I’ve recently been working on scraping the app api for instagram for a project, and I’m surprised at the amount of data it sends that it shouldn’t need. I knew it did a lot of tracking already, but after looking at what it sends, I am never installing that app outside of an emulator.

When you login it sends:

• How many sim cards you have installed
• Whether you have whatsapp installed
• whether you gave permission for: call logs, contacts, answer phone calls
• Timestamps for when you opened the app and when you clicked any component.

On most requests, it sends:

• Your connection type (WIFI/mobile data)
• Your connection speed
• Whether google play attestation is working
• If your phone is foldable or not
• Whether you have dark or light theme enabled
• What device you are running instagram on
• The components you clicked on to navigate to whatever page you are on, as well as timestamps for when you clicked them.

When loading your timeline, they payload contains:

• Whether instagram has permission for your camera
• Your battery level
• Whether your phone is charging
• The time you opened the app at.
• Whether you used pull to refresh to load your feed.
• Your volume level
• Your timezone offset.

For every useful request it sends about 2 to /logging_client_events, which has a binary, encoded as base64 payload.