Molotov leaks your email address

Watching TV incognito? Forget it

Published by Pixel de Tracking on March 22, 2020

Molotov and your email address: a far from exclusive relationship

After Mapstr, I am continuing my analysis of apps with Molotov, a polished application for watching TV online.

To identify the tracking tools installed by Molotov, I followed this procedure on my iPhone:

  • Close the different background applications
  • Launch Charles Proxy and enable tracking
  • Launch the Molotov application, then browse the app
  • Export the logs from my Charles Proxy session to my computer

Molotov - tracking Braze

As you can see above, Molotov allows many third-party companies to track you, including:

  • Google: via Crashlytics (crash reports) and directly (especially for Chromecast). No surprise: Google is present in most apps.
  • Facebook: here too, no surprise, Facebook appears in most apps. Why does Molotov use Facebook services? To report app installs, conversions and usage data to Facebook Analytics, as explained in Facebook's developer documentation.
  • Segment: a tool that centralizes the sending of user data to third parties (a “tag management” tool particularly well suited to apps). Note that Molotov sends Segment a hash of your email address, which is no guarantee of privacy because some companies offer to recover an email address from a hash for only $0.04.
  • Adjust: a mobile marketing company specializing in advertising campaign attribution (knowing which ad led you to install Molotov). Adjust also receives the hash of your email address.
  • Amplitude: an analytics tool. Molotov leaks the hash of your email address here too.
  • Braze: another analytics tool, used to interact with users via in-app messages and notifications. Here it is even worse: Molotov leaks your email address in plain text.
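To check an exported session for this kind of leak yourself, the following added example (not code from the original post) scans a proxy session for your own address in plain text and as unsalted MD5, SHA-1 or SHA-256 digests, grouped by receiving host. It assumes the session was exported in HAR format; the hosts, paths and address in the sample are constructed, and salted hashes or compressed/base64 bodies would not be caught.

```python
import hashlib
import json
from urllib.parse import unquote, urlsplit

def email_forms(email):
    """Plaintext plus unsalted MD5/SHA-1/SHA-256 hex digests of the address."""
    norm = email.strip().lower()
    forms = {"plaintext": norm}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, norm.encode()).hexdigest()
    return forms

def scan_har(har, email):
    """Return sorted (host, form) pairs for requests that carry the address."""
    forms = email_forms(email)
    hits = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        parts = [req["url"], (req.get("postData") or {}).get("text") or ""]
        parts += [h.get("value", "") for h in req.get("headers", [])]
        # Decode %40 and friends, and compare case-insensitively.
        blob = unquote(" ".join(parts)).lower()
        hits.update((host, form) for form, needle in forms.items() if needle in blob)
    return sorted(hits)

# Constructed sample session: hosts, paths and address are hypothetical.
EMAIL = "alice@example.com"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://analytics.example/v1/identify", "headers": [],
                 "postData": {"text": json.dumps(
                     {"email_hash": hashlib.sha256(EMAIL.encode()).hexdigest()})}}},
    {"request": {"url": "https://messaging.example/track?email=alice%40example.com",
                 "headers": []}},
    {"request": {"url": "https://cdn.example/logo.png", "headers": []}},
]}}

if __name__ == "__main__":
    # With a real export: har = json.load(open("session.har", encoding="utf-8"))
    for host, form in scan_har(SAMPLE_HAR, EMAIL):
        print(f"{host}: email sent as {form}")
```

Because the digests are computed from the address alone, every third party that receives the same hash can match it to the same person, which is why a hash hit is reported alongside a plaintext hit.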

A vague privacy policy, far from GDPR-compliant

If we now look at the Molotov privacy policy, here is the paragraph concerning the transfer of your personal data to third parties:

We may share your data with third parties as set out below:

Subcontractors: who provide services on our behalf, such as the provision of CRM and customer support software, analytics solutions, IT services and payment transaction processing. Our subcontractors' access to your data in the provision of these services is limited and governed by the written agreements we enter into with them, in particular through specific contracts detailing their obligations regarding the protection and confidentiality of your personal data (“Data Processing Agreements”). Molotov is in no way responsible for the processing of your personal data carried out by these subcontractors.

This information is vague and non-specific. I have never consented to being tracked by Google, Facebook, Segment, Adjust, Amplitude and Braze. I have certainly not authorized Molotov to send some of these companies my email address, even in hashed form. And sending my email address in plain text to a third party, without my consent or even the slightest information, is a blatant violation of my privacy.