Apple bypasses tracking protection in its own apps

iPhone users can prohibit iOS apps from tracking them. This protection should actually also apply to apps from Apple itself. However, security researchers have now found that the company continues to track user data.

Starting with iOS 14.5, Apple offers a feature that allows users to refuse tracking requests from apps. With App Tracking Transparency (ATT), users can ensure that data from apps is not passed on to third parties and used for advertising on Apple devices. Apps are thus actively restricted in their tracking activities. This is to improve user privacy. The app developers and marketers had strong concerns when the feature was introduced. However, most apps are now ATT-compliant. But does the function give users a false sense of security?

Verification shows app tracking by Apple

Two independent security researchers have made it public that Apple collects data about its users. Even if they set to prevent “tracking activities of an app via companies, apps and websites”. To do this, the researchers checked the data traffic of some Apple apps on the iPhone. They found that privacy settings have no apparent impact on tracking in iOS. Apple’s own apps such as the App Store, Apple Music, Apple TV, Books and the Stocks app continued to diligently collect data.

This is where you will find content from Twitter

In order to interact with or display content from social networks, we need your consent.

Twitter post by software company Mysk

Every tap of a finger was registered in the App Store and forwarded to Apple, even though data transfer for apps was deactivated. Above all, Apple seems to be interested in what apps users are looking for and exactly how they use the apps.

Also read: Apple reveals the best tricks for the iPhone

Collection of accurate tracking data

What is interesting is that Apple collected the tracking data from the App Store in real time. The company thus knows how long a user looks at an app, how he searches for it and which advertisements he sees. The app also collects details about the device. The device ID is saved for this purpose. The tech giant is also interested in which smartphone model and screen resolution it is. There is also data about the keyboard language and the type of Internet connection.

Apple, for example, also tracks the list of watched stocks in the stocks app and which company shares a user is primarily looking for. According to the security researchers, open news articles in the app are also part of the data analysis. In addition, when tracking in the stock app, Apple creates a time stamp at which time the activities took place.

This means that exactly the data is available with which precise device tracking is possible. Because most apps sent analysis data with the same ID. This enables Apple to network data across services. Security researchers Mysk said speaking to online magazine gizmodothe “[a]All possible options for personalized advertising, personalized recommendations and the sharing of usage data and analysis were switched off”. However, Apple excludes some apps from tracking. The Apple apps Health and Wallet therefore do not transmit any analysis data, regardless of whether the analysis data was switched on or off on the iPhone.

How does Apple deal with data protection?

The question arises whether the privacy settings do not live up to their promises. The researchers only tested the function in iOS 14.6. The App Tracking Transparency (ATT) can also be found in the current iOS 16.

In iOS there is a setting to automatically reject tracking.
Photo: TECHBOOK screenshot via iOS 15.6

According to the description, when activities are recorded on other companies’ apps and websites, permission is automatically denied. The ID for tracking the activities is therefore also revoked. However, in an April 2022 whitepaper on the ATT, Apple explains exactly what activity tracking means. The company divides activity tracking data into two categories:

  • First Party Data: This is data generated by a company about the activities of consumers online or offline.
  • Third Party Data: This is data about consumer activity that is only available because it was shared across organizations, purchased, or linked across organizations by third parties.

With ATT, it is necessary for apps to ask users for permission, for example if they want to integrate third-party code into the app. Sharing device location, email lists, or advertising IDs with a data vendor without permission is also prohibited.

But all this does not apply to first-party data! As the Apple white paper explains:

“ATT does not limit the ability of iOS apps to collect or use first-party data. ATT only applies to third-party data and does not affect the use of first-party data. ATT in no way prohibits companies from collecting first-party data, even if users refuse permission to be tracked.”

MOBILE ADVERTISING AND THE IMPACT OF APPLE’S APP TRACKING TRANSPARENCY POLICY • KINSHUK JERATH.

Thus, it is clear that apps installed on the phone continue to collect data. While a company can’t share these with a third party or ad network without permission, it can still use them for itself. This leaves large companies like Apple with many options for processing this data. The findings of the two security researchers should therefore also apply to later iOS versions.

Source:

Apple: Mobile Advertising and the Impact of Apple’s App Tracking Transparency Policy (accessed on November 10, 2022)

ttn-35