lib_included":"1","login_lib_included":"1","places_lib_included":"1","all_lib_included":"1","share_lib_included":"1","messenger_lib_included":"1","applinks_lib_included":"1"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543687679,"_ui":"Splash","_session_id":"96ac6dc9-d0d4-496f-85b6-0c75b86b2d23","fb_mobile_launch_source":"Unclassified"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZdfd5f00f-9271-4e82-a8ce-6cea1d38b6d3
application_tracking_enabled: true
extinfo: ["a2","com.kayak.android",1257,"69.1","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name: com.kayak.androidThe app receives the following response from graph.facebook.com:
{
"success":true
}The app sends the following HTTP GET request to graph.facebook.com
GET https://graph.facebook.com/v3.2/163003079204/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=4.38.1&sdk=android&device_id=474364c6-e9cf-4971-8dd2-b1dc3c605450&platform=android HTTP/1.1The app receives the following response to the GET request from graph.facebook.com:
{
"data":[ {
"gatekeepers":[ {
"key":"app_events_auto_logging","value":false
}
, {
"key":"app_events_if_auto_log_subs","value":false
}
]
}
]
}Action from app: The user is asked to sign in.
Test user action 2: The user chooses skip
Screenshot of Dialog shown to user:
Test user action 3: The user inputs a search for a flight with 1 economy passenger from London (Gatwick) to Tokyo on the 2nd December, returning on the 5th
Action from app: The search is initialised.
The app sends the following to graph.facebook.com
format: json
sdk: android
custom_events: [{"_eventName":"fb_mobile_search","_eventName_md5":"21ecb6e2391dc121cc5702bb4d0c6aee","_logTime":1543687871,"_ui":"unknown","_session_id":"96ac6dc9-d0d4-496f-85b6-0c75b86b2d23","obfuscated_session_id":"H-5bA4a5Ta3jpwN4vbUHDHO-TFSxSSjPo11RAKo9WV0cKnDDBSknGfD4yjSAw6uik","bookingWindow":"1","obfuscated_tracking_cookie":"JHRqu46001JsujWaiTV7hIdBHwc","travel_start":"12\/02\/2018","brand":"kayak","destination_airport":"TYO","travel_end":"12\/05\/2018","content_type":"Flight","num_adults":"1","is_logged_in":"false","origin_airport":"LGW","user_score":"0"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZdfd5f00f-9271-4e82-a8ce-6cea1d38b6d3
application_tracking_enabled: true
extinfo: ["a2","com.kayak.android",1257,"69.1","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name: com.kayak.androidThe app receives the following response from graph.facebook.com:
{
"success":true
}Test user action 4: The user selects a flight routed to Narita International
Response from app: The flight details are listed
The app sends the following to graph.facebook.com
format: json
sdk: android
custom_events: [{"_eventName":"fb_mobile_content_view","_eventName_md5":"533c6dea25f750ee1fefcd943f21df1f","_logTime":1543687983,"_ui":"unknown","_session_id":"96ac6dc9-d0d4-496f-85b6-0c75b86b2d23","_valueToSum":663,"obfuscated_session_id":"H-5bA4a5Ta3jpwN4vbUHDHO-TFSxSSjPo11RAKo9WV0cKnDDBSknGfD4yjSAw6uik","bookingWindow":"1","obfuscated_tracking_cookie":"JHRqu46001JsujWaiTV7hIdBHwc","travel_start":"12\/02\/2018","fb_currency":"GBP","brand":"kayak","destination_airport":"NRT","travel_end":"12\/05\/2018","content_type":"Flight","num_adults":"1","is_logged_in":"false","order_id":"DaGCAYiLPF","fb_content_id":"mult","origin_airport":"LGW","fb_search_string":"\/flights\/LGW-TYO\/2018-12-02\/2018-12-05\/f6f7f4e595ba8b61f070f6b81e7f69198","user_score":"0"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZdfd5f00f-9271-4e82-a8ce-6cea1d38b6d3
application_tracking_enabled: true
extinfo: ["a2","com.kayak.android",1257,"69.1","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name: com.kayak.androidThe app receives the following response from graph.facebook.com:
{
"success":true
}Test user action 5: The user chooses to do a search for Hotels in Tokyo for the same dates, but with 2 adults
Response from app: The app returns the search results
The app sends the following to graph.facebook.com
format: json
sdk: android
custom_events: [{"_eventName":"fb_mobile_search","_eventName_md5":"21ecb6e2391dc121cc5702bb4d0c6aee","_logTime":1543688012,"_ui":"unknown","_session_id":"96ac6dc9-d0d4-496f-85b6-0c75b86b2d23","obfuscated_session_id":"H-5bA4a5Ta3jpwN4vbUHDHO-TFSxSSjPo11RAKo9WV0cKnDDBSknGfD4yjSAw6uik","destination_city_id":"21033","bookingWindow":"1","obfuscated_tracking_cookie":"JHRqu46001JsujWaiTV7hIdBHwc","travel_start":"12\/02\/2018","brand":"kayak","travel_end":"12\/05\/2018","content_type":"Hotel","num_adults":"2","is_logged_in":"false","user_score":"0"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZdfd5f00f-9271-4e82-a8ce-6cea1d38b6d3
application_tracking_enabled: true
extinfo: ["a2","com.kayak.android",1257,"69.1","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name: com.kayak.androidThe app receives the following response from graph.facebook.com:
{
"success":true
}Test user action 6: The user closes the application
Response from app: No futher data is sent or received by the app from graph.facebook.com
Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.
Note 2: The phone videos are split into multiple parts due to a 180 second limitation in Android Developer Bridge screenrecord command