Privacy Investigation: Wordle Clone Apps

Copycat Wordle apps have amassed millions of installs in mere weeks. We analyzed the network traffic initiated by the ten most popular clone apps and found they often allow advertisers to slurp significant user data.
Simon Migliano

Wordle Apps Traffic Analysis

We analyzed the network traffic initiated by the 5 most popular Wordle clone apps on iOS and on Android. These 10 copycat apps have been downloaded an estimated 11.5 million times since the start of 2022.

  • IP address sharing: 80% of the mobile apps tested allow at least one third-party to collect your IP address.
  • Device fingerprinting: Every app we tested allows at least one third party to fingerprint your device.
  • Baidu: One app shares data with Chinese internet search giant Baidu.
  • High network traffic: The most popular Wordle clone makes as many as 570 server requests in just four minutes.
  • Two iOS apps fail to ask the required permission to allow advertisers to track you across websites.

Privacy Risks of Wordle Clones

Wordle, the free, simple yet addictive word-guessing game originally created by Josh Wardle for his wife during lockdown and recently sold to the New York Times for a seven-figure sum, has been the viral sensation of 2022 so far.

Unfortunately, this incredible surge in popularity has led to a rise in copycat apps in Apple and Google’s app stores, hoping to cash in on the Wordle phenomenon.

Results in Google Play Store for searches on the term Wordle

There are a number of factors that have enabled this rise in clones:

  • Wordle is browser-based, so there is no official mobile app
  • There is at least one unofficial app also called Wordle in each app store
  • The official Wordle game is limited by design to one puzzle a day. The clones typically offer an endless stream of words to guess for those fans with a larger appetite for guessing five-letter words.
  • Prior to its sale to the NYT, Wordle was unmonetized and completely ad-free

The copycats are incredibly popular. By our estimates, the ten biggest of these apps have been downloaded 11.5 million times since the start of the year.

The single most popular clone app, also called Wordle, has been installed an estimated 5.7 million times.

The official Wordle game on the NYT website reportedly has over 300,000 daily users.

We decided to perform a technical analysis of these mobile apps as they appeared to be quick cash-ins, hoping to jump on the bandwagon and make as much money as they can before interest wanes.

Our concern was that many fans of the official version of Wordle might not realize the extent to which they were opening themselves up to invasive tracking and of the degree of data sharing taking place.

Our goal with this research is to raise awareness of how such mobile apps profit from intruding on their users’ privacy and thus allow consumers to make an educated choice about whether it’s worth installing and using such apps.

It is possible to counteract at least some of this kind of activity by using third-party ad blockers. Some leading VPN services, including NordVPN, have also launched tools that can be effective in blocking trackers.

Network Traffic Analysis Findings

The following tables are a summary of our analysis of the network traffic initiated by each Wordle-clone app.

Apple guidelines require iOS apps to ask users to consent to ad tracking. This is not a choice offered by Android apps. The first table therefore comprises the results of analysis performed after this consent was declined in the iOS apps. The second table shows the results of a second analysis for iOS apps only, where consent for ad tracking was given.

The Est. Total Installs figures for iOS apps are calculated from monthly download figures. For Android, installs are as reported by Google in the Play Store.

The Trackers columns identify third-parties in receipt of any kind of user tracking data.

The IP Address Trackers columns identify third-parties in receipt of a user’s IP address.

The Device Fingerprinting columns identify third-parties in receipt of sufficiently-detailed device telemetry to uniquely identify users.

For archived versions of store listings, app IDs and APK names, see this data sheet.

Initial Analysis: All Apps

Note: iOS apps explicitly seek consent for ad tracking with the option to decline presented most prominently. We therefore considered declined consent to be the implicit default behavior in iOS apps and thus the most suitable state for initial testing. Android apps do not offer the user such an option.

Additional Analysis: iOS Apps

Note: We performed additional network traffic testing and analysis on the iOS apps after consent for ad tracking was granted. The findings are detailed below. This was not necessary for Android apps.

Network Traffic Analysis Highlights

Aggressive Tracking

The Wordle! app on iOS[1], which has a colossal 5.7 million estimated installs, was by far the most aggressive in terms of tracking technology stuffed into such an otherwise simple app. This software phones home at least once per second even when consent for ad tracking is denied. The rate of server requests more than doubles if tracking consent is granted.

Wordus, also on iOS and with 1.5 million estimated installs, was almost as aggressive. The app makes over 70 server requests per minute, regardless of whether consent is given for ad tracking.

It’s perhaps no coincidence that the two most popular apps are the most stuffed with trackers.

IP Address Collection

As many as eight in 10 of the apps we tested allow third parties to slurp your IP address.

Most commonly this was collected by Google, but we found that Facebook and Applovin also slurped this personal data point.

Mitmproxy screencap of IP address collection by Facebook in the Wordus iOS app

While IP addresses aren’t unique to individual devices, they remain valuable to marketers as they allow for more specific geographic targeting of ads.[2] As noted in the table above, this is far from the only data point being collected. It’s also possible to identify you by cross-referencing your IP address with other datasets.

One app, Word Guess on iOS, behaved unexpectedly in that it only collected users’ IP address when consent to track was denied. We did not find evidence of IP address collection when consent was granted.

Fingerprinting

Device fingerprinting is the method of identifying individuals from detailed device telemetry, where each data point is non-personal on its own but aggregated forms a unique “fingerprint”.[3]

Mitmproxy screencap of device fingerprinting on the Wordle! iOS app

In the above screencap you can see a server request made by the Wordle! iOS app to the Vungle ad tech platform that shares details about our test device:

  • Cellphone carrier
  • Battery level
  • Battery saver status
  • Advertising ID
  • Device language and locale
  • Device storage available
  • Time zone
  • Device make and model
  • OS version
  • Is the device charging
  • Volume level
  • Is the device connected to WiFi
  • Screen height and width

Every app we tested made server requests to at least one third party containing some combination of this kind of device data.
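As an added illustration (not code from the original investigation), the following Python script shows how a capture of app traffic can be triaged for the three behaviours described above: per-host request rate (the once-per-second phoning home seen in the Aggressive Tracking section), IP-address collection and the fingerprinting telemetry just listed. The host names, parameter names, threshold and capture records are all constructed; in practice the records would be exported from a mitmproxy flow dump.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Parameter names that together form a device fingerprint: the fields listed
# above, under assumed names (each ad SDK uses its own).
FINGERPRINT_KEYS = {"carrier", "battery", "battery_saver", "ifa", "language", "locale",
                    "storage_free", "tz", "model", "os_version", "charging", "volume",
                    "wifi", "screen_w", "screen_h"}
IP_KEYS = {"ip", "client_ip"}        # assumed parameter names carrying the client IP
FINGERPRINT_THRESHOLD = 5            # assumed: distinct telemetry keys sent to one host
FIRST_PARTY = {"api.wordgame.test"}  # the app's own backend (constructed)
# Constructed capture in place of a mitmproxy flow dump: (seconds since launch, url, body)
CAPTURE = [
    (0.0, "https://ads.vendor-a.test/v1/new", {
        "carrier": "Test Mobile", "battery": "0.82", "battery_saver": "0",
        "ifa": "00000000-0000-0000-0000-000000000000", "language": "en",
        "locale": "en_GB", "storage_free": "12345", "tz": "Europe/London",
        "model": "iPhone13,2", "os_version": "15.3", "charging": "1",
        "volume": "0.5", "wifi": "1", "screen_w": "390", "screen_h": "844"}),
    (1.0, "https://events.vendor-b.test/collect?client_ip=203.0.113.5&model=iPhone13,2", None),
    (2.0, "https://api.wordgame.test/words?len=5", None),
]
# A once-per-second beacon to vendor A: the "phones home every second" pattern.
CAPTURE += [(float(t), "https://ads.vendor-a.test/beacon?battery=0.8", None)
            for t in range(1, 121)]

def params_of(url, body):
    """Merge query-string and body parameters into one {name: value} dict."""
    merged = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    merged.update(body or {})
    return merged

def analyze(capture):
    """Per host: request rate, IP-address collection and fingerprinting telemetry."""
    times = [rec[0] for rec in capture]
    minutes = max(max(times) - min(times), 1.0) / 60.0
    hits, keys_seen, ip_hosts = Counter(), defaultdict(set), set()
    for _ts, url, body in capture:
        host = urlsplit(url).hostname
        sent = set(params_of(url, body))
        hits[host] += 1
        keys_seen[host] |= FINGERPRINT_KEYS & sent
        if IP_KEYS & sent:
            ip_hosts.add(host)
    return {
        "third_party_hosts": sorted(set(hits) - FIRST_PARTY),
        "requests_per_minute": {h: round(n / minutes, 1) for h, n in hits.items()},
        "ip_collectors": sorted(ip_hosts),
        "fingerprinters": sorted(h for h, ks in keys_seen.items() if len(ks) >= FINGERPRINT_THRESHOLD),
    }
```

Calling analyze(CAPTURE) reports vendor A at roughly 60 requests per minute and as a fingerprinter, and vendor B as an IP-address collector, while the first-party backend is left out of the third-party list.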

Baidu

One app we tested, Word Challenge on Android, made server requests to the Chinese search giant Baidu, which then dropped tracking cookies on the device.

Mitmproxy screencap of server requests made to Baidu by Word Challenge Android app

Failures to Request To Track

As part of App Tracking Transparency, iOS apps are required to ask users whether they are prepared to “allow [app name] to track your activity across other companies’ apps and websites?”

Two apps failed to make such a request:

  • PuzzWord
  • Wordful

Trackers

The following table comprises an alphabetized list of every third-party tracker we found in the Wordle clone apps we tested, along with a brief description of the primary business activity of that third-party.

Methodology

Based on a search for the term “Wordle”, we selected the five apps with the highest number of installs for network traffic analysis in both Apple’s App Store and the Google Play Store.

Install numbers for Android apps were taken from their listings. For iOS apps, we took January’s monthly installs from SensorTower and extrapolated February installs based on a consistent run-rate to calculate an estimated total. This is likely to be conservative as Wordle was increasingly viral throughout February.

We analyzed network traffic using mitmproxy, an open source tool, in a clean testing environment using dedicated iOS and Android testing devices. We captured all app-initiated network traffic upon first starting each app and playing several games.

For iOS apps we captured traffic over two sessions. One where we granted consent for sharing data with advertisers and one where we declined that consent, if the choice was offered.

For archived versions of store listings, app IDs and APK names, see this data sheet.

The authors of all our investigations abide by the journalists’ code of conduct.

References

[1] https://web.archive.org/web/20220228182152/https://apps.apple.com/US/app/id1095569891?l=en

[2] https://web.archive.org/web/20220301082023/https://www.accudata.com/blog/ip-targeting/

[3] https://web.archive.org/web/20220225183500/https://blog.admixer.com/device-fingerprinting/