en
Español
中國人
Tiếng Việt
Deutsch
Українська
Português
Français
भारतीय
Türkçe
한국인
Italiano
Indonesia
Polski Include Security’s June 2026 research on the Bright Data SDK (see the full write-up at blog.includesecurity.com) looked at whether living-room devices should become commercial proxy infrastructure after a single opt-in consent screen. The research pushed the question of smart TV apps selling data into the mainstream: hundreds of free consumer apps have been quietly turning home devices into residential proxy nodes.
Further reports confirmed that this behavior has been restricted by Google, Amazon, and Roku platforms, while Samsung Tizen and LG webOS remain the focus of unresolved smart TV privacy gaps. The main point of the smart TV apps-selling-data discussion is whether a single screen, navigated with a remote control, should bear the full weight of informed consent.
The Bright Data SDK routes third-party web requests through whichever device is running it.
Include Security directly tested the iOS SDK. After 30 days of traffic capture and a static analysis of the app binary, the conclusion was that an opted-in iPhone can serve as a residential proxy exit node. Extending that case to smart TVs and desktops rests on indirect evidence: Bright Data’s own partner list, the Bright Data SDK’s configuration file, and the Lowpass report (republished by The Verge) on its efforts to develop apps for Samsung and LG smart TVs. On a connected TV app, this means the target site sees your household’s IP address instead of a data center IP, so your TV becomes a smart TV web-scraping proxy.
On a connected TV app, that means the target site sees your household's IP and connection instead of a datacenter IP, so your TV becomes a smart TV web-scraping proxy.
The entire process starts when a user installs a free app that includes the Bright Data SDK as a monetization layer.
After the opt-in, the SDK connects to Bright Data in the background, retrieves configuration, and can receive AI web scraping jobs that run through the user’s home router. Include Security discovered that the iOS SDK called an unauthenticated configuration endpoint that returned feature flags, idle thresholds, bandwidth limits, partner data, and even country tiers.
In the configuration file, relays in Uzbekistan and Oman are allowed to operate with a battery level of 1%, a daily relay cap 20 times the global default, and a monthly cap of 30 GB, which is 60 times the 500 MB default worldwide allowance. None of that country-tier variation is disclosed in the consent screen: the text a user sees is chosen by the app publisher, and Include Security found no examples in which per-country limits or battery thresholds were surfaced to the user.
Those requests were made with the app ID and the SDK version, neither of which is confidential. The Bright Data SDK then opened a persistent WebSocket peer tunnel to proxyjs.brdtnet.com:443. The server assigned a session ID, polled the device for status, and pushed scraping tasks for the SDK to run via the user’s home IP, without any corresponding authorization check on the other end.
The peer channel used TLS, so the issue wasn’t unencrypted traffic. The security gap was that the control flow lacked cryptographic authorization: Include Security found no message signing, HMAC, client certificates, or device attestation around the peer channel.
The most concerning technical finding was the iOS VPN bypass behavior. Include Security observed that the Bright Data SDK bound the peer tunnel to the physical interface (Wi-Fi or cellular) rather than to the default system route.
That behavior made the peer tunnel able to bypass a configured VPN, whereas the regular app HTTPS traffic still went through it. Include Security found the same split running through the whole SDK: the peer channel is one part, and a separate control channel that handles configuration and telemetry runs on networking code that most app-monitoring tools don’t watch. Together, they leave the SDK effectively invisible to both types of inspection.
Smart TVs can offer a more attractive proxy source, as they’re usually plugged in and connected to stable home Wi-Fi, but are less monitored than phones or laptops. Users can see changes in mobile VPNs and how apps drain a phone's battery, while TV background activity often stays invisible.
|
Factor |
Smartphone |
Smart TV |
|---|---|---|
|
Power |
Battery-limited |
Plugged in for long periods |
|
Network |
Moves between Wi-Fi and cellular |
Stable home Wi-Fi |
|
User control |
Easier to inspect apps and VPN status |
Limited background traffic visibility |
|
Consent screen |
Touchscreen reading and scrolling |
Remote-control navigation |
|
Monitoring |
Security tools are more common |
Network inspection is rare |
The issue became more serious once the same proxy-sourcing model appeared in connected TV ecosystems. According to The Verge, Bright Data pitched its SDK to streaming app publishers on Samsung Tizen and LG webOS as an app monetization model, and has published over 200 first-party apps on LG’s app store.
