VK (vkontakte)

Retest Observations

We retested this app on 05.03.2019. The app doesn’t contact Facebook as soon as the app is opened.

Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.

From the Google Play Store page:

"VK unites millions of people through the messaging and sharing of news from anywhere around the globe.

You can send messages, share stories and photos, watch videos and live streams, listen to music, play games, join communities and discover a whole new world of talented artists."

Observed Behaviour

This documentation demonstrates actions taken by the test user and the apps subsequent responses.

Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:

Immediately after the app is opened, the following data is sent to graph.facebook.com (Graph)

format:                       json
sdk:                          android
event:                        MOBILE_APP_INSTALL
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZ801b9f8d-9395-4bbd-8396-83fe6ff66d38
application_tracking_enabled: true
extinfo:                      ["a2","com.vkontakte.android",2978,"5.23","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name:     com.vkontakte.android

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

Without any further user action, the app sends the following request to graph.facebook.com

Form data:
format:                       json
sdk:                          android
custom_events_file:           [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543758287,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","login_lib_included":"1","share_lib_included":"1"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZ801b9f8d-9395-4bbd-8396-83fe6ff66d38
application_tracking_enabled: true
extinfo:                      ["a2","com.vkontakte.android",2978,"5.23","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name:     com.vkontakte.android

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

Test user action 2: The login screen was shown, and sign up was selected
Test user action 3: Sign up was not completed

Without any further user action, the app sends the following request to graph.facebook.com

Form data:
format:                       json
sdk:                          android
custom_events_file:           [{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543758341,"_ui":"AuthActivity","_session_id":"532f794b-64b3-4822-b16a-09fc92fb9bbf","fb_mobile_launch_source":"Unclassified"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZ801b9f8d-9395-4bbd-8396-83fe6ff66d38
application_tracking_enabled: true
extinfo:                      ["a2","com.vkontakte.android",2978,"5.23","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name:     com.vkontakte.android

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

Test user action 4: The user closes the app gracefully
Response from app: The following data is sent to graph.facebook.com

The app sends the following request to graph.facebook.com

Form data:
format:                       json
sdk:                          android
custom_events_file:           [{"_eventName":"fb_mobile_deactivate_app","_eventName_md5":"92255b491a4e25b5d809edcf3665affe","_logTime":"1543758446","_ui":"SignupActivity","_session_id":"532f794b-64b3-4822-b16a-09fc92fb9bbf","_valueToSum":104,"fb_mobile_time_between_sessions":"session_quanta_0","fb_mobile_launch_source":"Unclassified","fb_mobile_app_interruptions":"0"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZ801b9f8d-9395-4bbd-8396-83fe6ff66d38
application_tracking_enabled: true
extinfo:                      ["a2","com.vkontakte.android",2978,"5.23","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name:     com.vkontakte.android

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

Notes and Commentary

Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.

Company Response

VK, 27 December 2018 (via E-Mail to Privacy International)

"VK apps use standard Facebook Login, Sharing and Core SDKs to provide VK users the ability to find friends from Facebook and share their VK content. In particular, VK:

- provides users the ability to log in into VK app via their Facebook account (FB OAUTH),

- allows users find their Facebook friends on VK,

- provides users the ability to share VK posts and videos on their Facebook account.

All of this is disclosed in our Privacy Policy: https://vk.com/privacy/eu

We do not use the data transmitted via Facebook SDKs for any analytical or tracking purposes."

Links to Analysis Videos

VirtualBox Screen Capture (Raw)

Phone Screen Capture (Raw)

Date Tested

02/12/2018

App Version

5.23