
Investigation Finds Apple App Tracking Rules May Be Ineffective; IDFA Blocked, but Apps Frequently Access Other Identifiers

Apple’s new app tracking rules (the App Tracking Transparency framework), set in place with the release of iOS 14.5 several months ago, are supposed to guarantee that users know when they are being identified and tracked by an ad-supported app and are given the ability to opt out. A new study conducted by the company behind the ad blocking app Lockdown and the Washington Post indicates that, at least in the early going, apps are continuing to find ways to identify and track users even after they choose to opt out.

By and large, iPhone apps are respecting Apple’s requirement to not access the Identifier for Advertisers (IDFA) unique to each device. What they are not respecting is Apple’s prohibition on device fingerprinting techniques as an alternate means of app tracking. A number of popular apps have been found to be continuing to send identifying combinations of data points to third-party tracking companies. In addition, ad performance tracking software tied to these advertising networks has been found to allow app developers to override user tracking preferences by simply flipping a toggle switch.

App tracking report finds app developers testing Apple early on device fingerprinting rules

The report scrutinized the permissions and data transfer of 10 popular and frequently downloaded apps, including games that the App Store recommends on its “must play” list.

All of these apps appear to be following the new app tracking rules, informing users upon download that the app would like to use the IDFA to gather information about device activity and use it to serve personalized ads. The apps also allow users to opt out (as required).

In the background, the apps continue to collect a series of data points that can identify the end user in the same way the IDFA does. There are several dozen of these; none is enough to track a user on its own, but they can be combined in unique ways to pinpoint an individual user with a high degree of accuracy as they browse the web or move on to different apps that are plugged into the same advertising network. For example, an app that does device fingerprinting might combine the user’s time zone, language settings, cellular carrier, total storage space on device, audio settings, iPhone model and preferred screen brightness into a profile that follows them around online. Some apps take an even more direct approach and simply access the device name that users are free to customize.
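The following added example (not part of the original article or the Lockdown study) measures how the anonymity set shrinks as the kinds of settings named above are combined, which is the check a privacy reviewer can run over the fields an app is seen sending. The population, attribute names and values are constructed for illustration.

```python
from collections import Counter

# Constructed value lists, not real telemetry. The list lengths are pairwise
# coprime so the toy population is deterministic and easy to verify by hand.
VALUES = {
    "language":   ["en", "es", "fr"],
    "carrier":    ["carrier-a", "carrier-b", "carrier-c", "carrier-d"],
    "time_zone":  ["UTC-8", "UTC-5", "UTC+0", "UTC+1", "UTC+9"],
    "model":      [f"model-{k}" for k in range(7)],
    "brightness": [round(k / 10, 1) for k in range(11)],
}

def build_population(n=1000):
    """Device i takes value i mod len(list) for every attribute."""
    return [{a: vals[i % len(vals)] for a, vals in VALUES.items()}
            for i in range(n)]

def anonymity_sets(population, attrs):
    """Count how many devices share each combination of the given attributes."""
    return Counter(tuple(d[a] for a in attrs) for d in population)

def smallest_set(population, attrs):
    """Size of the smallest crowd any device can hide in."""
    return min(anonymity_sets(population, attrs).values())

def unique_fraction(population, attrs):
    """Share of devices whose attribute combination belongs to them alone."""
    sets = anonymity_sets(population, attrs)
    alone = sum(1 for d in population
                if sets[tuple(d[a] for a in attrs)] == 1)
    return alone / len(population)

def report(population):
    """Add one attribute at a time and record the effect on identifiability."""
    rows, attrs = [], []
    for name in VALUES:
        attrs.append(name)
        key = tuple(attrs)
        rows.append((key, smallest_set(population, key),
                     unique_fraction(population, key)))
    return rows

if __name__ == "__main__":
    for attrs, smallest, frac in report(build_population()):
        print(f"{len(attrs)} attrs  smallest set={smallest:4d}  "
              f"unique={frac:.0%}  {', '.join(attrs)}")
```

A combination is a practical identifier once the smallest set reaches 1, even though no single field in it would raise concern in a permissions review.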

When Apple rolled out its new app tracking rules for iOS 14, it expressly forbade using device fingerprinting as an alternative means of tracking. But so long as app developers keep their promise to not access the IDFA, there remains a great deal of wiggle room inside a cloud of lax enforcement and plausible deniability about what device settings and permissions are necessary for the app’s core functions.

App developers are sending this device fingerprinting data to outside advertising firms; the report names Chartboost and Vungle as two commonly used by popular App Store apps. With millions of apps to oversee, Apple mostly relies on user flagging and reporting to identify apps that might be breaking these rules. But this fingerprinting process is not transparent (or even evident) to the user, requiring an above-average level of technical investigation to identify.

The researchers flagged their findings and sent them to Apple, but reported that after several weeks the company had taken no action. The study found that opting out of app tracking only reduced the amount of fingerprinting activity by about 13%.

Ad industry in open revolt?

The online ad industry by and large leans on personalized advertising because it is much more effective than traditional, more general means. When Apple announced that it was effectively cutting it out of its devices, there was much consternation as these advertisers had no comparable techniques or technology to replace it. This has apparently led many to test Apple’s willingness and ability to enforce its no-fingerprinting rule, something that is difficult to do given that what the apps are actually using this collected personal information for is hidden away from scrutiny on their servers.

Another issue uncovered by the report is that ad performance measuring software appears to allow data brokers to ignore and override user app tracking preferences with little effort or fear of reprisal. Two commonly used pieces of performance tracking software, AppsFlyer and Kochava, have a simple toggle switch that allows the client to ignore user tracking preferences when turned on. The feature is technically allowed because Apple permits tracking without opt-in so long as it stays in the app’s first-party ecosystem; it’s supposed to be used for that circumstance alone, but users of this software appear to be on the honor system. AppsFlyer and Kochava have said that it is Apple’s job to enforce its own rules.

In addition to plausible deniability, advertisers smell weakness on Apple’s part as there has yet to be a significant wave of enforcement action. Apple made an example of a data broker called Adjust, which was caught engaging in device fingerprinting, by rejecting its app updates. However, that was in April, and since then there has been little activity of note from Cupertino on illicit app tracking.