Calorie Counter - MyFitnessPal

Retest Observations

We retested this app on 19/02/2019. The app still contacts Facebook as soon as the app is opened, but no longer shares your Google advertising ID.

Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.

Read more

From the Google Play Store page:

"Whether you want to lose weight, tone up, get healthy, change your habits, or start a new diet MyFitnessPal has you covered. Our members have lost over 200 million pounds and 88% of people who track for at least 7 days on MyFitnessPal lose weight. Sign up for FREE and start living a happier and healthier life today!"

Observed Behaviour

 This documentation demonstrates actions taken by the test user and the apps subsequent responses.

Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:

Immediately after the app is opened, the following data is sent to graph.facebook.com (Graph)

The following HTTP GET request is made to graph.facebook.com

GET https://graph.facebook.com/v3.2/186796388009496/button_auto_detection_device_selection?fields=is_selected&format=json&sdk=android&device_id=474364c6-e9cf-4971-8dd2-b1dc3c605450 HTTP/1.1

The app receives the following response from graph.facebook.com:

 {
  "data":[ {
    "is_selected":false
  }
  ]
}

 

Without any further user action, the app sends the following request to graph.facebook.com

format:                       json
sdk:                          android
event:                        MOBILE_APP_INSTALL
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZc87fa4d6-875d-4606-a00f-6e585dd444c7
application_tracking_enabled: true
extinfo:                      ["a2","com.myfitnesspal.android",11334,"18.11.0","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name:     com.myfitnesspal.android

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

 

Without any further user action, the app sends the following request to graph.facebook.com

format:                       json
sdk:                          android
custom_events:                [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543925052,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","marketing_lib_included":"1","login_lib_included":"1","billing_service_lib_included":"1","places_lib_included":"1","all_lib_included":"1","share_lib_included":"1","messenger_lib_included":"1","applinks_lib_included":"1"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543925052,"_ui":"Welcome","_session_id":"4ff2d350-54bc-4ebe-8556-021d5dc15711","fb_mobile_launch_source":"Unclassified"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZc87fa4d6-875d-4606-a00f-6e585dd444c7
application_tracking_enabled: true
extinfo:                      ["a2","com.myfitnesspal.android",11334,"18.11.0","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name:     com.myfitnesspal.android

With the response:

 {
  "success":true
}

 

Test user action 2: The user makes further interaction with app
Response from app: No futher data is sent to graph.facebook.com

Test user action 3: The user closes the application
Response from app: No futher data is sent or received by the app from graph.facebook.com

Notes and Commentary

Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.

Company Response

My Fitness Pal (Under Armour), 26 December 2018 (via E-Mail to Privacy International) 

“Thank you for reaching out regarding our data privacy practices and program.  The SDK identified is a common analytics tool. It provides information that allow apps, like MyFitnessPal, to improve the services provided to their user communities (i.e., it serves to provide an aggregative view of app installs, app open, and in app purchase activity – information that is then used to enhance the app experience).  MyFitnessPal specifically outlines this to users in its Privacy Policy as analytics processed for a legitimate interest as permitted under Art. 6 (1) (f) of the General Data Protection Regulation (GDPR), namely “… to enhance … [user] experience and to develop and improve our Services.” We trust this explanation responds to your inquiry. Please let us know if you have any follow up questions.” 

Date Tested
04/12/2018
App Version
18.11.0
Number of App Installs (according to Google Play Store at time of analysis)
50,000,000+
Facebook SDK Version
4.38.1
Opt out of Ads Personalisation (Google Settings)
Not Enabled (Default Setting)