Apple’s App Tracking Transparency Framework Isn’t Foolproof, Study Claims

Apple’s App Tracking Transparency (ATT) framework, which was claimed to reinforce user privacy by limiting data collection, has been found to have some weaknesses that could allow app developers to continue tracking users. An independent study has identified major loopholes in the framework, which Apple launched late last year. The study also details how Privacy Nutrition Labels in the Apple App Store, which were launched by the Cupertino company last year, might not be accurate for all apps and could be misleading in some cases.

The group of researchers, which included an independent researcher as well as four computer science experts from the University of Oxford, analysed over 1,700 iOS apps to determine the scope and effectiveness of the App Tracking Transparency framework. After its initial announcement, this privacy feature was delayed due to implementation concerns but eventually rolled out to Apple users in December. The researchers observed that while Apple’s decision to force app developers to make tracking an opt-in feature made it more likely for individual users to choose to decline, it is still possible for large-scale companies to track people without them knowing.

“Making the privacy properties of apps transparent through large-scale analysis remains a difficult target for independent researchers, and a key obstacle to meaningful, accountable, and verifiable privacy protections,” the researchers said in the 13-page paper.

The researchers found that the ATT framework does make it harder than before for app developers to track users, since they are limited to the restricted Identifier for Advertisers (IDFA). This is one of the reasons that companies including Facebook protested Apple’s move before the public release of the framework, citing disruptions to their advertising models.

Now, the study suggests that tracking users, even to a surprisingly granular level, is still possible to some extent. The researchers even found references to Apple itself appearing to engage in “some forms of tracking” and “invasive data practices” despite marketing privacy as a key feature of its services.

To understand the loopholes of the framework, the researchers analysed two versions of a total of 1,759 iOS apps from the UK App Store: one version from before iOS 14 and another that has been updated to comply with the updated transparency framework.

“Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting),” the researchers noted.

The researchers also found “real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code” that appears to violate Apple’s policies on privacy and data use.

Of the total 1,759 apps, the researchers said that 74 failed during the installation and instrumentation process. Analysis therefore dropped to the remaining 1,685 apps. The researchers noticed that nine of these apps were able to generate a mutual user identifier that could be used for cross-app tracking using server-side code. Those apps used an identifier generated by Alibaba subsidiary Umeng.

Some libraries, including ones from Apple and Google, were also found to be among the most widely used tracking tools. As many as 80 percent of the total apps incorporated at least one tracking library despite restrictions imposed by the App Store.

The new system also enabled Apple to track its users more accurately, with a larger share of advertising technologies, the research found.

In addition to the loopholes in the ATT framework, the researchers said that Privacy Nutrition Labels, which have been in place since late 2020, are not accurate in all cases and could be misleading for some apps. The labels appear on listings in the App Store to help users understand what kinds of data may be collected and used to track them.

“We observed many apps that gave incomplete information or falsely declared not to collect any data at all,” the researchers said.

It was also observed that while the developers of larger apps find it easier to comply with the new policies, less popular apps “may still pose an unexpected privacy risk” due to not declaring their tracking components. The researchers noted that these make up the vast majority of apps available on the App Store.

Gadgets 360 has reached out to Apple for a comment on the study and will update this article when the company responds.

This is not the first time that Apple’s move to restrict app tracking has been found to have shortcomings. Shortly after the launch of the framework, a report by the Financial Times highlighted that app developer Snap had continued collecting data from users. The introduction of the framework and new privacy policies also enabled Apple to grow its advertising business and negatively affected competitors including Google, Meta, Twitter, and Snap.

