Apple toughens up app security with API control

Apple is at war with device fingerprinting — the use of fragments of unique device-specific information to track users online. This fall, it will put in place yet another important limitation to prevent unauthorized use of this kind of tech.

Apple at WWDC 2023 announced a new initiative designed to make apps that do track users more obvious while giving users additional transparency into such use. Now it has told developers a little more about how this will work in practice.

Eagle-eyed watchers will know this is a continuation of a war against tracking Apple launched when it limited website access to Safari browser data in 2018, and then again with iOS 14.5 in 2021, when it required developers get users’ express permission to track them. This has been a successful move and at present just 4% of iPhone users in the US permit apps to track them this way.

That statistic alone should convince any skeptics that Apple’s customers really want protection of this kind.

The new move takes aim at another set of tools used to track users, so-called fingerprinting. In brief, every device shares certain unique information that can be used to identify it. Such information might be screen resolution, model, even the number of installed apps. That data can be used to identify a device and track its journey between apps and websites. Of course, devices don’t move alone, so this same data can also be used to track users, and Apple absolutely rejects that.

Some APIs (Application Programming Interfaces) Apple and third parties provide to developers to enable certain features in their apps also provide information that can be abused for device fingerprinting.

As a result, at WWDC it told developers that in future use of such APIs will be subject to review and must also be shared with customers in the App Store privacy manifest for those apps. The idea here is that developers must prove a legitimate need to use those APIs, while customers get information to help them identify any apps capable of spying on them.  

It is worth pointing out that some of these controlled APIs may seem relatively minor. User Defaults, for example, is used to apply and carry user preferences for app colors or setting. However, distinctive information of that kind is precisely what is used to track devices, so there seems little harm in insisting developers overtly define their use, and where that data goes. One way such data is also used is to transfer settings between a developer’s own apps, but Apple has clearly seen instances in which some such uses have been problematic.

While there’s a quantity of bloviation in reaction to Apple’s latest announcement, most developers concede the changes are relatively minor. Developers building apps for Apple’s platforms that rely on these APIs must disclose that use when updating or submitting their apps as of fall 2023. The reasons given must be approved and the information given must be accurate; this won’t be a big problem for reputable developers, particularly those who already value user privacy.

Ultimately the idea behind this is to provide a confirmation that the code is only used for a legitimate purpose, so customers can make  more educated decisions when installing apps. The complete list of these controlled APIs is available on the company website.

From spring 2024, the regime gets tougher; at that time, the reason for using one of these APIs must be included in the privacy manifest.

That’s not to say every app using one of these things is a bad app. Apple admits as much when it says it will accept software that uses these codes for a valid reason. It is also not clear the extent to which these disclosures will be policed. Will Apple’s app review teams take a deep look at any such apps before approval? If they do, might this delay publication of otherwise benign apps?

That’s possible, but it does mean that Apple is making it increasingly difficult for application developers to mask privacy-eroding practices in their apps without at some point being forced to falsify elements of their privacy promises. If nothing else, this will make it far easier for Apple to evict apps that fail to honestly reveal their privacy practices.

It’s important also not to allow conversations about these matters to be side-tracked to the needs of advertisers and others who may feel they are making legitimate use of tracking and fingerprinting technologies. Given the challenges of online security and increasingly complex phishing attacks against high-value targets, personal data privacy becomes critical to protect business and infrastructure. Tools designed to track people online or in apps can be abused to create convincing attacks, and security across all its platforms is now one of Apple’s primary aims.

With this in mind, tracking tech must inevitably be replaced by more private measures of intent.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

http://www.computerworld.com/category/security/index.rss

Leave a Reply