iOS 17 is currently in beta and expected to roll out to the public in about a month, and when it does Apple developers will be looking at new restrictions on the use of certain APIs. The APIs in question are those that can potentially be misused for user fingerprinting, a common circumvention of Apple’s privacy rules governing data collection for targeted advertising.
The new rules will also apply to the new versions of tvOS, visionOS, watchOS and the forthcoming Mac Sonoma operating system. Apple developers that want to use certain APIs will have to submit an explanation of why they are necessary for program function, and restrict apps to only using them for that declared function.
Apple developers subject to new rules meant to counter user tracking abuse
Apple’s “App Tracking Transparency” (ATT) program fully rolled out with the release of iOS 14.5 in mid-2021, requiring developers to disclose any collection of personal information for targeted advertising and obtain affirmative consent from the user during app installation or updates. If users do not opt in, app developers are not given access to the unique device ID that facilitates personalized advertising. This had an immediate and dramatic impact on ad revenues, and some of the less scrupulous Apple developers shifted to user fingerprinting as an alternative (despite it also being made illegal under the ATT rules).
While user fingerprinting is not allowed (and can get Apple developers banned if caught), it is nevertheless often used as it can be made very difficult to detect. Apple is attempting to address the problem at the API level with its new requirements. Developers will have to explain the necessity of using particular API categories such as active keyboard, disk space, file timestamp, system boot and user defaults. All of these are commonly used to collect unique device signals that can be organized into a profile that tracks individual users across different websites and apps.
Apple developers will have a grace period of roughly six months to declare their reasons for using any of these APIs in the app’s privacy manifest. Reminder emails will start going out to developers in the fall if an app is uploaded without required reasons for the impacted APIs or if a description is not added to the privacy manifest file. The new rules will be enforced beginning in spring 2024 and can cause apps to be rejected or delisted from the App Store if they are violated.
Apple has also taken pains to note that user fingerprinting does not become legal when users opt in to an app’s ad tracking; any account engaging in any kind of fingerprinting at any time on an Apple device will be at risk.
Ongoing user fingerprinting battle has been a challenge for Apple
While the change will not guarantee that Apple developers will stop implementing user fingerprinting, it does at least provide the App Store with another badly-needed enforcement tool.
Facing potential devastation to their ad revenue models with the ATT opt-in rules, some Apple developers opted to test out stealthier forms of user fingerprinting. One of the primary methods has been to bury fingerprinting methods in SDKs that communicate server-to-server, keeping their activity in blind spots Apple has no visibility into. A late 2021 investigative report from the Washington Post identified a number of popular apps that appeared to be engaging in user fingerprinting, based on the large amounts of data they were “phoning home” with and some of the specific data points that could be identified. The report also noted that Apple was often unresponsive to outside security researchers that brought up concerns about the data that some apps were passing.
There are already concerns about how viable this new practice will be, as it relies on Apple developers to accurately self-report what the API is being used for. Follow-up policing will be required to check on this, and there are not yet any details available about how this will be handled. A lack of ability to keep up with the sheer amount of parties abusing the rules has been one of the key weaknesses of the user fingerprinting enforcement system to date.
For their part, Apple developers do have a legitimate concern that the new rules will increase the rejection rate of otherwise innocent apps. The soon-to-be-protected “User Defaults” API is very commonly used by apps to store user preferences, and some developers worry that it will become a source of unwarranted rejections as Apple likely implements an automated screening process to check up on compliance. Apple has said that there will be an appeal process, however, and that developers will be able to submit requests for an independent review of situations that may be mistakes or do not quite fall within the new guidelines.