
AppsFlyer

AppsFlyer is the dominant mobile attribution vendor serving over 15,000 brands, operating as a data processor that collects device-level signals across mobile and web channels while sharing user-level data with ad network partners by default and maintaining cross-device matching capabilities that link users across platforms.

164 IOCs
0
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what AppsFlyer discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps

design_concern | HIGH
They Claim: Privacy-preserving SDK methods available
Observed Behavior: Privacy controls exist but user-level data sharing is ON by default; effectiveness depends on advertiser implementation, not platform defaults

pending_verification | MEDIUM
They Claim: Not a data broker or ad network
Observed Behavior: AppsFlyer states it does not sell user data, but cross-device matching using Platform Data aggregated across 15,000+ customers creates identity assets; Signal Hub data collaboration features blur the line between processor and platform

pending_verification | HIGH
They Claim: Fingerprinting-adjacent methods acceptable if output matches SKAdNetwork granularity
Observed Behavior: This interpretation of Apple privacy policy is self-serving and not confirmed by Apple; runtime SDK data collection behavior not yet verified via scanner

pending | UNKNOWN
They Claim: Awaiting full scanner observation
Observed Behavior: Analysis based on public documentation, SDK documentation, privacy policies, and product announcements. Runtime behavior of SDK, actual data collection scope, and postback contents require direct observation.

Customer Impact

What This Means For You

Revenue Risk: As the dominant MMP, AppsFlyer's attribution decisions directly control mobile marketing budget allocation for 15,000+ brands. Any systematic measurement bias affects billions in aggregate ad spend. The expansion into AI-powered campaign optimization means AppsFlyer's models increasingly influence not just measurement but actual marketing execution decisions.

Data Exposure: Default-on user-level data sharing with ad network partners means organizations that have not explicitly configured privacy filters have been distributing Advertising IDs, IP addresses, and conversion data to every integrated partner. This exposure may have been occurring since integration setup without the marketing team's awareness of the default configuration.

Compliance Risk: The fingerprinting-adjacent data collection approach creates regulatory ambiguity. Cross-device matching aggregates personal data across the 15,000+ customer base to build identity graphs, which may constitute processing beyond what individual app privacy policies disclose. Signal Hub's data collaboration features introduce new data sharing vectors that require privacy impact assessment.

Competitive Intelligence: Attribution postbacks share conversion data with ad networks that serve competitors. Cross-device identity graphs built from Platform Data aggregate behavioral signals across your user base with data from thousands of other apps, creating intelligence that benefits the platform and its broader ecosystem.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for AppsFlyer

  • Immediately audit your AppsFlyer partner integration configurations and implement setSharingFilterForPartners to restrict default user-level data sharing with ad networks that do not require it.
  • Review AppsFlyer's use of Platform Data (cross-device matching) and assess whether your privacy policy and user consent mechanisms adequately disclose this data processing.
  • Evaluate the Aggregated Advanced Privacy (AAP) framework and enable it for all partner integrations where user-level postbacks are not operationally required.
  • Assess the scope of data flowing into AppsFlyer's Signal Hub and data collaboration features, and determine whether these new capabilities introduce data sharing beyond your original measurement agreement.
  • Request written confirmation from AppsFlyer regarding their fingerprinting practices on iOS and whether any data collection methods in the SDK would be considered tracking under Apple's ATT framework.

Negotiation Leverage

  • Leverage Points: While AppsFlyer is the market leader, the MMP market includes strong alternatives (Adjust, Singular, Kochava, Branch) that create credible switching options. AppsFlyer's expansion into AI and data collaboration creates new revenue streams that depend on customer data volume, giving them incentive to retain large customers. The fingerprinting controversy creates reputational sensitivity that makes AppsFlyer responsive to privacy-focused contractual demands.
  • Key Questions: (1) Why is user-level data sharing with partners enabled by default rather than requiring opt-in? (2) What data from our SDK deployment is used as Platform Data for cross-device matching, and is this data aggregated with data from other AppsFlyer customers? (3) Does Signal Hub or any data collaboration feature use our data to benefit other brands or partners? (4) What specific data collection methods does the SDK use on iOS, and do any of these methods constitute fingerprinting under Apple's definition? (5) Can you contractually guarantee that our data is processed only for our measurement purposes and not used for platform-level products?
  • Contract Protections: Negotiate default-off data sharing configuration as a contractual requirement. Require explicit consent before any data is used for Platform Data, cross-device matching, or data collaboration features. Include audit rights covering data sharing with all integrated partners. Add contractual definition of fingerprinting aligned with Apple's ATT framework and require compliance. Negotiate data isolation provisions ensuring your data is not aggregated with other customers for platform-level products.
IOC Manifest


164 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

AppsFlyer integrates with hundreds of ad networks, media platforms, and marketing technology providers. Major partners include Google, Meta, TikTok, Snap, Apple Search Ads, and CTV platforms. Data flows bidirectionally: device-level attribution signals are collected via the SDK, and conversion postbacks containing user-level data (Advertising IDs, IP addresses by default) are sent to integrated partners. The 2025 Signal Hub launch positions AppsFlyer as a data collaboration platform, facilitating data exchange between brands, partners, and media platforms. The Aggregated Advanced Privacy (AAP) framework provides optional controls for limiting user-level data sharing, but requires active implementation. AppsFlyer's ecosystem role has expanded from attribution intermediary to marketing data infrastructure, with AI-powered automation, predictive analytics, and cross-platform data collaboration capabilities that increase the volume and variety of data flowing through its infrastructure.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

164 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details