
"Many of these trackers are also available in the Apple iOS app store, though technical and legal barriers limit privacy and security analysis."

https://law.yale.edu/yls-today/news/isp-privacy-lab-publishe...

And from https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.htm...:

"As Exodus and Yale note, these trackers are almost certainly also present in iOS: the companies that make them advertise their iOS compatibility, for one thing. But iOS is DRM-locked and it’s a felony – punishable by a 5-year prison sentence and a $500,000 fine for a first offense in the USA under DMCA 1201, and similar provisions of Article 6 of the EUCD in France where Exodus is located – to distribute tools that bypass this DRM, even for the essential work of discovering whether billions of people are at risk due to covert spying from the platform."




Exodus can detect a number of them: https://exodus-privacy.eu.org/en/

By installing their app, you can see the trackers for each app that you have installed. If you use Yalp store (an open source front-end for the Play Store), there is also a button to view trackers for each app.

Edit: just saw that you're on iOS. This is probably not allowed by Apple, so I guess there will be no alternative.


OK, so I can’t access that for unless I either:

- give consent for 3rd party tracking

- pay €10

Regarding their language, yeah, this is just a scare tactic. Remember how 95% of Facebook users on iOS opted out from tracking after the iOS 14.5 update?


"...We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple's policies and exposing the limits of what ATT can do against tracking on iOS...

...This is especially concerning because we explicitly refused opt-in to tracking in our study, and consent is a legal requirement for tracking under EU and UK data protection law...

...We find that Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring from its new rules, and that the new Privacy Nutrition Labels were often inaccurate...

...Overall, our findings suggest that, while tracking individual users is more difficult now, the changes reinforce existing market power of gatekeeper companies with access to large troves of first-party data..."

https://arxiv.org/pdf/2204.03556.pdf


I never thought of Apple as caring much about privacy given the insane amount of third party tracking scripts loaded in apps on the AppStore. What I would give for LittleSnitch running on iOS...

My hearsay impression is that Apple can and do track in ways they prevent 3rd parties from doing on their platform.

>without [...] tracking

of the ios apps they listed:

apollo: has anonymous analytics

narwhal: has "Usage Data Advertising Data" under "Data Used to Track You" and "Data Linked to You", has anonymous analytics/usage/crash logs, and uses your device id

not exactly escaping much tracking here.


It's accessible by apps via API and they can use it to track users (as long as they pinky swear that they'll listen to the Opt-out switch as well).

Apple's analogue is IDFA for which noyb also already filed a complaint - https://noyb.eu/en/noyb-files-complaints-against-apples-trac...


>Annoyingly, Apple recently removed the means to block such tracking from apps as well:

IMO, it's the right decision. Blocking via VPN is a privacy nightmare. They can intercept all traffic.


Given their business models, maybe certain major apps would have refused to support iOS if they weren't allowed to track their users.

Engadget is not a good link. It's multiple links removed from the source. The article begins, "Apple will soon start cracking down on Apps that collect data on users' devices in order to track them (aka "fingerprinting"), according to an article on its developer site spotted by 9to5Mac."

https://developer.apple.com/documentation/bundleresources/pr...

https://9to5mac.com/2023/07/27/app-store-describe-app-api/

Also, Apple posted it here, which is likely where 9to5mac saw it: https://developer.apple.com/news/?id=z6fu1dcu

Simultaneous HN discussion: https://news.ycombinator.com/item?id=36900782


> You've never searched for something in a mobile app and then seen an ad for it elsewhere? You don't think that tracking networks exist for mobile apps?

Well Apple decimated that ability with ATT. Facebook even admitted for instance they projected losing billions when Apple made cross app tracking opt in.

> The big difference is details like the fact that those mobile apps can't be used with adblockers or anti-tracking protections

https://cybernews.com/best-vpn/vpn-for-ad-blocking/

> This really genuinely is not a subjective take -- it is an objective fact that mobile platforms expose more fingerprinting and tracking vectors than browsers do.

You named one additional way that you can track on an app if a user uses a web view.

There are dozens of ways that websites can track you without your permission that aren’t available in apps.

> and allow for persistent storage and identifiers that are more difficult to construct on the web

Really? You can’t do persistent storage on the web that’s available cross site?

