Skyscanner - Cheap Flights, Hotels and Car Rental (Ad Personalisation = On)
We retested this app on 17/02/2019. The app still contacts Facebook as soon as the app is opened, but no longer shares your Google advertising ID.
Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.
From the Google Play Store page:
"Skyscanner is an all-in-one travel app with flights, hotels and car rentals, all in one place. Instantly search, compare and book cheap flights, hotels and car rentals anytime, anywhere."
This documentation demonstrates actions taken by the test user and the apps subsequent responses.
Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:
Immediately after the app is opened, the following data is sent to graph.facebook.com (Graph)
The following HTTP GET request is made to graph.facebook.com
GET https://graph.facebook.com/v3.0/1563144747281352?fields=supports_implicit_sdk_logging%2Cgdpv4_nux_content%2Cgdpv4_nux_enabled%2Cgdpv4_chrome_custom_tabs_enabled%2Candroid_dialog_configs%2Candroid_sdk_error_categories%2Capp_events_session_timeout%2Capp_events_feature_bitmask%2Cseamless_login%2Csmart_login_bookmark_icon_url%2Csmart_login_menu_icon_url&format=json&sdk=android HTTP/1.1
With the response
{
"supports_implicit_sdk_logging":true,"gdpv4_nux_enabled":false,"gdpv4_chrome_custom_tabs_enabled":true,"android_sdk_error_categories":[ {
"name":"login_recoverable","items":[ {
"code":102
}
, {
"code":190
}
],"recovery_message":"Please log in to this app again to reconnect your Facebook account."
}
],"app_events_session_timeout":60,"app_events_feature_bitmask":5,"seamless_login":1,"smart_login_bookmark_icon_url":"https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yh\/r\/HyQ4Fq_iGUX.png","smart_login_menu_icon_url":"https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yR\/r\/xi3BPJ134MF.png","id":"1563144747281352"
}
Without any further user action, the app sends the following request to graph.facebook.com
format: json
sdk: android
event: MOBILE_APP_INSTALL
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ91d69838-8980-4d1a-8e41-d6c21362b0b5
application_tracking_enabled: true
extinfo: ["a2","net.skyscanner.android.main",1811261925,"5.57","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: net.skyscanner.android.main
The app receives the following response from graph.facebook.com:
{
"success":true
}
Without any further user action, the app sends the following request to graph.facebook.com
Form data:
format: json
sdk: android
custom_events_file: [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543789926,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","login_lib_included":"1","places_lib_included":"1","all_lib_included":"1","share_lib_included":"1","messenger_lib_included":"1","applinks_lib_included":"1"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543789926,"_ui":"SplashActivity","_session_id":"9582dd9a-7d17-4b1e-8f2e-3eb88369c542","fb_mobile_launch_source":"Unclassified()"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ91d69838-8980-4d1a-8e41-d6c21362b0b5
application_tracking_enabled: true
extinfo: ["a2","net.skyscanner.android.main",1811261925,"5.57","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: net.skyscanner.android.main
The app receives the following response from graph.facebook.com:
{
"success":true
}
Without any further user action, the app sends the following request to graph.facebook.com
format: json
sdk: android
event: DEFERRED_APP_LINK
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ91d69838-8980-4d1a-8e41-d6c21362b0b5
application_tracking_enabled: true
extinfo: ["a2","net.skyscanner.android.main",1811261925,"5.57","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: net.skyscanner.android.main
The app receives the following response from graph.facebook.com:
{
"success":true
}
Response from app: Only now does the application prompt with a notice "Your data. Your choice."
