Bytedance’s Pangle SDK Encryption Cracked as Duolingo’s Team Gains Access
You expect Duolingo to teach languages, not leak your device data—yet Buchodi reports the app’s Pangle SDK encryption is broken, exposing battery level, storage capacity and IP address to ByteDance.
Key Facts
- Key company: ByteDance
The breach was uncovered through a systematic sweep of mobile traffic that logged more than 38,000 requests from over 40 high‑profile apps to ByteDance’s Pangle endpoint api16‑access‑ttp.tiktokpangle.us, according to Buchodi’s March 4 2026 report. The dataset spans categories from language learning (Duolingo, HelloTalk) to social media (BeReal), AI chat (Character.AI), and a slew of casual games, demonstrating that the Pangle advertising SDK is embedded far more broadly than most users realize. Each request carries a payload marked “cypher: 3,” a custom encryption label that ByteDance advertises as protecting the transmitted telemetry.
Buchodi reverse‑engineered the SDK by downloading version 6.5.1.2 from ByteDance’s Maven repository (artifact.bytedance.com) and dissecting its native libraries and Java classes. The analysis revealed four native components—libtobEmbedPagEncrypt.so (8 KB), libpglarmor.so (61 KB), libnms.so (281 KB), and libtt_ugen_layout.so (ad layout engine)—and a set of decompiled Java files that orchestrate the encryption pipeline. The critical path for cypher: 3 is implemented in libtobEmbedPagEncrypt.so and invoked through PangleEncryptUtils.java, while the obfuscated class aT.java contains the actual cryptographic routine.
The routine’s design is fundamentally flawed. As Buchodi details, the SDK generates a random 32‑character AES‑256 key and a 16‑character IV for each message, encrypts the plaintext with AES‑256‑CBC and PKCS5 padding, then concatenates the version byte, a “shuffled” copy of the key, the IV, and the Base64‑encoded ciphertext. The final string begins with “3” followed by the 32‑character shuffled key, the 16‑character IV, and the ciphertext. Because the key and IV are embedded verbatim in the payload, any observer can recover them by extracting characters 1‑32 (re‑ordering the halves) and 33‑48, respectively, and then decrypt the ciphertext. Buchodi likens this to “locking your front door and taping the key to the doorframe,” noting that the scheme offers only superficial obfuscation, not genuine confidentiality.
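The following Go program is an added example, not code from the article or from ByteDance's SDK: it models the cypher:3 layout described above on a constructed telemetry record, with the "shuffle" assumed to be a swap of the two 16-character key halves and the key/IV character set assumed, since neither is specified. The point of recoverPlaintext is that it takes no secret input at all; everything it needs is read back out of the payload.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// randomChars stands in for the SDK's undescribed per-message key/IV generator (assumption); n is a multiple of 4.
func randomChars(n int) string {
	b := make([]byte, n/4*3)
	rand.Read(b)
	return base64.RawStdEncoding.EncodeToString(b) // 24 bytes -> 32 chars, 12 bytes -> 16 chars
}
// shuffle models the "shuffled" key as a swap of its two 16-char halves (assumed; it is its own inverse).
func shuffle(key string) string { return key[16:] + key[:16] }
// buildPayload reproduces the described layout: "3" + shuffled key (32) + IV (16) + Base64(AES-256-CBC, PKCS5 padding).
func buildPayload(plaintext string) string {
	key, iv := randomChars(32), randomChars(16)
	block, _ := aes.NewCipher([]byte(key)) // a 32-byte key selects AES-256, so NewCipher cannot fail here
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	ct := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, []byte(iv)).CryptBlocks(ct, ct)
	return "3" + shuffle(key) + iv + base64.StdEncoding.EncodeToString(ct)
}
// recoverPlaintext needs no secret: key and IV are read back out of the payload, so the scheme only obfuscates.
func recoverPlaintext(payload string) (string, error) {
	if len(payload) < 49 || payload[0] != '3' {
		return "", fmt.Errorf("not a cypher:3 payload")
	}
	key, iv := shuffle(payload[1:33]), payload[33:49] // undo the half-swap, then take the IV verbatim
	ct, err := base64.StdEncoding.DecodeString(payload[49:])
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("malformed ciphertext")
	}
	block, _ := aes.NewCipher([]byte(key))
	cipher.NewCBCDecrypter(block, []byte(iv)).CryptBlocks(ct, ct)
	pad := int(ct[len(ct)-1])
	if pad < 1 || pad > aes.BlockSize {
		return "", fmt.Errorf("bad PKCS5 padding")
	}
	return string(ct[:len(ct)-pad]), nil
}
func main() {
	p := buildPayload(`{"battery":87,"storage_gb":128}`) // constructed record, not captured traffic
	fmt.Println(p, "\n->", fmt.Sprint(recoverPlaintext(p)))
}
```

App maintainers auditing their own builds can run the same parse over traffic from a test device to confirm whether a shipped SDK version still uses this layout.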
The practical impact is that apps using Pangle—Duolingo among them—are transmitting granular device data, including battery level, storage capacity, and internal IP address, in a format that can be trivially decrypted by anyone intercepting the traffic. Buchodi’s traffic capture shows the plaintext fields before encryption, confirming that the telemetry is not anonymized or aggregated. Because the same SDK version is used across the surveyed apps, the vulnerability is systemic, exposing a wide swath of user devices to potential profiling or targeted advertising without meaningful user consent.
ByteDance has not issued a public response to the findings, and no patch for the flawed encryption has been announced. The SDK’s open distribution via Maven means that developers can replace the vulnerable version, but many apps have not updated since the 6.5.1.2 release. Until a remedial version is pushed, the onus remains on app maintainers to audit their third‑party dependencies and consider alternative ad frameworks that employ industry‑standard end‑to‑end encryption.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.