Hand holding Apple iPhone and Android phone showing same app privacy

Oxford Study: iPhone App Privacy Not Superior to Android, Equal Amounts of User Tracking Seen on Both Platforms

An in-depth study from the University of Oxford has examined 24,000 Apple App Store and Google Play apps, and found that Apple’s “walled garden” approach has not necessarily made a difference in terms of app privacy. Users of both platforms can expect “broad” third-party tracking by advertisers, and iOS apps actually performed much more poorly in terms of protecting the location data of children.

The study was done on apps available in 2020, which means it does not incorporate Apple’s iOS 14.5 “App Tracking Transparency” framework. That update merely guarantees that the unique Apple device identifier (IDFA) is not used for tracking purposes without user consent, however; as other recent studies have shown, device fingerprinting remains rampant on the App Store even though it has been banned by Apple.

Study raises more questions about Apple app privacy

Apple’s privacy-first branding is one of its leading marketing points, all the more so now that it has butted heads with the digital advertising industry over its iOS 14.5 updates. There is something of an inherent assumption that the App Store is a safer place to browse and download than the Google Play Store is. While that may be true in terms of virus and malware risk, the Oxford study indicates that users are just as likely to be profiled and tracked around by targeted ads on either platform.

The study finds that app privacy violations are “widespread” on both platforms, and that “potential violations of US, EU and UK privacy law” can be found fairly readily on both. This is in spite of more stringent app store measures from Apple even before the iOS 14.5 privacy update. Apple’s review process for all apps is more strict, and the company has banned third-party tracking in children’s apps for several years now.

Nevertheless, that very thing is not only occurring but appears to be happening more often than it is with Android apps. The study notes that issues such as this are poorly documented as prior studies of this nature have focused on security rather than app privacy, particularly as concerns tracking for targeted advertising that is technically legal but widely considered to be invasive and a nuisance by end users.

This unique approach was supported by a custom purpose-built tool built to analyze 12,000 apps from each of the app stores. This is particularly groundbreaking in terms of iOS analysis, as Apple’s digital rights management (DRM) protections make it difficult to analyze app code.

Apple app evaluation

One aspect examined by this app privacy evaluation methodology is the use of known tracking libraries. Both platforms had a median number of three tracking libraries, and comparable percentages that contained at least one (88.73% for Android vs 79.35% for iOS). About 3% of the apps on both platforms contain more than 10 tracking libraries. Only a small percentage on both platforms apply data minimization principles, something required by the EU’s General Data Protection Regulation (GDPR).

Another aspect of app privacy is the amount of permissions that apps tend to ask for. At first glance, Android apps request many more permissions. However, the study finds that iOS apps are more likely to request cross-platform permissions that are the greatest risk for access of sensitive user data.

Data sharing in network traffic is another indicative factor. Android apps were almost twice as likely to contact a tracking domain when the app initiates, but the majority of these were contacting Google’s own advertising service; Apple apps are more likely to contact a third-party tracker. This is another area where the companies may be in violation of both the GDPR and the comparable UK privacy bill, as both require that user consent be collected before any third-party tracking takes place.

Another potential legal issue exists due to the frequency of overseas data transfers. Of the companies that user data is sent to, the United States was home to about 93% for Android apps and about 83% for iOS. This could be a problem under GDPR rules as transfers of personal data to the US are currently forbidden unless the individual company has obtained an adequacy decision from EU regulators.

The study establishes that there is no clear “winner” in terms of app privacy, and indeed Android does fall short of iOS in a number of areas. However, the battle is far from being tilted to Apple’s favor. Apple can make the claim that iOS 14.5 and beyond have made a significant dent in this problem, but until the company takes significant steps to curb digital fingerprinting on the platform it is likely that the privacy situation stays as a toss-up between the two mobile giants.