Test user action 2: The user selects “CONTINUE"
Screenshot of Dialog shown to user:
The following data is sent to graph.facebook.com
Form data:
format: json
sdk: android
custom_events_file: [{"_eventName":"fb_mobile_content_view","_eventName_md5":"533c6dea25f750ee1fefcd943f21df1f","_logTime":1543789931,"_ui":"unknown","_session_id":"9582dd9a-7d17-4b1e-8f2e-3eb88369c542"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ91d69838-8980-4d1a-8e41-d6c21362b0b5
application_tracking_enabled: true
extinfo: ["a2","net.skyscanner.android.main",1811261925,"5.57","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: net.skyscanner.android.main
With the response:
{
"success":true
}
Test user action 3/4: The user select next twice
Response from app: The application asked for the user to sign in
Screenshot of Dialog shown to user:
Test user action 5: The user rejects the sign in screen (by clicking the X icon)
Response from app: The home screen is shown
Test user action 6: The user selects Flights
Response from app: The Search Flights screen is shown
Test user action 7: The user inputs London as the departure destination
Response from app: The following data is sent to graph.facebook.com
Form data:
format: json
sdk: android
custom_events_file: [{"_eventName":"origin_selected","_eventName_md5":"b883a259b3e22dcafeb6cd97872e5692","_logTime":1543790183,"_ui":"unknown","_session_id":"9582dd9a-7d17-4b1e-8f2e-3eb88369c542","origin_city_name":"London","origin_iata":"LOND","origin_name":"London"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ91d69838-8980-4d1a-8e41-d6c21362b0b5
application_tracking_enabled: true
extinfo: ["a2","net.skyscanner.android.main",1811261925,"5.57","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: net.skyscanner.android.main
With the response:
{
"success":true
}
Test user action 8: The user inputs Tokyo as the arrival destination
Response from app: The following data is sent to graph.facebook.com
Form data:
format: json
sdk: android
custom_events_file: [{"_eventName":"destination_selected","_eventName_md5":"cd48f17164b8286eeb6fddd86eccc8ca","_logTime":1543790201,"_ui":"unknown","_session_id":"9582dd9a-7d17-4b1e-8f2e-3eb88369c542","destination_city_name":"Tokyo","destination_iata":"TYOA","destination_name":"Tokyo"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ91d69838-8980-4d1a-8e41-d6c21362b0b5
application_tracking_enabled: true
extinfo: ["a2","net.skyscanner.android.main",1811261925,"5.57","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: net.skyscanner.android.main
With the response:
{
"success":true
}
Test user action 9: The user selects the search button
Response from app: The following data is sent to graph.facebook.com, along with search results being shown
Form data:
format: json
sdk: android
custom_events_file: [{"_eventName":"flight_search","_eventName_md5":"d5521a518f2b76694cc27dd453c90120","_logTime":1543790283,"_ui":"unknown","_session_id":"9582dd9a-7d17-4b1e-8f2e-3eb88369c542","airport_from_iata_flight_search":"","airport_from_name_flight_search":"","airport_from_city_name_flight_search":"London","date_to_flight_search":"2018-12-04","origin_iata_flight_search":"LOND","date_from_flight_search":"2018-12-03","airport_to_iata_flight_search":"","airport_to_name_flight_search":"","airport_to_city_name_flight_search":"Tokyo","destination_iata_flight_search":"TYOA"},{"_eventName":"Search","_eventName_md5":"13348442cc6a27032d2b4aa28b75a5d3","_logTime":1543790283,"_ui":"unknown","_session_id":"9582dd9a-7d17-4b1e-8f2e-3eb88369c542","fb_destination_airport":"TYOA","fb_returning_departure_date":"2018-12-04","fb_description":"Flight","fb_content_type":"flight","fb_origin_airport":"LOND","fb_travel_class":"economy","fb_departing_departure_date":"2018-12-03","fb_num_adults":"1"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ91d69838-8980-4d1a-8e41-d6c21362b0b5
application_tracking_enabled: true
extinfo: ["a2","net.skyscanner.android.main",1811261925,"5.57","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: net.skyscanner.android.main
With the response:
{
"success":true
}
Test user action 10: The user returns to the home screen and intiates a new search for Hotels, in Tokyo.
Response from app: The following data is sent to graph.facebook.com, along with search results being shown
Form data:
format: json
sdk: android
custom_events_file: [{"_eventName":"hotel_search","_eventName_md5":"346355f80578322e62d0b3a084aacf07","_logTime":1543790515,"_ui":"unknown","_session_id":"9582dd9a-7d17-4b1e-8f2e-3eb88369c542","checkout_date_hotel_search":"2018-12-05","checkin_date_hotel_search":"2018-12-03","destination_id_hotel_search":"27542089","destination_name_hotel_search":"Tokyo"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ91d69838-8980-4d1a-8e41-d6c21362b0b5
application_tracking_enabled: true
extinfo: ["a2","net.skyscanner.android.main",1811261925,"5.57","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: net.skyscanner.android.main
With the response:
{
"success":true
}
Test user action 11: The user closes the application
Response from app: No futher data is sent or received by the app from graph.facebook.com
Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.
Note 2: The phone videos are split into multiple parts due to a 180 second limitation in Android Developer Bridge screenrecord command
Skyscanner, 22 December 2018 (via E-Mail to Privacy International)
“Many thanks for alerting Skyscanner to this issue. Our goal is to be as transparent and upfront as possible with travellers regarding what information is collected from them and who it is shared with. Since receiving your letter, we released an update to our app as a priority which will stop the transmission of data via the Facebook SDK. As a further result of this we will audit all our consent tracking and are committed to making any changes necessary to ensure that travellers privacy rights are fully respected.”