Apple Cracking Down on 'Fingerprinting' With New App Store API Rules (engadget.com)

Apple will soon start cracking down on apps that collect data on users' devices in order to track them (aka "fingerprinting"), according to an article on its developer site. Engadget writes: Starting with the release of iOS 17, tvOS 17, watchOS 10 and macOS Sonoma, developers will be required to explain why they're using so-called required reason APIs. Apps failing to provide a valid reason will be rejected starting in spring 2024. "Some APIs... have the potential of being misused to access device signals to try to identify the device or user, also known as fingerprinting. Regardless of whether a user gives your app permission to track, fingerprinting is not allowed," Apple wrote.

"To prevent the misuse of certain APIs that can be used to collect data about users' devices through fingerprinting, you'll need to declare the reasons for using these APIs in your app's privacy manifest." The new rules could increase the rate of app rejections, some developers told 9to5Mac. For instance, an API called UserDefaults falls into the "required reason" category, but since it stores user preferences, it's used by a lot of apps.
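The mechanism the summary describes is a declaration, not a permission prompt: the app ships a privacy manifest (an XML plist named PrivacyInfo.xcprivacy) listing each required-reason API category it touches together with an approved reason code, and App Review rejects a build whose code uses a category the manifest does not declare. The script below is an added example, not Apple's tooling and not code from the article; it parses a constructed sample manifest, greps constructed sample Swift sources for a short, partial table of symbols that belong to required-reason categories, and reports categories used but undeclared (the failure that gets a build rejected), declared categories with missing or malformed reason codes, and declared categories with no matching use. The manifest key names, category names and the reason codes CA92.1 and 35F9.1 are written from memory of Apple's developer documentation and should be checked against the current list before use; the symbol table is an assumption chosen for the demo and is nowhere near complete. Note what the check cannot do: it verifies that a reason is declared, not that the declared reason is truthful for the app's actual use.

```python
"""Pre-submission lint for Apple's required-reason API manifest.

Added illustration, not Apple's tooling. Key names and reason codes are
recalled from Apple's developer documentation (verify against the current
list); SYMBOL_TO_CATEGORY is a deliberately short, assumed mapping."""
import plistlib
import re

# Constructed sample manifest (PrivacyInfo.xcprivacy is an XML plist).
# It declares UserDefaults with reason CA92.1 (read/write values the app
# itself wrote) and nothing else.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key>
  <false/>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample sources: one reads preferences (declared above),
# one reads the system boot time (NOT declared above), one is clean.
SAMPLE_SOURCES = {
    "Settings.swift": 'let dark = UserDefaults.standard.bool(forKey: "dark")\n',
    "ClockGuard.swift": "let up = ProcessInfo.processInfo.systemUptime\n",
    "View.swift": 'let title = "Hello"\n',
}

# Assumed, partial mapping of API symbols to manifest categories.
SYMBOL_TO_CATEGORY = {
    r"\bUserDefaults\b": "NSPrivacyAccessedAPICategoryUserDefaults",
    r"\bsystemUptime\b": "NSPrivacyAccessedAPICategorySystemBootTime",
    r"\bmach_absolute_time\b": "NSPrivacyAccessedAPICategorySystemBootTime",
    r"\bvolumeAvailableCapacity\w*": "NSPrivacyAccessedAPICategoryDiskSpace",
    r"\bstatfs\b": "NSPrivacyAccessedAPICategoryDiskSpace",
    r"\bactiveInputModes\b": "NSPrivacyAccessedAPICategoryActiveKeyboards",
    r"\b(creationDate|modificationDate)\b": "NSPrivacyAccessedAPICategoryFileTimestamp",
}

# Reason codes look like four hex characters, a dot, and a number (e.g. CA92.1).
REASON_CODE = re.compile(r"^[0-9A-F]{4}\.\d+$")


def declared_categories(manifest_bytes):
    """Return {category: set(reason codes)} declared in the manifest."""
    plist = plistlib.loads(manifest_bytes)
    declared = {}
    for entry in plist.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType")
        if category:
            declared[category] = set(entry.get("NSPrivacyAccessedAPITypeReasons", []))
    return declared


def used_categories(sources):
    """Return {category: set(filenames)} for symbols found in the sources."""
    used = {}
    for filename, text in sources.items():
        for pattern, category in SYMBOL_TO_CATEGORY.items():
            if re.search(pattern, text):
                used.setdefault(category, set()).add(filename)
    return used


def audit(manifest_bytes, sources):
    """Compare declared and used categories; return a list of finding strings."""
    declared = declared_categories(manifest_bytes)
    used = used_categories(sources)
    findings = []
    for category, files in sorted(used.items()):
        if category not in declared:
            findings.append(f"UNDECLARED {category} used in {', '.join(sorted(files))}")
    for category, reasons in sorted(declared.items()):
        if not reasons:
            findings.append(f"NO_REASON {category} declared without a reason code")
        for reason in sorted(reasons):
            if not REASON_CODE.match(reason):
                findings.append(f"BAD_REASON {category} has malformed reason {reason!r}")
        if category not in used:
            findings.append(f"UNUSED {category} declared but no matching API use found")
    return findings


def add_declaration(manifest_bytes, category, reasons):
    """Return a new manifest with `category` declared for the given reasons."""
    plist = plistlib.loads(manifest_bytes)
    entries = plist.setdefault("NSPrivacyAccessedAPITypes", [])
    entries.append({"NSPrivacyAccessedAPIType": category,
                    "NSPrivacyAccessedAPITypeReasons": list(reasons)})
    return plistlib.dumps(plist)


if __name__ == "__main__":
    for line in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(line)
    # Declare boot time with 35F9.1 (elapsed-time measurement) and re-run.
    fixed = add_declaration(SAMPLE_MANIFEST,
                            "NSPrivacyAccessedAPICategorySystemBootTime", ["35F9.1"])
    print("after fix:", audit(fixed, SAMPLE_SOURCES) or "clean")
```

On the sample input the first run reports the boot-time category as undeclared, and the run after add_declaration is clean. In a real pipeline the symbol table would need to cover Apple's full published list (and third-party SDKs, which must ship their own manifests), and the grep would run over the whole source tree rather than an inline dictionary.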

  • by gnasher719 ( 869701 ) on Friday July 28, 2023 @05:17PM (#63722690)
    On one application that I wrote, we needed to know whether the user had changed the clock on their phone or iPad. You can get a notification while the app is running, but nothing if they change it while the app doesn't run.

    Now the interesting thing is that on iOS setting your clock one hour forward also changes the boot time one hour forward. So when the app launched, we checked the boot time and whether it had changed significantly. (It does change by, say, a second, because your clock is not 100% accurate when you get corrections from the time server.) It also changes, obviously, when you reboot, but I only needed to know whether I could trust the clock.

    So that code asks for the boot time, which now needs permission, but what I really want to know is whether the clock has changed (significantly) since I last checked, apart from the obvious one second change every second. So I'd like an API for that please. Not for the boot time which I don't actually care about.
    • Just compare the difference between the UTC time provided by a time server, like time.gov, and the local time on the device. Save the difference in storage, then later, compare the difference against the previously saved difference. No special permissions needed.

  • I'm still undecided between an iPhone or buying an Android phone and installing Lineage OS. Are there apps that refuse to work in Lineage OS, like bank apps?
    • by Charlotte ( 16886 ) on Friday July 28, 2023 @05:27PM (#63722706)

      Say bye-bye to any bank or payment app on a rooted phone. If you need it for work then you're probably out of luck as well if it needs to VPN in for email.

      • You really shouldn't talk out of your ass. Clearly misinformed. Probably an iUser trashing on Android.
        • They act as a DRM which prevents modified apps from running, while also providing methods to detect if a user is running a custom ROM or if the existing ROM has been rooted.

          As Android ROMs ship with a cryptographically-signed immutable system volume and a separate user partition, the latter of which having nosuid, nodev etc. mounts, this means that one needs to make serious changes to spoof being a legitimate, unmodified device for many apps to continue to run as normal.

          This DRM is being encouraged fo
          • Freedom is now reserved only for those who give up Google services and stick to F-Droid as their repository.

            Yep. And I found the F-Droid app to be a bit hit and miss both with and without play services. My phones running the official software have generally been quite reliable, if sometimes outdated. My Moto phone is only getting security updates now, but it's not affecting my life in any way as I'm not eager to have it changing on me.

    • Yes but you can mask root using Magisk

  • Seemingly every Apple product within Bluetooth range broadcasts its unique Bluetooth address. I can easily have a database of unique IDs passing by. Check it out for yourself with AirGuard or similar.
    • Seemingly every Apple product within Bluetooth range broadcasts its unique Bluetooth address. I can easily have a database of unique IDs passing by. Check it out for yourself with AirGuard or similar.

      It's an integral part of how AirTags and Apple's most-excellent ad-hoc and zeroconf "Find My..." feature work.

      You can easily turn it off and hope your Device never gets lost or stolen. . . It's up to you!

    • by teg ( 97890 )

      Seemingly every Apple product within Bluetooth range broadcasts its unique Bluetooth address. I can easily have a database of unique IDs passing by. Check it out for yourself with AirGuard or similar.

      They actually use Bluetooth address randomization [apple.com] to reduce the ability to track using this method.

  • by bubblyceiling ( 7940768 ) on Friday July 28, 2023 @05:23PM (#63722702)
    Good, we need to do more to shut down the predatory advertising industry. Marketing is one thing, but this new internet ad industry is highly detrimental to society.
    • by tlhIngan ( 30335 )

      Good, we need to do more to shut down the predatory advertising industry. Marketing is one thing, but this new internet ad industry is highly detrimental to society.

      Don't worry, the EU will make Apple reverse the decision. After all, those poor EU advertising agencies would be put at a disadvantage because of this rule. After all, Germany is all but one country in the EU [cnbc.com].

      And because of the DMA law, Apple would have to open up the app marketplace, so whatever effect this will have will be short lived.

      • This still means Apple can enforce Notary Service and App Sandbox checks, requiring the exact same security and privacy standards to match what is in their store right now. Developers would still have to educate users on how to safely install their applications from their website, all while competing with an entire library of GPLed FOSS software which would have previously been disallowed on the App Store due to the requirement to also share source code for every release. No EU business will win as a result
    • You actually think this is any more than just posturing? It'll be as effective as the nutrition labels... which is to say not at all.
    • Re:
      by Tony Isaac ( 1301187 )

      this new internet ad industry is highly detrimental to society

      You mean, like the internet ad industry that Apple is engaged in, to the tune of $7.5 billion this year?

      https://www.investors.com/news... [investors.com].

  • Of course

    The apps are competing with Apple's ad business; only Apple can get data on its customers.
  • Given the fact that NSO software has been used by governments to kill journalists, this goes beyond targeted advertising. This will prevent intelligence agencies from following specific people. Given that they have been using Google cookies to track people (https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/), they undoubtedly use fingerprinting to do the same, whether it's by doing it themselves or purchasing the fingerprinting data from dat
  • by Weirsbaski ( 585954 ) on Friday July 28, 2023 @07:28PM (#63722908)
    This is data gained through OS-provided APIs, right? Instead of rejecting the apps, Apple should straight-out lie to the offending apps.

    Can't explain why you need location data? Then half the time the OS says the device is $RANDOM_CITY, and the other half it reports $RANDOM_COUNTRY. Can't explain why you need a list of installed fonts? Then all the OS ever reports is the list of fonts provided in a basic, clean OS install. And of course any pseudo-unique identifiers (like the ethernet MAC addy) get random numbers.

    Besides cutting down on fingerprinting, this would be oddly satisfying.
    • I like this idea - just give the user the option to use total random crud to whichever apps they don't trust - and turn it on by default. Or choose it to profiles adverts you are not interested in. Like, erm, I'm not interested in nappies - so I could set that up for an app - and then see if / where I start getting loads of dog nappy adverts. Wonder if /. is going to profile my (fictional) fascination with dog nappies..
    • Sure, but why? That actually requires work. Look how many people in this thread patted Apple on the back AND THEY HAVEN'T DONE ANYTHING LOOOOL. As I've pointed out elsewhere here, their privacy labels are provably garbage.
