Last week, Apple began requiring iOS developers to justify their use of a specific set of APIs that can be used to fingerprint devices. Yet iGiant doesn’t seem to be doing much to ensure Google, Meta and Spotify comply, it claims.
Device fingerprinting involves collecting information about various device settings and components, then combining them into a single identifier that is likely to be unique and therefore useful for targeting people with ads and other things tailored to their individual interests and circumstances.
There are other forms of fingerprinting, including browser settings, the HTML Canvas element, WebGL, fonts, etc., some of which have legitimate commercial applications, such as bot detection. But digital fingerprints can also be used to breach privacy and track people online.
We found that apps like Google Chrome, Instagram, Spotify, and Threads didn’t stick to their stated reasons
Although Apple allows user tracking if permission is given, it mostly prohibits device-level fingerprinting in iOS, at least in theory. It made this policy official in a recent blog post.
As such, iBiz now requires app developers to provide, among other things, reasons for using any of its designated “required APIs” that can be used for device fingerprinting.
Crucially, the data collected by these fingerprintable interfaces must remain on the user’s device to maximize privacy.
The iPhone maker explains this in its developer documentation. “Some APIs that your app uses to provide its core functionality—in code that you write or include in a third-party SDK—have the potential to be abused to access device signals to try to identify the device or the user, also known as a fingerprint,” Apple’s developer website says. “Regardless of whether a user gives your app permission to track, fingerprinting is not allowed.”
Examples of these fingerprint-friendly APIs include: File Stamp API, System Boot Time API, Disk Space API, Active Keyboard API, and User Defaults API.
Starting May 1, 2024, apps that do not include reasons for using these APIs in the privacy manifest file will not be accepted into the iOS App Store. Previously, Apple simply sent non-compliant developers an email warning.
According to developers Talal Haj Bakry and Tommy Mysk, several major app developers are simply ignoring Apple’s requirements and using APIs that are suitable for tracking without adhering to the rules. Big tech players like Google, Meta and Spotify – the duo claim – provide reasons for this API use, collect this data and then fail to comply with the requirement to store this information on the device.
In other words, Google, Meta and Spotify collect at least some information from these APIs and then send that data to the database against Apple’s rules, he told us.
“To prevent abuse of these APIs, Apple will reject applications that do not describe their use of the API in their privacy manifest file,” the pair explained in an advisory. “However, we’ve found that apps like Google Chrome, Instagram, Spotify and Threads don’t stick to their stated reasons.”
The register asked Google, Meta, and Spotify if they actually use these “must-cause APIs” to fingerprint iOS devices and broadcast that data to backend servers, and we didn’t hear back from the latter two. A Google spokesperson confirmed it was looking into the report, but did not immediately receive a response.
“It’s hard to tell if apps are using the fingerprint information or not,” Mysk said in a statement to The registry. “But Apple has already classified a set of APIs that could potentially be used for fingerprinting. Applications that access such APIs must declare the reasons why they need such access.’
Apple publishes a list of valid reasons for using certain APIs that expose information useful for fingerprints. For example, iOS provides an API called systemUptime that can be queried to provide the time since the device was last rebooted.
Developers who want to use this API can choose from several allowed reasons, one of which must be declared in a manifest file. Google, for example, chose 35F9.1, with italics added by us for emphasis:
Although Apple’s rule clearly states that runtime data cannot be sent outside the device, Google Chrome appears to be doing just that, based on an analysis of network data by Bakry and Mysk. The rule allows for an exception, but one that doesn’t apply to Chrome.
“No, this exception has to do with local use of device runtime to order events for example,” Mysk said The registerexplaining that Google has the option to transmit relative time intervals between two events, but not the absolute number of times the device was up.
Mysk argues that Apple’s APIs for “must reasons,” such as their food privacy labels, constitute privacy theater because there appears to be no enforcement.
“Just like nutrition privacy labels, developers are free to put in whatever they want,” Mysk said.
“Apple doesn’t seem to review whether the description is accurate or not.” Although the nutrition labels are visible to users, the required reason API is not. So it’s unclear how this will prevent fingerprinting and improve user privacy if Apple doesn’t verify the reasons developers present.”
Cupertino did not respond to a request for comment. ®
