Rovio, the maker of the massively popular Angry Birds, makes no secret about collecting personal data from those who download and play its games. But an analysis from the advanced threat detection firm FireEye is helping to expose the extent of data harvesting, and also to sketch out the blurry line that separates Rovio and third-party advertising networks it contracts with.
In a blog post on Thursday, FireEye analysts Jimmy Suo and Tao Wei described the findings of an investigation into the interaction between Rovio’s mobile applications, including the latest version of Angry Birds, and third-party ad networks such as Jumptap and Millennial Media.
Using FireEye’s Mobile Threat Prevention (MTP), the two gathered network packet capture (PCap) information and analyzed the workings of Angry Birds and its communications with third-party ad networks. By tracking code paths through the reverse-engineered source code of both the ad platforms and Rovio’s applications, they were able to reveal a multi-stage information sharing operation.
Rovio came under fire after documents that former NSA contractor Edward Snowden absconded with, and that The Guardian made public, revealed that the mobile game maker’s “leaky” applications were being used by intelligence agencies, including the U.S. National Security Agency and British GCHQ, to gather information on persons of interest.
Rovio, based in Espoo, Finland, forcefully denied those charges. “Rovio Entertainment Ltd…does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world,” the company said. However, the company did allow that surveillance “may be conducted through third-party advertising networks used by millions of commercial web sites and mobile applications across all industries.” And “if advertising networks are indeed targeted, it would appear that no internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance,” the company warned, saying it does not allow any third-party network to use or hand over personal end-user data from Rovio’s apps.
FireEye’s analysis concludes that drawing a line between Rovio and its third-party ad network partners may be a distinction without much of a difference.
Angry Birds’ data management service, “ad-x.co.uk,” was observed sharing information with third-party networks through version 4.0.0 of Angry Birds. And some data sharing was observed in version 4.1.0, which was released on March 4. Data shared includes a wide range of personal information. Those who download a game and register may only surrender their e-mail, birthday and a password. Sign up for a newsletter, and Rovio collects your first and last name, email address, date of birth, country of residence, and gender. The aggregated information is sent to Rovio’s cloud back end and compiled with other information based on the registered email address.
Among the companies using that data is Rovio partner Burstly, which makes an ad library embedded in Angry Birds and which Rovio uses as an ad adapter to link it to other third-party ad clouds including Jumptap and Millennial Media. The company also links to Skyrocket.com, an app monetization service provided by Burstly, and uses players’ personal data to target ads.