Sign up to Newsletter

Period Tracker Clue: Period & Ovulation Calculator

Retest Observations

We retested this app on 17/02/2019. The app still contacts Facebook as soon as the app is opened, but no longer shares your Google advertising ID.

Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.

Read more

From the Google Play Store page:

"Clue is a period tracker and ovulation app that uses science and data to help you discover the unique patterns in your menstrual cycle. Use Clue to remind you about your period, PMS, ovulation and fertility".

Observed Behaviour

 This documentation demonstrates actions taken by the test user and the apps subsequent responses.

Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:

Immediately after the app is opened, the following data is sent to graph.facebook.com (Graph)

The app sends the following HTTP GET request to graph.facebook.com

GET https://graph.facebook.com/v3.1/337038496678353?fields=supports_implicit_sdk_logging%2Cgdpv4_nux_content%2Cgdpv4_nux_enabled%2Cgdpv4_chrome_custom_tabs_enabled%2Candroid_dialog_configs%2Candroid_sdk_error_categories%2Capp_events_session_timeout%2Capp_events_feature_bitmask%2Cauto_event_mapping_android%2Cseamless_login%2Csmart_login_bookmark_icon_url%2Csmart_login_menu_icon_url&format=json&sdk=android HTTP/1.1

With the response

 {
  "supports_implicit_sdk_logging":true,"gdpv4_nux_enabled":false,"gdpv4_chrome_custom_tabs_enabled":true,"android_sdk_error_categories":[ {
    "name":"login_recoverable","items":[ {
      "code":102
    }
    , {
      "code":190
    }
    ],"recovery_message":"Please log in to this app again to reconnect your Facebook account."
  }
  ],"app_events_session_timeout":60,"app_events_feature_bitmask":5,"seamless_login":1,"smart_login_bookmark_icon_url":"https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yh\/r\/HyQ4Fq_iGUX.png","smart_login_menu_icon_url":"https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yR\/r\/xi3BPJ134MF.png","id":"337038496678353"
}

Without any further user action, the app sends the following request to graph.facebook.com

Form data:
format:                       json
sdk:                          android
custom_events_file:           [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543921807,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","login_lib_included":"1","billing_service_lib_included":"1"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543921808,"_ui":"WheelActivity","_session_id":"02998fab-e051-41af-81eb-4b2d7486015b","fb_mobile_launch_source":"Unclassified()"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZf52c327f-a342-4fa6-a20e-ae6e4b14a99e
application_tracking_enabled: true
extinfo:                      ["a2","com.clue.android",2430,"5.4.0","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name:     com.clue.android

With the response:

 {
  "success":true
}
Without any further user action, the app sends the following request to graph.facebook.com

format:                       json
sdk:                          android
event:                        MOBILE_APP_INSTALL
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZf52c327f-a342-4fa6-a20e-ae6e4b14a99e
application_tracking_enabled: true
extinfo:                      ["a2","com.clue.android",2430,"5.4.0","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name:     com.clue.android

With the response:

 {
  "success":true
}

 

Test user action 2: The user makes further interaction with app
Response from app: No futher data is sent to graph.facebook.com

Test user action 3: The user closes the application
Response from app: No futher data is sent or received by the app from graph.facebook.com

 

Notes and Commentary

Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.
Note 2: The phone videos are split into multiple parts due to a 180 second limitation in Android Developer Bridge screenrecord command

Company Response

28 December 2018 (via E-Mail to Privacy International) 

"Clue uses the SDK to provide certain service features such as a login to the Clue app with Facebook credentials which means we do share usage information containing the meta-data of the app-usage with Facebook. We don’t share any personal data of our users with Facebook.

We believe that this is something we should make clearer to our users and have already begun procedures to update our privacy policy in this regard."

Links to Analysis Videos
VirtualBox Screen Capture (Raw)
Phone Screen Capture (Raw) -Part 1
Phone Screen Capture (Raw) -Part 2
Date Tested
04/12/2018
App Version
5.4.0
Area of work
Investigating Apps interactions with Facebook on Android
Number of App Installs (according to Google Play Store at time of analysis)
10,000,000+
Facebook SDK Version
4.36.1
Store Link
https://play.google.com/store/apps…
Opt out of Ads Personalisation (Google Settings)
Not Enabled (Default Setting)