My Talking Tom / My Talking Hank etc

Retest Observations

We retested this app on 19.02.2019. On retest, the app does not contact Facebook as soon as it is opened.

Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.

A collection of digital Tamagotchi-like apps with over 7 billion combined downloads

Observed Behaviour

This documentation records the actions taken by the test user and the app's subsequent responses.

Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:

Immediately after the app is opened, the following data is sent to graph.facebook.com (Graph)

The following HTTP GET request is made to graph.facebook.com

GET https://graph.facebook.com/v3.0/1810807739198766?fields=supports_implicit_sdk_logging%2Cgdpv4_nux_content%2Cgdpv4_nux_enabled%2Cgdpv4_chrome_custom_tabs_enabled%2Candroid_dialog_configs%2Candroid_sdk_error_categories%2Capp_events_session_timeout%2Capp_events_feature_bitmask%2Cseamless_login%2Csmart_login_bookmark_icon_url%2Csmart_login_menu_icon_url&format=json&sdk=android HTTP/1.1

The app receives the following response from graph.facebook.com:

{
  "supports_implicit_sdk_logging": true,
  "gdpv4_nux_enabled": false,
  "gdpv4_chrome_custom_tabs_enabled": true,
  "android_sdk_error_categories": [
    {
      "name": "login_recoverable",
      "items": [
        {"code": 102},
        {"code": 190}
      ],
      "recovery_message": "Please log in to this app again to reconnect your Facebook account."
    }
  ],
  "app_events_session_timeout": 60,
  "app_events_feature_bitmask": 7,
  "seamless_login": 1,
  "smart_login_bookmark_icon_url": "https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yh\/r\/HyQ4Fq_iGUX.png",
  "smart_login_menu_icon_url": "https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yR\/r\/xi3BPJ134MF.png",
  "id": "1810807739198766"
}

 

Without any further user action, the app sends the following request to graph.facebook.com

Form data:
format:                       json
sdk:                          android
custom_events_file:           [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543939641,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","login_lib_included":"1","share_lib_included":"1"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543939641,"_ui":"MyTalkingHankNativeActivity","_session_id":"8edfc39a-b228-4001-bbee-c38c458876a4","fb_mobile_launch_source":"Unclassified()"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZ1483bf8a-8e80-4e4d-8d0c-8dfefdeb4aa9
application_tracking_enabled: true
extinfo:                      ["a2","com.outfit7.mytalkinghank",240,"1.8.3.161","8.1.0","Nexus 5","en_GB","","NoCarrier",1080,1776,"3.00",4,-1,-1,""]
application_package_name:     com.outfit7.mytalkinghank

The app receives the following response from graph.facebook.com:

 {
  "success":true
}
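
An added example, not part of the original report and not Facebook SDK code: a small Python audit of a captured form POST like the one above, listing the identifiers, device attributes and events it discloses and flagging an advertising ID sent to graph.facebook.com without consent. The extinfo labels, the function name and the consent_given flag are assumptions of this example; the sample is constructed from the request shown above.

```python
import json

# Labels for the positional extinfo array. These names are this example's
# reading of the values on the page, not taken from the page itself.
EXTINFO_LABELS = [
    "format", "package", "version_code", "version_name", "os_version",
    "device_model", "locale", "tz_abbrev", "carrier", "screen_width",
    "screen_height", "screen_density", "cpu_cores", "storage_total_gb",
    "storage_free_gb", "tz_name",
]
IDENTIFIER_FIELDS = ("advertiser_id", "anon_id")


def audit_request(host, form, consent_given=False):
    """Summarise what one captured form POST discloses to `host`."""
    events = json.loads(form.get("custom_events_file", "[]"))
    extinfo = json.loads(form.get("extinfo", "[]"))
    report = {
        "host": host,
        "event": form.get("event"),
        "identifiers": {k: form[k] for k in IDENTIFIER_FIELDS if k in form},
        "device": dict(zip(EXTINFO_LABELS, extinfo)),
        "event_names": [e.get("_eventName") for e in events],
        "implicit_events": [e["_eventName"] for e in events
                            if e.get("_implicitlyLogged") == "1"],
    }
    # Finding: an advertising ID reaches Facebook before the user consented.
    report["finding"] = (host == "graph.facebook.com"
                         and "advertiser_id" in form and not consent_given)
    return report


# Constructed from the first form POST shown above (events trimmed to the
# fields the audit reads).
SAMPLE_FORM = {
    "event": "CUSTOM_APP_EVENTS",
    "advertiser_id": "474364c6-e9cf-4971-8dd2-b1dc3c605450",
    "anon_id": "XZ1483bf8a-8e80-4e4d-8d0c-8dfefdeb4aa9",
    "custom_events_file": json.dumps([
        {"_eventName": "fb_sdk_initialize", "_implicitlyLogged": "1"},
        {"_eventName": "fb_mobile_activate_app",
         "_ui": "MyTalkingHankNativeActivity"},
    ]),
    "extinfo": '["a2","com.outfit7.mytalkinghank",240,"1.8.3.161","8.1.0",'
               '"Nexus 5","en_GB","","NoCarrier",1080,1776,"3.00",4,-1,-1,""]',
}

if __name__ == "__main__":
    print(json.dumps(audit_request("graph.facebook.com", SAMPLE_FORM), indent=2))
```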

 

Without any further user action, the app sends the following request to graph.facebook.com

format:                       json
sdk:                          android
event:                        MOBILE_APP_INSTALL
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZ1483bf8a-8e80-4e4d-8d0c-8dfefdeb4aa9
application_tracking_enabled: true
extinfo:                      ["a2","com.outfit7.mytalkinghank",240,"1.8.3.161","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,5,"Europe\/London"]
application_package_name:     com.outfit7.mytalkinghank

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

 

Test user action 2: The user interacts further with the app
Response from app: No further data is sent to graph.facebook.com while the app is running

 

Test user action 3: The user closes the app gracefully
Response from app: The following data is sent to graph.facebook.com

The app sends the following request to graph.facebook.com

Form data:
format:                       json
sdk:                          android
custom_events_file:           [{"_eventName":"fb_mobile_deactivate_app","_eventName_md5":"92255b491a4e25b5d809edcf3665affe","_logTime":"1543939840","_ui":"MyTalkingHankNativeActivity","_session_id":"8edfc39a-b228-4001-bbee-c38c458876a4","_valueToSum":198,"fb_mobile_time_between_sessions":"session_quanta_0","fb_mobile_launch_source":"Unclassified()","fb_mobile_app_interruptions":"0"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZ1483bf8a-8e80-4e4d-8d0c-8dfefdeb4aa9
application_tracking_enabled: true
extinfo:                      ["a2","com.outfit7.mytalkinghank",240,"1.8.3.161","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,5,"Europe\/London"]
application_package_name:     com.outfit7.mytalkinghank

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

Notes and Commentary

Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.

Company Response

My Talking Hank and My Talking Tom (Outfit7), 27 December 2018 (via E-Mail to Privacy International) 

“Thank you for taking the time to review our privacy practices. We take the privacy of our users very seriously, so we’re glad to have the chance to cooperate with Privacy International. 

To demonstrate our commitment to the privacy of our users, we’ve undergone the robust certification process for compliance with the GDPR and we’re also members of the ePrivacyApp certification program (the “Program”). ePrivacy is an independent, third-party organization specializing in digital data protection. As part of the Program, Outfit7's Talking Tom and Friends and other characters applications are subject to a comprehensive inspection and certification of the applications with respect to ensure that the applications live up to the high demands in the field of data protection and can provide a high level of security of end user data. 

Please note that we are aware of the problem with Facebook SDK and we have been actively working on finding solutions to ensure privacy of our end user data. Please see exhibit A - Jira Ticket - which clearly shows that we started working on updating Facebook SDK already in September, 2018 in order to ensure that end user data is being collected in compliance with the law. For the EEA territory, which includes UK, the internal instructions were, that all app events, together with the advertising ID, sent to graph.facebook.com must be disabled for users that are below 16 or do not pass the localized age gate (meaning age gate, which is set in accordance with the local legislation regarding the year of consent). For users that are above 16 or pass the localized age gate, Facebook login SDK must be added to our consent tool and no app event data (including advertising ID), should be sent to graph.facebook.com unless user gives consent. On October 17, 2018, we have decided to entirely disable transmission of app events data (including advertising ID) to graph.facebook.com regardless of the fact whether user passed the age gate or not. Please note that in order for us to update Facebook SDK in a particular app, the app needs to be updated, which was done in a regular course of updates. The first app that was updated with the updated Facebook SDK was Talking Tom Gold Run (November 20, 2018). My Talking Tom and My Talking Angela apps were updated on December 20, 2018. All the other apps, including My Talking Hank, will get updated by the end of February 2019.”

Date Tested: 03/12/2018
App Version: 1.8.3.161
Number of App Installs (according to Google Play Store at time of analysis): 500,000,000+
Facebook SDK Version: 4.33.0
Opt out of Ads Personalisation (Google Settings): Not Enabled (Default Setting)