Citizens Privacy Rights

Filimo: How Iran's Leading Streaming Platform Exposes Users to Credential Theft and Cross-Border Profiling


A blackbox privacy audit of the Filimo Android streaming application, covering both the mobile build (App v4.19 / v40312121) and the TV build (v2.18.0 / v40311231), has identified critical vulnerabilities in how the platform handles user credentials, transmits device data, and integrates location tracking infrastructure. The audit was conducted over a three-day timeframe in June 2025 by a team of three senior auditors through reverse engineering of APKs sourced from Myket and CafeBazaar, without access to source code, documentation, or test accounts. No backdoors or remote code execution capabilities were detected. What was found, however, is a platform that stores authentication credentials in plaintext, transmits detailed device fingerprints to analytics servers across five global regions, and embeds a fully operational location surveillance infrastructure — all while operating within Iran's legal jurisdiction, where the state maintains expansive authority over domestic technology companies and their data, unchecked by any independent data protection body.

Filimo is one of Iran's most prominent video streaming services. A streaming platform inherently collects sensitive behavioral data — viewing habits, session timing, content preferences, and device usage patterns — that can reveal a great deal about a user's interests, beliefs, and daily routines. The security with which this data is handled is therefore not just a technical question but a civil liberties question, particularly in a country where the consumption of certain content can itself become grounds for state scrutiny.

Plaintext Credentials: Account Takeover Made Trivial

The most immediately critical finding concerns how Filimo stores user authentication data. On the mobile build, JWT tokens, authentication tokens, usernames, email addresses, phone numbers, and user identifiers are all stored in plaintext within SharedPreferences files, specifically UserManager.xml. The TV build follows the same pattern, storing account and profile JWTs alongside login state in its own preferences file without encryption or access controls. On any rooted device, any device with USB debugging enabled, or any device where another application has elevated privileges, the full set of user credentials can be extracted trivially. The data may also leak through Android backup mechanisms.

In Iran's device ecosystem, this vulnerability is especially acute. Users frequently install applications from domestic app stores with less rigorous security vetting, increasing the probability that a co-installed application could access these plaintext files. Moreover, the storage of phone numbers alongside authentication tokens creates a direct link between a user's Filimo account and their real-world identity — a link that, in a jurisdiction where telecommunications companies are required to register SIM cards against national identity documents, effectively strips away any residual anonymity a user might assume they have when using the service.
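The kind of check a developer or auditor would run against a SharedPreferences file from their own build to confirm the finding above. This is an added example, not tooling from the audit: the key names, the sample file and the token in it are constructed, since the report does not reproduce the real UserManager.xml.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

def b64url_decode(segment):
    """Restore the padding JWT segments strip, then decode base64url."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims):
    """JWT-shaped token for the constructed sample; the signature segment is filler."""
    parts = [json.dumps({"alg": "HS256", "typ": "JWT"}), json.dumps(claims)]
    segs = [base64.urlsafe_b64encode(p.encode()).rstrip(b"=").decode() for p in parts]
    return ".".join(segs + ["c2lnbmF0dXJl"])

SAMPLE_CLAIMS = {"sub": "12345", "exp": 1751328000}
# Constructed SharedPreferences-style file; key names are assumed, not taken from the report.
SAMPLE_XML = f"""<map>
    <string name="jwt">{make_unsigned_jwt(SAMPLE_CLAIMS)}</string>
    <string name="phone">09120000000</string>
    <string name="email">user@example.com</string>
    <string name="theme">dark</string>
</map>"""
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
PHONE_RE = re.compile(r"^\+?\d{10,15}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def classify(value):
    """Heuristic: does a stored string look like a token or an identity attribute?"""
    for kind, pattern in (("jwt", JWT_RE), ("phone", PHONE_RE), ("email", EMAIL_RE)):
        if pattern.match(value):
            return kind
    return None

def audit_prefs(xml_text):
    """Report every <string> entry whose value is credential-like plaintext."""
    findings = []
    for node in ET.fromstring(xml_text):
        value = (node.text or "").strip()
        kind = classify(value) if node.tag == "string" else None
        if kind is None:
            continue
        finding = {"key": node.get("name"), "type": kind}
        if kind == "jwt":
            # No key material needed: whoever can read the file can read the claims.
            header, payload, _ = value.split(".")
            finding["alg"] = json.loads(b64url_decode(header)).get("alg")
            finding["claims"] = json.loads(b64url_decode(payload))
        findings.append(finding)
    return findings
```

A finding of type `jwt` with readable claims next to a `phone` entry is exactly the identity-to-token link the paragraph above describes; the fix on the app side is to keep such values out of plain SharedPreferences entirely.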

Global Analytics Transmission: Data Beyond Iran's Borders, and Within Them

Filimo transmits a comprehensive set of device and session metadata to Adtrace analytics servers across region-specific endpoints spanning the European Union, the United States, India, China, and Turkey. The data payload includes Google Play Services advertising identifiers (GPS ADID), Android UUIDs, device fingerprinting attributes (manufacturer, model, OS version, CPU architecture, screen properties), mobile carrier identifiers (MCC/MNC), push notification tokens, and session-level metadata. Adtrace itself is an Iranian-origin mobile analytics and attribution platform. While the data is routed through globally distributed endpoints, the company's operational base and its exposure to Iranian legal obligations raise questions about how this data might be accessed or compelled.

The breadth of the data transmitted is disproportionate to what a streaming application requires. Persistent device identifiers and carrier codes enable cross-context user correlation and re-identification. When this telemetry is combined with the plaintext credential storage described above — which includes phone numbers tied to national identity systems — the result is a data environment in which Filimo users are not merely being tracked for analytics purposes but are generating a comprehensive behavioral and identity profile that exists across multiple jurisdictions, anchored by identifiers that map directly to their legal identity within Iran.

Embedded Location Surveillance: Infrastructure Waiting to Be Activated

The mobile build integrates the WebEngage SDK with full location tracking capabilities, including FusedLocationApi for passive location retrieval, geofence registration configured with infinite expiration, and periodic background location updates triggered via PendingIntent. While no outbound location data was observed during the testing window, the infrastructure is fully operational and capable of silent background location monitoring whenever permissions are granted. The presence of geofencing with no expiration limit enables indefinite spatial monitoring without any visible indicator or ongoing consent mechanism.

For a video streaming application, the inclusion of location surveillance capabilities demands justification that the application's visible functionality does not provide. In Iran, where the state has used location data to track protest participants, monitor the movements of journalists, and map the social networks of activists, the mere presence of this infrastructure — even if not currently active in data transmission — represents a latent capability that could be activated through a server-side configuration change without any update to the application itself. Users who granted location permission at install would have no indication that their movements had begun to be tracked.

External APK References and Supply Chain Integrity

The TV build contains hardcoded URLs referencing external APK files hosted on the third-party domain farsroid.com, including links to unrelated applications. While not observed to execute during testing, these references introduce a supply chain integrity risk. In an ecosystem where app distribution already operates outside the security guarantees of major international platforms, the embedding of references to third-party APKs from domains outside the developer's control creates an additional vector through which unverified code could be introduced to users' devices.
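A static check for the supply chain finding above, written here as an added example rather than the audit's own tooling: it scans string output from a decoded build for `.apk` URLs whose registrable domain is outside an allowlist of developer-controlled domains. The allowlist and the sample strings are constructed; only the farsroid.com domain comes from the report.

```python
import re
from urllib.parse import urlparse

# Domains assumed to be under the developer's control: a placeholder allowlist,
# not taken from the report. Everything else is treated as third-party.
FIRST_PARTY = {"example-developer.test"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.test hosts used here."""
    return ".".join(host.lower().split(".")[-2:])

def find_external_apks(text):
    """Return (domain, url) for every .apk URL whose domain is not first-party."""
    hits = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if not parsed.path.lower().endswith(".apk"):
            continue
        domain = registrable(parsed.hostname or "")
        if domain not in FIRST_PARTY:
            hits.append((domain, url))
    return hits

# Constructed sample imitating `strings` output from a decoded build; the
# farsroid.com path is invented, only the domain comes from the report.
SAMPLE_STRINGS = """
https://example-developer.test/downloads/update.apk
https://dl.farsroid.com/some-unrelated-app.apk
https://www.farsroid.com/
https://cdn.example-developer.test/assets/logo.png
"""
```

Any hit is a package reference the developer cannot sign or pin, which is the integrity gap the section describes; a real allowlist should use the public suffix list rather than the two-label shortcut used here.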

Recommendations for Users

Users of Filimo should revoke microphone, location, and storage permissions through device settings. Location access should be denied entirely given the embedded surveillance infrastructure. Users should be aware that their authentication credentials, including phone numbers linked to their national identity, are stored in plaintext and should avoid using Filimo on rooted devices or those with USB debugging enabled. Periodically clearing app data removes stored plaintext credentials, and disabling Android backups prevents credential leakage through backup channels. Network-level ad blocking can reduce the volume of device fingerprinting data transmitted to Adtrace's endpoints. Users should also understand that Filimo's privacy weaknesses are not isolated technical failures but reflect a broader pattern in Iran's domestic app ecosystem, where applications routinely collect more data than their functionality requires and store it with protections that would not withstand scrutiny from either a determined attacker or a state actor with legal authority to compel access. The developers have been contacted with detailed remediation recommendations.