Include Security also saw CTV-focused companies in Bright Data’s public partner list, including PlayWorks Digital, CloudTV, and Longvision. The report says PlayWorks had reach across roughly 250 million TV homes, while CloudTV had integrations across 125+ TV brands and 15+ OEMs.
A partner-manifest entry doesn’t prove every current app from that publisher contains the Bright Data SDK, but it does show the supply-chain route between TV app publishers, monetization SDKs, and residential proxy pools.
The major companies did not respond in the same way to the smart TV apps selling data issue.
Google Play says apps that facilitate proxy services to third parties may only do so when the proxy service is the primary, user-facing core purpose. Amazon’s Device and System Abuse Policy prohibits apps that facilitate proxy services to third parties.
The Verge also reported that Google, Amazon, and Roku have restricted background proxy SDKs, and Bright Data itself confirmed via spokesperson Jennifer Burns that it no longer supports those platforms. The same report also stated that Bright Data still lists Samsung Tizen and LG webOS as supported TV platforms.
That platform enforcement gap became more important after Spur’s 2026 report scanned 6,038 LG webOS and Samsung Tizen apps and found residential proxy SDK smart TV apps in 2,058 of them. 42.5% of LG webOS apps and 26.9% of Samsung Tizen apps, including 367 tied to Bright Data-related entities.
For users, this raises a practical privacy concern about LG and Samsung smart TVs selling data, and since these platforms’ controls are inconsistent, router-level blocking and app removal are the most realistic user-side controls.
LG and Samsung have not published any policy on these SDKs, and neither company has issued a public response to the findings.
For users, the real LG privacy policy check is done at the app-level, not just the platform level. You should review the privacy policies, EULAs, and consent screens for all your free apps to see if they mention sharing your bandwidth, unused resources, proxy services, or third-party network access.
Bright Data, previously known as Luminati Networks, publicly changed its name in 2018. The earlier name is tied to the 2015 Hola VPN controversy, where Luminati sold Hola users’ bandwidth without their knowledge. Today, the Bright Data SDK model runs through an explicit opt-in screen and a compliance review before a partner app can ship it.
Currently, Bright Data’s residential network gives access to over 400 million residential IPs across 195+ countries, routed through real devices whose owners have explicitly opted in. Include Security and The Hacker News have both reported that over 150M IPs are sourced through a consent SDK embedded in partner apps, presumably including those on smart TVs.
The main point is that none of this makes residential proxies unsafe. The difference comes down to the provider’s sourcing, documentation, customer vetting, and abuse prevention.
Proxy-Seller is a proxy infrastructure provider that offers residential, ISP, datacenter, and mobile proxies, where each residential IP is assigned by an internet service provider to a real device: that’s what makes sourcing transparency possible to document in the first place.
Choosing between residential proxy providers? Sourcing transparency is a fair first question to ask. Our team can walk you through how Proxy-Seller's residential proxies work for your use case. Talk to our team.
Bright Data’s public position is that the Bright Data SDK is fully consent-based and doesn’t collect, store, or share personal data, operating exclusively through approved partner apps: the Bright Data ethical sourcing residential proxies claim researchers are now examining alongside actual SDK behavior. The Bright Data privacy policy also states that app users must explicitly agree to join the network through a dedicated consent screen.
Bright Data’s response to the report, issued on June 17 by PR Lead Jennifer Burns, points to three concrete backers for that position:
In the same June 17 statement, Jennifer Burns acknowledged that the iOS VPN bypass identified by Include Security is a bug and has been fixed. Bright Data has kept the same monetization model live on Samsung Tizen and LG webOS.
Bright Data’s stated position addresses these concerns at the policy level. Researchers focused on how the SDK behaves in practice and how that compares with what users are actually told.
Include Security cited Petflix, a Roku app, as an example of this consent gap. Its Bright Data prompt stated that the app could stay free with fewer ads if users consented to Bright Data “occasionally” using free device resources and their IP address to download public web data. However, the reviewed SDK configuration allowed up to 200 GB of Wi-Fi traffic monthly.
