New Tool Exposes How In-App Ads Use Network Data to Trace Your Location

A new open-source toolkit allows users to analyze mobile app network traffic for potential data leaks to ad networks.

Mobile apps, especially free ones, often create extensive data trails, transmitting user information to unseen third parties through advertising networks – a process largely opaque to the average phone owner. Now, security researcher Tim Shott offers a method for individuals to potentially illuminate this activity, releasing an open-source guide and accompanying software toolkit designed to intercept and analyze the network traffic emanating from their own devices.

The resources aim to empower users to identify how information like location coordinates or IP addresses might be shared, often via the complex network of advertising technology partners integrated into apps.

The toolkit centers on mitmproxy, a well-regarded open-source interactive HTTPS proxy, which captures the requests passing between the phone and the internet. Complementing it is a Jupyter notebook (mitm_test.ipynb) whose Python code parses the captured flows.

The notebook lets users search the captured traffic for specific keywords, such as "lat", "lon", "ip", or device identifiers, to flag potential data exposures. The project's readme walks through setting up the proxy, configuring a mobile device to route its traffic through it, and installing mitmproxy's CA certificate on the device so that HTTPS traffic can be decrypted and inspected. Two caveats apply to any setup of this kind: apps that pin their server certificates will refuse the proxy's connection and appear only as failed TLS handshakes, and on Android 7 and later apps do not trust user-installed CA certificates unless they explicitly opt in, so some traffic stays opaque without a rooted device.
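As an added illustration of the keyword search described above (this is not code from Shott's repository), the following Python scans a handful of constructed request records for the kinds of fields the notebook looks for. The record shape (a URL plus an optional body), the hostnames under .example, the bundle id and every value are assumptions made for the example. With mitmproxy installed, equivalent records could be produced from a saved capture via `mitmproxy.io.FlowReader`, taking `flow.request.pretty_url` and `flow.request.get_text()`.

```python
"""Keyword scan of captured app traffic for location and identifier leaks.

Added example for this article, not code from Tim Shott's repository. Each
record in SAMPLE_FLOWS stands in for one request taken from a mitmproxy
capture (URL plus body); hostnames, bundle id and all values are constructed.
"""
import json
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Parameter / JSON key names that typically carry coordinates, client
# addresses or advertising identifiers (compared case-insensitively).
SENSITIVE_KEYS = {
    "lat", "latitude", "lon", "lng", "longitude",
    "ip", "ipaddr", "client_ip",
    "ifa", "idfa", "aaid", "gaid", "adid", "advertising_id",
}
# Value shapes flagged even when the key name is innocuous.
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def _walk(obj, path=""):
    """Yield (dotted_path, scalar) for every leaf of a parsed JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{path}[{i}]")
    else:
        yield path, obj


def _classify(path, value):
    """Return why (path, value) looks like a leak, or None if it does not."""
    leaf = path.rsplit(".", 1)[-1].split("[")[0].lower()
    if leaf in SENSITIVE_KEYS:
        return f"sensitive key '{leaf}'"
    if isinstance(value, str):
        if UUID_RE.match(value):
            return "UUID-shaped value (possible advertising ID)"
        if IPV4_RE.match(value):
            return "IPv4-shaped value"
    return None


def scan_flow(flow):
    """Scan one request record and return a list of finding dicts."""
    parts = urlsplit(flow["url"])
    host = parts.hostname or ""
    hits = []  # (where, key, value, reason)
    # 1. Query-string parameters.
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        reason = _classify(key, val)
        if reason:
            hits.append(("query", key, val, reason))
    # 2. Body: walk it as JSON if it parses, otherwise fall back to a plain grep.
    body = flow.get("body")
    if body:
        try:
            parsed = json.loads(body)
        except ValueError:
            parsed = None
        if parsed is not None:
            for path, val in _walk(parsed):
                reason = _classify(path, val)
                if reason:
                    hits.append(("body", path, val, reason))
        else:
            for kw in sorted(SENSITIVE_KEYS):
                if re.search(rf"\b{kw}\b", body, re.I):
                    hits.append(("body", kw, None, "keyword hit in non-JSON body"))
    return [{"host": host, "where": w, "key": k, "value": v, "reason": r}
            for w, k, v, r in hits]


def scan_capture(flows):
    """Scan every request and return all findings in capture order."""
    return [f for flow in flows for f in scan_flow(flow)]


def findings_per_host(findings):
    """Count findings per destination host, the summary view of a capture."""
    return dict(Counter(f["host"] for f in findings))


# Constructed sample capture: three requests, all values invented.
SAMPLE_FLOWS = [
    {   # SDK event beacon with coordinates and an advertising ID in the query
        "url": ("https://events.adsdk.example/v2/track?lat=52.5200&lon=13.4050"
                "&ifa=6f9619ff-8b86-d011-b42d-00c04fc964ff"
                "&bundle=com.example.stack&ev=session_start"),
        "body": None},
    {   # JSON body carrying the same data nested under a device object
        "url": "https://bid.dsp.example/request",
        "body": json.dumps({
            "app": {"bundle": "com.example.stack"},
            "device": {"ip": "203.0.113.7",
                       "ifa": "6f9619ff-8b86-d011-b42d-00c04fc964ff",
                       "geo": {"lat": 52.52, "lon": 13.405, "type": 1},
                       "ext": {"brightness": 0.8}}})},
    {   # Ordinary asset fetch; should yield no findings
        "url": "https://cdn.example/assets/splash.png?v=3", "body": None},
]
```

Two details matter in practice. Matching on key names alone misses identifiers sent under unrelated parameter names, which is why the scanner also flags UUID- and IPv4-shaped values; and a JSON body is walked rather than grepped, so a coordinate nested several levels deep still surfaces with its full path (device.geo.lat) instead of a bare keyword hit.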

Context: Prior Research And Industry Risks

This public release follows the researcher’s earlier explorations detailed in a February 2025 blog post. Motivated by reports surrounding a January 2025 data breach affecting location data firm Gravy Analytics (which had merged with Unacast in 2023 and separately faced FTC action over data selling practices in December 2024), Shott investigated data collection using the mobile game “Stack by KetchApp”.

That initial work revealed frequent data transmissions. Notably, advertising components like Unity Ads were observed sending location coordinates and IP addresses even when device location services were toggled off. Facebook’s ad network was also observed receiving IP data without any direct user linkage within the app. Unity’s own developer documentation confirms its SDK collects device and diagnostic information, providing disclosures for app store privacy declarations, and outlines GDPR consent mechanisms for users in applicable regions.

Peering Into App Traffic

The researcher’s toolkit lets users observe such transmissions firsthand. After capturing traffic, the notebook filters the numerous requests down to candidates. This semi-manual approach still requires the user to examine the filtered results, but Shott suggests it offers a way to uncover unexpected data points, such as device screen brightness or headphone status, which were observed alongside IP and location data in the initial research. The researcher also produced a visual flowchart illustrating this complex data movement.

The Ad Tech Data Pipeline

The flow of data from an app often involves multiple intermediaries. Information gathered by the SDK of a Supply-Side Platform (SSP), a service such as Unity Ads that helps app publishers sell ad space, can be passed to Demand-Side Platforms (DSPs), such as Moloco, which help advertisers buy ad inventory. These platforms run Real-Time Bidding (RTB) auctions, and the bid requests sent to prospective buyers carry the device data the SDK collected.

As Shott’s research and reporting from outlets like Krebs on Security highlight, data shared in these bidstream requests can be accessible beyond the winning bidder. One commenter in an AdOps discussion forum noted, regarding who accesses bidstream data: “They access it if they integrate with the provider of bidstream, which would be the SSP. It’s on the SSP to verify the vendor to whom they give access to bids… SSPs want you to spend money… They might open up only part of the traffic to specific vendors… if you don’t bid worldwide, you won’t get the bidstream worldwide…”

This suggests data brokers specializing in location intelligence could potentially acquire data through these channels, as described by sources like Kaspersky.

Further complicating user privacy is the existence of services that explicitly link ostensibly anonymized Mobile Advertising IDs (MAIDs) – unique identifiers like Apple’s IDFA (Identifier for Advertisers) or Google’s AAID (Android Advertising ID) – back to real-world Personally Identifiable Information (PII).

Investigative reports, such as a 2021 piece by VICE/Motherboard, have documented how MAIDs can be correlated with names, physical addresses, phone numbers, and emails. Some data marketplaces, like Datarade, list datasets from companies like Redmob (previously noted as offering large global datasets) and AGR Marketing Solutions, the latter of which provided a public sample spreadsheet illustrating this MAID-to-PII linkage. This capability challenges the notion that MAID-based tracking preserves user anonymity.

Analysis from groups like the ACLU’s Data for Justice Project also points out that the ad industry utilizes techniques like “identity graphs” to track users even if they disable or reset their MAIDs.

A Community Watch Effort

Seeking to broaden the scope of investigation beyond personal experimentation, Shott has initiated a crowdsourcing project detailed in an April 2025 follow-up post. Users are encouraged to employ the provided tools to analyze apps, particularly those potentially implicated by the Gravy Analytics situation (a list derived from a leaked document is available in a shared Google Sheet).

A Google Form allows participants to submit their findings, contributing to a publicly accessible database documenting app data sharing behaviors. The form description explicitly warns users: “PLEASE CHECK ALL OF YOUR INPUTS FOR YOUR PERSONAL INFORMATION. This form is set in a way that I collect nothing personal from you (like email or Google account or whatever), but your response will be viewable by virtually anyone – so be aware!”

This approach aligns with trends seen in academic privacy research, where crowdsourcing helps gather real-world insights. The researcher, who also discussed these topics on a March 2025 episode of Malwarebytes’ “Lock and Code” podcast, cautions contributors to redact personal details before submission.

Alongside the analysis tools, the GitHub repository includes code for generating network graphs, visualizing the connections apps make and highlighting the prevalence of major ad tech domains like Unity, Google, and Applovin. During recent analysis, Shott also noted traffic to an Apple location service endpoint (gs-loc.apple.com) encoded with Protocol Buffers (protobuf), a common binary serialization format. Because protobuf payloads are binary, a plaintext keyword search does not catch them; they must be decoded first (mitmproxy ships a protobuf content view for this), which suggests avenues for future investigation into how even platform-level services interact with app data collection.
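The following added example (Python, not the repository’s own graphing code) shows the aggregation such a graph needs: collapsing observed hostnames to a registrable domain, counting app-to-domain edges, tagging domains that match an ad-tech suffix table and emitting Graphviz DOT for rendering. The app bundles, hostnames and the suffix table are constructed under .example for illustration; the real domains of Unity, Google and AppLovin are deliberately not used here.

```python
"""Aggregate captured app traffic into a host graph and emit Graphviz DOT.

Added example, not the repository's graphing code. Observations are
(app bundle, destination host) pairs as a capture would yield; the apps,
hosts and the ad-tech suffix table below are constructed for illustration.
"""
from collections import Counter

# Heuristic operator tags keyed by domain suffix. Assumption for this
# example: a real table would hold the operators' actual domains.
ADTECH_SUFFIXES = {
    "unityads.example": "Unity",
    "googleads.example": "Google",
    "applovin.example": "AppLovin",
}


def registrable_domain(host):
    """Collapse a hostname to its last two labels.

    Simplification: multi-label public suffixes such as co.uk need the
    Public Suffix List to handle correctly; the constructed data avoids them.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def adtech_label(domain):
    """Return the operator tag for an ad-tech domain or host, else None."""
    for suffix, name in ADTECH_SUFFIXES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return name
    return None


def build_graph(observations):
    """Count app->domain edges and per-domain totals across all apps."""
    edges = Counter((app, registrable_domain(host)) for app, host in observations)
    domains = Counter()
    for (_, domain), n in edges.items():
        domains[domain] += n
    return {"edges": dict(edges), "domains": dict(domains)}


def to_dot(graph):
    """Render the graph as DOT; ad-tech domains are filled and labelled."""
    lines = ["digraph app_traffic {", "  rankdir=LR;"]
    for domain in sorted(graph["domains"]):
        tag = adtech_label(domain)
        if tag:
            lines.append(f'  "{domain}" [label="{domain}\\n({tag})" '
                         'style=filled fillcolor=lightcoral];')
        else:
            lines.append(f'  "{domain}";')
    for (app, domain), n in sorted(graph["edges"].items()):
        # Edge weight scales the line so the busiest destinations stand out.
        lines.append(f'  "{app}" -> "{domain}" [label="{n}" penwidth={1 + n / 5:.1f}];')
    lines.append("}")
    return "\n".join(lines)


# Constructed observations: (app bundle, destination host) from two apps.
SAMPLE_OBSERVATIONS = [
    ("com.example.stack", "config.unityads.example"),
    ("com.example.stack", "events.unityads.example"),
    ("com.example.stack", "events.unityads.example"),
    ("com.example.stack", "pagead.googleads.example"),
    ("com.example.stack", "cdn.example"),
    ("com.example.puzzle", "rt.applovin.example"),
    ("com.example.puzzle", "pagead.googleads.example"),
    ("com.example.puzzle", "api.example-game.example"),
]

if __name__ == "__main__":
    print(to_dot(build_graph(SAMPLE_OBSERVATIONS)))
```

Piping the output through `dot -Tsvg` produces the picture; the point of aggregating by registrable domain first is that an SDK typically talks to several subdomains of one operator, and counting them separately would understate how much traffic that operator actually receives.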

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
