Despite Apple’s ATT, your iOS App may be Tracking You

In 2021, Apple enacted the App Tracking Transparency policy, which prevents app creators from tracking users’ activities across other apps without first obtaining their permission. The policy was highly praised by privacy advocates, though there were also warnings that it could spell the end for companies relying on targeted advertising. However, recent research has shown that ATT (as it’s commonly called) is not that effective in preventing the collection of users’ personal data.

The basic principle of ATT is that when installing an app, the user must click ‘Allow’ for the app to track activity across other companies’ apps and websites. Without this, the app is unable to access the Identifier for Advertisers (IDFA), a special identifier in iOS or iPadOS. In addition, Apple requires app creators to provide ‘privacy nutrition labels’ that declare the types of device and user data they collect and how that data will be used.

Research that surfaced last week found that loopholes in the ATT framework gave large companies like Facebook and Google the opportunity to get around the protections and collect even more data.

‘Overall, our observations suggest that, while Apple’s changes make tracking individual users more difficult, they motivate a counter-movement, and reinforce existing market power of gatekeeper companies with access to large troves of first-party data,’ the researchers wrote. ‘Making the privacy properties of apps transparent through large-scale analysis remains a difficult target for independent researchers, and a key obstacle to meaningful, accountable and verifiable privacy protections.’

The researchers identified about nine iOS apps that used server-side code to generate a mutual user identifier that the Chinese tech company Alibaba could use for cross-app tracking. ‘The sharing of device information for purposes of fingerprinting would be in violation of Apple’s policies, which do not allow developers to “derive data from a device for the purpose of uniquely identifying it,”’ the researchers wrote.

The researchers also noted that Apple itself isn’t required to follow the ATT policy in many cases, allowing it to collect more data. Apple exempts tracking for purposes of ‘obtaining information on a consumer’s creditworthiness for the specific purpose of making a credit determination.’

A comparison of 1,685 apps published before and after ATT was enacted showed that the number of tracking libraries remained mostly the same. The most commonly used libraries (Apple’s SKAdNetwork, Google Crashlytics and Google Firebase Analytics) remained the same. About a quarter of these apps claimed they didn’t collect users’ personal data, but 80% of them had at least one such library.

Despite its shortcomings, ATT has its uses. The best way to enforce ATT is to go to Settings > Privacy > Tracking in iOS and turn off ‘Allow Apps to Request to Track’.

By Marvellous Iwendi.

Source: Ars Technica