Meta, Spotify break Apple's device fingerprinting rules – new claim

And the iOS titan doesn't seem that bothered with data leaking out


Updated: Last week, Apple began requiring iOS developers to justify the use of a specific set of APIs that could be used for device fingerprinting.

Yet the iGiant doesn't appear to be making much effort to ensure that the likes of Meta and Spotify comply with the rules, it's claimed.

Google was also accused of breaking Cupertino's rules, though the web giant insists it's not doing anything wrong; see the update below.

What's the issue?

Device fingerprinting involves collecting information about various device settings and components, then combining those into a single identifier that's likely to be unique and thus useful for targeting people with ads and other stuff tailored to their individual interests and circumstances.

There are other forms of fingerprinting involving browser settings, the HTML Canvas element, WebGL, fonts, and so on, some of which have legitimate commercial applications, such as bot detection. But digital fingerprinting can also be used to violate privacy and track people online.

While Apple allows user tracking if permission has been granted, it mostly forbids device-level fingerprinting on iOS, at least in theory. It made that policy official in a recent blog post.

As such, the iBiz now requires app developers to supply, among other things, reasons for using any of its designated "required reason APIs" that can be used for device fingerprinting.

Crucially, data collected from these interfaces, which could be used for fingerprinting, must stay on the user's device to maximize privacy.

The iPhone maker explains as much in its developer documentation. "Some APIs that your app uses to deliver its core functionality — in code you write or included in a third-party SDK — have the potential of being misused to access device signals to try to identify the device or user, also known as fingerprinting," Apple's developer website states. "Regardless of whether a user gives your app permission to track, fingerprinting is not allowed."

Examples of these fingerprint-friendly APIs include: File timestamp APIs, System boot time APIs, Disk space APIs, Active keyboard APIs, and User defaults APIs.

As of May 1, 2024, apps that fail to include reasons for using these APIs in their privacy manifest file won't be accepted in the iOS App Store. Previously, Apple just sent non-compliant developers an email warning.

According to developers Talal Haj Bakry and Tommy Mysk, several major app makers are simply ignoring Apple's requirements, and using tracker-happy APIs without sticking to the rules. Big Tech players like Google, Meta, and Spotify - the duo claim - are providing reasons for this API usage, collecting that data, and then not abiding by the requirement to keep that information on the device.

In other words, Google, Meta, and Spotify are all collecting at least some info from these APIs and then sending that data off-device seemingly against Apple's rules, we're told.

"To prevent misuse of these APIs, Apple will reject apps that don’t describe their use of the APIs in their privacy manifest file," the pair explain in an advisory. "However, we found out that apps such as Google Chrome, Instagram, Spotify, and Threads don’t adhere to their declared reasons."

The Register asked Google, Meta, and Spotify whether they are in fact using these "required reason APIs" for iOS device fingerprinting and beaming that data off to backend servers, and we've not heard back from the last two. A Google spokesperson confirmed it is looking into the report, but didn't immediately have a response.

"It's hard to tell if the apps are using the information for fingerprinting or not," said Mysk in a message to The Register. "But Apple already classified a set of APIs that can potentially be used for fingerprinting. Apps accessing such APIs must declare the reasons why they need such access."

Apple has published a list of valid reasons for using certain APIs that reveal information useful for fingerprinting. For example, iOS provides an API called systemUptime that can be queried to provide the time elapsed since the device was last restarted.

Developers who want to use this API can select from several allowed reasons, one of which must be declared in a manifest file. Google, for example, has chosen 35F9.1, with italics added by us for emphasis:

Declare this reason to access the system boot time in order to measure the amount of time that has elapsed between events that occurred within the app or to perform calculations to enable timers.

Information accessed for this reason, or any derived information, may not be sent off-device. There is an exception for information about the amount of time that has elapsed between events that occurred within the app, which may be sent off-device.

Although Apple's rule plainly states that uptime data cannot be sent off-device, Google Chrome appears to be doing just that, based on network data analysis from Bakry and Mysk. The rule does allow for an exception, but one that doesn't apply to Chrome.

"No, this exception is about using the system uptime on-device locally to order events for example," Mysk told The Register, explaining that Google has the option to transmit relative time intervals between two events but not the absolute device uptime number.
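Added here as an illustration (not code from the article, Bakry and Mysk, or Apple): a Python audit of an app's privacy manifest that lists each declared required reason API and marks the entries whose reason, like 35F9.1, keeps the data on the device. The manifest key names are Apple's as used in PrivacyInfo.xcprivacy rather than taken from this page, the sample manifest is constructed, and only the one reason quoted above is modelled.

```python
import plistlib

# Manifest category identifiers for the five API groups the article lists
# (names from Apple's privacy manifest format, not from the article itself).
CATEGORIES = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": "File timestamp APIs",
    "NSPrivacyAccessedAPICategorySystemBootTime": "System boot time APIs",
    "NSPrivacyAccessedAPICategoryDiskSpace": "Disk space APIs",
    "NSPrivacyAccessedAPICategoryActiveKeyboards": "Active keyboard APIs",
    "NSPrivacyAccessedAPICategoryUserDefaults": "User defaults APIs",
}
# Reasons whose text forbids sending the data off-device. Only the reason
# quoted in the article is modelled; extend from Apple's published list.
ON_DEVICE_ONLY = {"35F9.1"}
# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>NSPrivacyAccessedAPITypes</key><array>
<dict><key>NSPrivacyAccessedAPIType</key>
  <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
  <key>NSPrivacyAccessedAPITypeReasons</key><array><string>35F9.1</string></array></dict>
<dict><key>NSPrivacyAccessedAPIType</key>
  <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
  <key>NSPrivacyAccessedAPITypeReasons</key><array/></dict>
<dict><key>NSPrivacyAccessedAPIType</key>
  <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
  <key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array></dict>
</array></dict></plist>"""

def audit_manifest(raw: bytes) -> list[dict]:
    """Return one finding per declared required-reason API category."""
    findings = []
    for entry in plistlib.loads(raw).get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType", "")
        reasons = list(entry.get("NSPrivacyAccessedAPITypeReasons", []))
        if category not in CATEGORIES:
            status = "unknown-category"
        elif not reasons:
            status = "missing-reason"    # API use declared without a reason
        elif ON_DEVICE_ONLY.intersection(reasons):
            status = "on-device-only"    # compare against observed traffic
        else:
            status = "declared"
        findings.append({"api": CATEGORIES.get(category, category),
                         "reasons": reasons, "status": status})
    return findings

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['status']:<16} {f['api']:<24} {', '.join(f['reasons']) or '-'}")
```

Entries marked on-device-only are the ones to compare against captured network traffic, which is the kind of analysis the researchers describe.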

Mysk argues that Apple's "required reason APIs," like its Privacy Nutrition Labels, amount to privacy theater because there appears to be no enforcement.

"Just like the Privacy Nutrition Labels, developers are free to enter what they please," said Mysk.

"Apple doesn't seem to review if the description is accurate or not. While the nutrition labels are visible to the users, the required reason API isn't. So, it is not clear how that is going to prevent fingerprinting and enhance user privacy if Apple doesn't check the reasons developers submit."

Cupertino did not respond to a request for comment. ®

Updated to add on May 7

Google's spokespeople have assured us that, having looked into this issue, the data taken off-device is not used for tracking, and the software is working as expected.

“We’ve reviewed the research and determined that Chrome’s behavior does not violate Apple’s policy, and the data is not being used for fingerprinting,” a spokesperson told us.

“Instead, this data is being used to ensure proper device functionality.”

According to Google, the data being sent off device is not derived from the required reason APIs but is being used to maintain clock accuracy when affected by situations like time zone changes.
