
OneSignal

OneSignal embeds persistent device-level tracking infrastructure across web push, mobile, email, SMS, and in-app channels, with a free tier business model that historically monetized user behavioral data by sharing it with advertisers.

63 IOCs | Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what OneSignal discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps

tracking

MEDIUM
They Claim

Does not use cookies for web tracking

Observed Behavior

Uses Local Storage and IndexedDB which persist beyond cookie clearing and may bypass cookie consent mechanisms

data_sharing

HIGH
They Claim

Free push notification service

Observed Behavior

Free tier historically monetizes by sharing user behavioral and transaction data with advertisers

pending

UNKNOWN
They Claim

Awaiting scanner verification

Observed Behavior

Runtime behavior analysis pending to confirm SDK initialization timing, data transmission pre-consent, and Local Storage usage patterns

Customer Impact

What This Means For You

Organizations deploying OneSignal are installing persistent device-level tracking infrastructure that generates unique identifiers and monitors user engagement across all messaging channels. On free tier deployments, user behavioral and transaction data is shared with advertisers, making the site's push notification infrastructure a de facto advertising data pipeline. The default SDK configuration transmits device data before consent events, creating pre-consent data exposure on every page load. For organizations subject to GDPR or ePrivacy Directive, the Local Storage tracking approach and default pre-consent data transmission require explicit technical mitigation that is not enabled by default.

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for OneSignal

  • Verify SDK consent configuration: ensure requiresUserPrivacyConsent is enabled to prevent pre-consent data transmission to OneSignal servers.
  • Audit free vs. paid tier implications: if on the free tier, understand that user data is shared with advertisers and evaluate an upgrade to eliminate data monetization.
  • Review Local Storage and IndexedDB entries created by the OneSignal SDK and ensure these are covered by your consent management platform.
  • Evaluate AppsFlyer, Firebase, and other integration data flows to map where OneSignal-collected behavioral data propagates.
  • Implement server-side push delivery where possible to reduce the client-side SDK footprint and associated tracking surface.

Negotiation Leverage

  • OneSignal's negotiation position is significantly weakened by the free tier data monetization model, which shares user data with advertisers. This creates immediate leverage: demand contractual confirmation that paid tier data is not used for advertising purposes and request audit certification. The default pre-consent SDK behavior is a second pressure point. Require OneSignal to confirm in writing that their SDK respects consent state when properly configured, and negotiate SLA terms around consent configuration support. For enterprise contracts, demand data residency options, sub-processor transparency, and explicit restrictions on behavioral data use beyond contracted messaging services. The ISO 27001/27701 certifications provide security assurance but do not address the fundamental data monetization business model.

IOC Manifest

63 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Pattern indicators (TRACK = tracking script, EXFIL = data collection endpoint):

TRACK  *onesignal.com/cdn-cgi/scripts/*/cloudflare-static/rocket-loader.js*
TRACK  *cdn.onesignal.com/sdks/OneSignalSDK.js*
TRACK  *onesignal.com/js/individual-pages/highlight-min.js*
TRACK  *onesignal.com/js/individual-pages/lottie-player-min.js*
TRACK  *onesignal.com/js/individual-pages/marquee-min.js*
TRACK  *onesignal.com/js/individual-pages/platform-min.js*
TRACK  *onesignal.com/js/main-min.js*
TRACK  *onesignal.com/js/individual-pages/carousel-min.js*
TRACK  *cdn.onesignal.com/sdks/OneSignalPageSDKES6.js*
EXFIL  *onesignal.com/api/v1/sync/*-6e87-*-9b6f-*/web*
TRACK  *media-cms.onesignal.com/cms/Website%20Layout/home-live-activities.json*
TRACK  *media-cms.onesignal.com/cms/Website%20Layout/home-web-push-notifications.json*
TRACK  *media-cms.onesignal.com/cms/Website%20Layout/home-sms.json*
TRACK  *media-cms.onesignal.com/cms/Website%20Layout/home-in-app-messaging.json*
TRACK  *media-cms.onesignal.com/cms/Website%20Layout/home-mobile-push-notifications.json*
TRACK  *media-cms.onesignal.com/cms/Website%20Layout/home-create-intelligent-journeys-that-captivate-v2.json*
TRACK  *media-cms.onesignal.com/cms/Website%20Layout/home-measure-and-maximize-impact.json*
EXFIL  *media-cms.onesignal.com/cms/Website%20Layout/home-deliver-personalized-messaging-at-scale.json*
TRACK  *media-cms.onesignal.com/cms/Website%20Layout/home-email.json*

Literal URLs auto-extracted from the scan:

TRACK  onesignal.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js
TRACK  cdn.onesignal.com/sdks/OneSignalSDK.js
TRACK  onesignal.com/js/individual-pages/highlight-min.js
TRACK  onesignal.com/js/individual-pages/marquee-min.js
TRACK  onesignal.com/js/individual-pages/platform-min.js
TRACK  onesignal.com/js/individual-pages/lottie-player-min.js
TRACK  onesignal.com/js/individual-pages/carousel-min.js
TRACK  onesignal.com/js/main-min.js
TRACK  cdn.onesignal.com/sdks/OneSignalPageSDKES6.js
EXFIL  onesignal.com/api/v1/sync/ab76e2a0-6e87-4143-9b6f-452adb3e0742/web

Ecosystem & Supply Chain

OneSignal operates in the customer messaging and engagement platform ecosystem alongside Braze, Airship, Pushwoosh, and Firebase Cloud Messaging. It integrates with Firebase, WordPress, Shopify, AppsFlyer, and custom APIs. Key data flow pathways include AppsFlyer (mobile attribution data exchange), Firebase (analytics and event data), and various webhook-based custom integrations. The SDK's runtime footprint includes service worker registration for web push, Local Storage and IndexedDB for state persistence, and network requests to OneSignal infrastructure for every message delivery and interaction event. Sites deploying OneSignal typically pair it with analytics platforms and attribution services, creating a multi-vendor engagement tracking stack where user behavioral data flows through multiple intermediaries.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

63 detection signatures across scripts, domains, cookies, and network endpoints