> And native platforms do not provide user-controlled mechanisms like adblockers to reduce or eliminate trackers within apps. That is true of both iOS and Android.

In fact they do, I just cited a list of VPNs you can install.

> Generally no, on the web I use an adblocker so I don't see ads at all, let alone ads that follow me around. Notably, adblocking is not possible for native iOS applications

Good thing that every single person or even the majority of people use ad blockers…


Now if only they would extend that consideration to include the vast majority of people on this planet that do not own nor use any Apple products.

How many Android users are being stalked without knowing about it?

And yes, there are FOSS solutions on F-droid that partially solve this. But normal users won't know how to find them, and the onus is on Apple to supply an app with these kinds of features given that they are producing these trackers.

/edit: I just now see mentions of an official Apple detector app that does just what I mentioned (had completely gone by me). While I'd rather that there were no trackers like these made, this will at least do for now.

/edit2: It seems this official app requires users to actively scan for trackers rather than doing so from the background. That makes this a very weak attempt at appeasing the worries of non-Apple users. Then the FOSS Airguard app is much better.


> It relies too heavily on trusting the very tracking companies that the policies are supposed to be protecting users against: Apple’s definition allows apps to secretly send any and all of your data to third parties, and as long as those third parties publicly claim they won’t link your data to other sites or sell it, it’s not considered “tracking” by Apple. It is a 100% trust-based honor system, which means that the only way for these companies to get caught “tracking” is to literally pen a public confession of guilt or wrongdoing — something that profit-driven companies are not exactly known for doing.

>...

>Not only do these trackers allow their clients to break Apple’s rules, but they specifically built features to help their clients easily circumvent Apple’s ATT privacy rules.

>First, we created a dummy app that used the Kochava tracking service. With just a few clicks, we configured Kochava to violate Apple’s “ATT Opt-Out” by asking it to track users across apps (using “IP address” and “User Agent”) for the purpose of ad targeting (“Paid Media”). Basically, Kochava made it really convenient for any app developer to violate even Apple’s narrow definition of tracking.

>We later performed the same test with the AppsFlyer tracking service (which, as previously mentioned, hides the data it sends off your device), and it was even easier to enable “privacy cheat mode” and track users against their consent — all it took was clicking a single button.

Wow.


The article just below it indicates users can opt-out but mobile tracking is such a big business I am sure that if it actually is possible, it is not easy.

Anyone have good privacy resources for mobile/iOS? My phone security is nowhere near where it should be.


As the other comments mentioned, I meant purging trackers from iOS apps.

There's a privacy reason to do it but also a business reason. Apple shouldn't have apps on their platform with dependencies to major competitors like Google and Facebook. And it's probably going to be ruled illegal anyway after the GDPR cases get litigated, so it's better to get ahead of it.


It's not exactly clear to me based on the article or the ones linked if they are out of line with their own privacy policy. Denying app tracking on a specific app doesn't actually prevent the app developer from collecting analytics data. If they are breaking their own rules that's not entirely surprising and hopefully they are forced to follow them as well.

It is kind of sketchy that they have a way to turn off "device" analytics which one would assume is tied to Apple's apps but that doesn't seem to be the case.


I find it illuminating that this website tries to load at least 7 trackers, including from Facebook and Google, and that scrolling is broken when they are blocked.

No current app store effectively blocks any of this, but I certainly imagine their envisioned free-for-all involves even more invasive trackers, to which I say "no thanks."

I hope Apple quadruples down on their privacy stance and starts blocking this BS that's built into apps.


Do you have some kind of source that would indicate that phone apps on iOS cannot possibly have any sort of 3rd party trackers?

No claims in the article were made regarding the iOS version of the app, so I don't know why we should jump to the conclusion that the iOS version doesn't track what you do and report to 3rd parties.

It looks like the iOS app was not included in the test at all, so no conclusion can be assumed.


Oh yes the fun thing about iOS is that the browser is super private so Google & Co have a problem but the apps themselves are also rife with trackers and there is almost no limit to what they do and barely any way to block it. I mean they only banned screenshots being taken of actual users' screens, which basically means anything that's less worse than that still goes.

As a consumer I would love a good scandal that would force them to tighten up on in-app trackers as well. But it might hurt my employers.
