Some popular iPhone apps are using some sneaky techniques to uniquely identify you, even if you refused permission for app tracking. The data they are gathering includes everything from your iPhone’s Last Restart Time to your screen brightness setting measured to 15 significant digits.

A former iCloud engineer says that this type of privacy workaround makes Apple’s App Tracking Transparency rules a “dud” …

App Tracking

App Tracking works by Apple assigning a unique identifier to your device. It doesn’t reveal any details about you, but does allow them to see (for example) that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 has visited gadget websites, and therefore would be a good target for gadget ads. It also allows them to see that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 was shown an ad for a particular product on a particular website, then subsequently went to a particular retailer site to buy it – therefore that ad was (likely) successful.

With App Tracking Transparency, app developers must ask you if you want to allow that tracking. If you say no (as most people do), then the apps are not allowed to use that system.

Device fingerprinting

The ad industry was concerned, but quickly decided that there were workarounds to this. Specifically, particular types of device fingerprinting.

Whenever you visit a website, your browser hands over a bunch of data intended to ensure that the site displays correctly on your device. A website needs to display itself very differently on an iMac and an iPhone, for example. As time has gone on, and websites have become more sophisticated, the amount of data your browser hands over has grown […]

Want to see if your device can be uniquely identified? Go to this website or this one and run the test. If you’re worried about doing this, bear in mind that any website can do the same thing – the only difference with these sites is they are showing you your data. But if it makes you feel more comfortable, amiunique.org makes its source code available, and Panopticlick is run by the EFF.

Apple responded by saying, nope, you can’t do that either. If the user says no to tracking, you can’t use any method to do it. But some popular apps are breaking the rules.

The Washington Post reports that an analysis of a number of popular iPhone apps found that they were sending a crazy amount of data about your device to an ad company. It seems pretty obvious that the specificity of this data is designed to fingerprint your device.

Say you open the app Subway Surfers, listed as one of the App Store’s “must-play” games. It asks if you’re OK with the app “tracking” you, a question iPhones started displaying in April as part of a privacy crackdown by Apple. Saying no is supposed to stop apps such as Subway Surfers and Facebook from learning about what you do in other apps and websites.

But something curious happens after you ask not to be tracked, according to an investigation by researchers at privacy software maker Lockdown and The Washington Post. Subway Surfers starts sending an outside ad company called Chartboost 29 very specific data points about your iPhone, including your Internet address, your free storage, your current volume level (to 3 decimal points) and even your battery level (to 15 decimal points). It’s the kind of unique data that could be used by advertisers to identify your iPhone, possibly letting them know what other apps you use or how to target you […]

We found at least three popular iPhone games share a substantial amount of identifying information with ad companies, even after being asked not to track.

While Apple says this isn’t allowed, the WP said that it notified the iPhone maker of the specific apps and the data they were leaking, several weeks ago – but no action has been taken. A former Apple engineer says this makes the rules useless.

When it comes to stopping third-party trackers, App Tracking Transparency is a dud. Worse, giving users the option to tap an ‘Ask App Not To Track’ button may even give users a false sense of privacy,” said Lockdown co-founder Johnny Lin, a former Apple iCloud engineer.

The paper says that none of the app developers concerned were able to explain why they were collecting all this data and sending it to ad companies.

“In order for the game to function properly, some data is communicated to Ad Networks,” emailed Sybo, the company that makes Subway Surfers. “As a company, we do not track users for advertising purposes without their consent.” It didn’t specify why it needed to send so much personal information to ad companies to function properly.

Some of the data, like current battery levels and volume settings, would only identify your device in the moment, but more persistent data could be combined to create a permanent digital signature.

Photo: Sandro Kradolfer/Unsplash

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear