APP’s Persistent Lies, Denying Use of Persistent IDs (APP US) – Muddy Waters
AppLovin's privacy tracking scandal exposed: Persistent identifiers violate user privacy, enabling cross-domain ad tracking through Max SDK, risking regulatory action and platform deplatforming.
AppLovin (APP) CEO and CTO responded to Muddy Waters' initial report (dated Match 27, 2025) with demonstrably false statements. In contrast to its CEO and CTO’s claims, APP continues to use persistent identifiers that violate users’ privacy and partner platforms’ terms of service.
Stock info:
- Ticker: APP (NASDAQ)
- Position: Muddy Waters Research is short APP and stands to profit if the stock price declines
Why it matters:
- AppLovin's CEO Adam Foroughi and CTO Basil Shirkin publicly denied using persistent identifiers, but technical evidence reveals the company actively deploys and reuses tracking tokens across domains
- AppLovin circumvents privacy protections by generating persistent tokens (initially "compass_random_token," later relabeled as "alart" and "art") that track users across mobile apps, browsers, and e-commerce websites
- Third-party technical investigation by Permanent Record Research (PRR) confirmed AppLovin's persistent identity graphs (PIGs) enable cross-application tracking even when users opt out of IDFA tracking
- Detailed HTTP logs show identical persistent tokens (e.g., "285035d2-a4bf-4275-bd06-31ea02d6a9fe") appearing across multiple e-commerce websites and AppLovin domains
- AppLovin's practices differ significantly from industry standards, where companies like Google and Facebook use unique session identifiers rather than persistent cross-domain tracking
- The report suggests these practices put AppLovin at risk of deplatforming and regulatory action, particularly from major partners like Meta
Between the lines:
- When AppLovin's Max SDK launches, it generates persistent tokens that link device and user data, enabling continuous tracking during ad auctions
- The company's retargeting system relies on tracking user behavior across applications, demonstrating how a user interaction in a mobile game leads to targeted ads based on previous website visits
- AppLovin disguises its persistent tracking by renaming identifiers while maintaining the underlying values, creating an identifiable link between users, games, and online stores
- The report includes visual evidence mapping persistent identifiers and illustrating AppLovin's cross-domain tracking mechanics
- Muddy Waters argues that AppLovin focuses heavily on retargeting existing customers rather than acquiring new ones, leveraging data connections between their applications and external e-commerce websites
FAQs:
What exactly is AppLovin accused of doing?
AppLovin is accused of creating and using persistent identifiers to track users across applications and websites, despite public denials from its executives. These identifiers enable detailed user tracking and targeted advertising even when users have opted out of cross-app tracking.
How does AppLovin's tracking system work?
AppLovin's Max SDK generates persistent tokens when launched on a device. These tokens, along with device and network data, create a "persistent identity graph" (PIG) that identifies users across mobile apps, browsers, and e-commerce sites, bypassing privacy sandboxing meant to prevent cross-domain tracking.
What evidence supports these allegations?
The report includes detailed HTTP logs showing identical persistent tokens appearing across multiple websites and AppLovin domains, video analysis from Permanent Record Research demonstrating the tracking mechanics, and documented examples of retargeting ads served based on cross-application user behavior.
How does AppLovin's tracking differ from industry standards?
Unlike Google and Facebook, which use unique session identifiers per domain, AppLovin reuses the same persistent tokens across multiple domains and applications, allowing for more invasive cross-domain tracking that potentially violates privacy expectations.
What risks does AppLovin face if these allegations are true?
The company could face deplatforming from major partners like Meta, increased regulatory scrutiny for privacy violations, margin compression as competitors adopt similar techniques, and potential loss of customer base and revenues if advertisers become concerned about privacy compliance.
Why would AppLovin executives misrepresent their data practices?
According to Muddy Waters, the misrepresentations may be driven by fears of de-platforming for privacy violations and risks of margin compression from competitors if their actual practices were widely known.
Disclaimer
This summary is based on a report by Muddy Waters. For the full, detailed analysis, please refer to the original source material: https://muddywatersresearch.com/research/2025/app-persistent-lies/
ShortReport.fyi is not the author or originator of the content provided in this publication. We act solely as a distributor of the content and do not endorse, verify, or take responsibility for the accuracy, completeness, or reliability of the information presented. Each author retains full ownership and responsibility for their respective content, including any opinions, projections, or analyses expressed therein.
This publication is for informational purposes only and should not be construed as legal, business, investment, or tax advice. Readers are advised to consult the original source material and seek guidance from qualified professionals before making any decisions based on the information contained herein.
ShortReport.fyi disclaims all liability for any loss or damage arising from reliance on the content provided by third parties. The views expressed in these materials are solely those of the respective authors and do not necessarily reflect the views or opinions of ShortReport.fyi.