Scrambling to find a way around Apple’s new app tracking rules, publishers have come up with a fingerprinting technique that is able to fly below the radar. It’s no less against the operating system’s rules than any other method, but it’s more likely to succeed as it hides the forbidden activity on the server side.
“Server-to-server” fingerprinting obscures app tracking activity by blending requests for device information in with legitimate processes, only engaging in the telltale signs of illicit user identification after the data has reached the remote server. While Apple might suspect app developers that request certain profiles of user information of doing fingerprinting, it is very difficult to prove without server access.
App tracking transparency framework pushes desperate marketers to do desperate things
The new App Tracking Transparency framework implemented by Apple (as of iOS 14.5) will require end users to give affirmative consent to be tracked. Developers and publishers believe that the vast majority of the iOS market will not consent, leading to a major loss of ad revenue.
That has put the ad networks in a corner, to the point that the only viable option for some ad-supported apps will be to pull out of the App Store entirely. That is, unless they can find a way to break the rules without being caught.
Device fingerprinting, which identifies devices based on a unique combination of qualities, can virtually replicate the Apple Identifier for Advertisers (IDFA) app tracking functionality that is lost when an end user withholds their consent. Apple has banned all types of device fingerprinting, but detecting it isn’t always a simple matter.
Apple has already begun rejecting apps and blocking updates that make use of SDKs known to engage in device fingerprinting. The response from some developers is to take the fingerprinting process underground. Apple has visibility into what information apps pass back to servers, but the information used for device fingerprinting can also be collected for legitimate reasons of app function that are within the terms of service. Once that information hits the server, it is effectively beyond the reach of Apple. Apps that use server-to-server fingerprinting are essentially moving all of the actual fingerprinting work farther down the chain where Apple cannot see what is going on.
Apple may suspect that an app that is harvesting all sorts of user data is doing so for targeted advertising purposes, but so long as the app has plausible deniability (legitimate reasons for accessing that data) it will require individual investigation. Some advertising companies seem to be betting that they’ll be able to stay one step ahead as Apple struggles to enforce its new app tracking rules.
Fingerprinting being sold to publishers
Apple’s main strategy to counter illicit fingerprinting appears to be relying on app publishers to stay within the rules out of self-interest, refusing to work with SDK developers that pitch what appear to be fingerprinting techniques and possibly notifying Cupertino of them. If the app incorporates fingerprinting and Apple later detects it, it runs the risk of being banned from the App Store.
The weak link in the server-to-server fingerprinting scheme is at the sales end. Most apps do not incorporate their own app tracking code, but instead rely on third-party SDKs provided by marketing specialists. The ad tech marketers will have to sell app publishers on the benefits of their product, and in doing so will likely reveal that they are using banned fingerprinting techniques by promising results that could not be possible otherwise.
Some may be willing to run the risk if the alternative is closing up shop on iOS. Facebook, the most vocal critic of Apple’s new app tracking rules to date, has said that it expects to lose 7% of its annual revenue; insiders have speculated that it stands to lose even more. The ad industry predicts that about 70% of the iPhone market will opt to tune out app tracking when presented with the choice. While Android has a much broader market, Apple users are considered the most lucrative of the mobile phone demographics.
Apple also faces an open challenge to its device fingerprinting rules from China, where the China Advertising Association (representing major figures in the tech industry including TikTok parent ByteDance) has announced that it is developing its own advertising identifier standard that appears to run counter to Apple’s new rules. Apple has already warned Chinese companies that it will not allow any sort of device fingerprinting, but the country’s tech firms may simply keep trying new techniques to track users until they can slip one by (or may be counting on the government to get involved on their behalf.)