The same configuration adds two more layers to the disparity. The idle rules contain flags called ignore_screen_on and ignore_on_call so that the device is considered available for relaying even if the user is watching the screen or on a call. The config also links installs across platforms into a single profile: the documented dual_pairing map ties an iOS, Windows, and macOS install of the same publisher’s apps into one tracked identity.
That’s where dark patterns become central in the discussion: hidden clauses and interface or wording choices that steer users toward consent without fully clarifying the trade-offs. Even more so when the user reads privacy terms and the end-user license agreement (EULA) through a remote-control interface.
The main concern for users revolves around smart TV apps IP address exposure: a third-party job running on their TV, phone, or computer means the target site sees the household connection as the source. Automated traffic could cause IP reputation blacklist, increase CAPTCHA requests, and trigger blocks for the household network.
Some of the other major concerns of smart TV apps selling data include:
These risks don’t mean that every request made through an SDK is considered malicious. However, it does mean that users are likely to inherit the reputation and traceability issues of others.
Users can use DNS blocking along with a basic app audit to reduce exposure. This is especially important for smart TVs, as the interface provides a poor way to review recurring network activity, consent state, or potential privacy policy violations.
Make sure to block these domains first:
Include Security states that blocking proxyjs.* will eliminate the peer tunnel while keeping Bright Data’s customer-facing proxy service intact on separate domains. DNS blocking is useful but doesn’t provide long-lasting safety: SDK operators can change hostnames, platforms can patch loopholes, and apps can push updates. It’s good practice for users to remove any apps they don’t fully trust.
A transparent residential proxy network should clearly outline the IP sources, user consent model, permissible traffic types, and abuse prevention measures before a customer ever sends production traffic through the network.
A residential proxy network can serve as legitimate access infrastructure when careful sourcing, obtaining consent, imposing traffic limits, customer vetting, and abuse controls are well documented. Companies that purchase residential proxies should therefore look beyond price and pool size and consider sourcing documentation, authentication, and the provider's ability to clearly explain where the traffic originates.
In light of today's Bright Data news about smart TV apps selling data, teams comparing Bright Data alternatives should prioritize transparency as the most important evaluation metric.
Need residential proxies for your next project? Proxy-Seller offers residential proxies across 220+ locations, with plans from 1.3/GB that fit both quick pilots and steady workloads. See residential proxies.
Include Security’s research revealed how app monetization can turn into a household network risk when the Bright Data SDK runs with minimal user visibility. Users should evaluate their smart TV apps, remove any they don’t trust, and block the known Bright SDK domains at the router level. Businesses should treat this smart TV app data-selling incident as a lesson in vendor sourcing: speed and IP volume don’t replace transparent consent, routing, and partner vetting.
The Bright Data SDK is an app monetization SDK that allows opted-in devices to participate in Bright Data’s residential proxy network. Luminati Networks (formerly Bright Data) had prior compliance issues with Hola VPN. Bright Data claims the model is consent-based and does not collect end-user data. Security experts focused on whether users fully understand that their device and IP address may relay third-party AI web-scraping traffic.
The app that uses the Bright Data SDK displays an opt-in message. From there, the SDK retrieves configuration and opens a peer-to-peer tunnel to the Bright Data infrastructure. If the Smart TV meets the eligibility criteria, it can receive web request jobs from the server. Smart TVs perform these tasks via their home internet connection, so the target site sees the user’s residential IP.
There’s no universal answer because the legality of each case depends on the jurisdiction, consent wording, app store rules, privacy and data processing statements, and actual traffic behavior. A better, more practical question is whether the user has clear, specific, revocable control that is easy to administer. If the consent is vague, hard to find, or hard to manage, the legal and compliance risk grows.
It is reported that Google, Amazon, and Roku restricted SDKs that enable background proxy behavior. Google Play limits third-party proxy services to apps where the proxy service is the app's main user-facing purpose, while Amazon prohibits apps that facilitate proxy services to third parties. Samsung Tizen and LG webOS remain the main smart TV ecosystems discussed in current reporting.
Use router-level DNS filtering through Pi-hole, NextDNS, Cloudflare Gateway, or your router’s built-in denylist. Block: proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. Then restart the TV and check your DNS logs. This will reduce the peer traffic iterated by the Bright SDK, but app removal is still recommended.
Comments: 0