Researchers found Apple apps still track users when they turn off analytics

So much for "what happens on your iPhone, stays on your iPhone"

While Apple champions itself as a privacy-conscious company, new research reveals several Apple apps collect detailed information about users, even when they turn off tracking.

The news should, unfortunately, not come as a surprise given previous research about Apple’s not-so-private privacy features. For example, Apple’s App Tracking Transparency, which supposedly lets iPhone users tell apps not to track them, doesn’t actually do that much. Now, research shows that the iPhone Analytics setting, which promises to “disable the sharing of Device Analytics altogether,” doesn’t do anything for Apple apps.

According to research shared with Gizmodo from app developers and security researchers Tommy Mysk and Talal Haj Bakry, several iPhone apps, including the App Store, Apple Music, Apple TV, Books, and Stocks, all ignore the iPhone Analytics settings and other privacy settings. Germany-based Mysk and Toronto-based Bakry work for the Mysk software company and frequently share research on the Mysk Twitter account and blog. Regardless of whether users turned these settings on or off, these iPhone apps would send the same amount of data to Apple.

For example, the App Store appears to harvest data for just about everything users do. That includes which apps they tap on, search queries, ads users see, and more. It also sent data about the device users have, including ID numbers, screen resolution, keyboard languages, and more. These data points are all commonly used for fingerprinting, a tracking tactic that gathers a bunch of data to create a digital fingerprint that can be used to track activity across apps and services. Other apps shared data about what users did in those apps, such as which stocks they viewed in the Stocks app.

Notably, the researchers tested other apps for Gizmodo and found that the Health and Wallet apps didn’t transmit any analytics data regardless of the settings.

Mysk and Bakry tested two iPhones, a jail-broken iPhone running iOS 14.6 and a regular iPhone running iOS 16. With the jail-broken iPhone, the duo was able to decrypt the traffic being sent from the phone and examine what was being sent. Part of why they chose iOS 14.6 was because Apple introduced the App Tracking Transparency feature in iOS 14.5, which included the prompt asking users if they wanted to allow an app to track them.

While they couldn’t decrypt the traffic sent from the iPhone running iOS 16 to see what data was being sent, Mysk and Bakry noted that the same apps sent similar packets of data to the same Apple web addresses as what they found on the jail-broken iPhone. Moreover, data was transmitted at the same times and under the same circumstances, and adjusting the various privacy settings made no difference. The similarities suggest that the regular iPhone was transmitting similar data to what the researchers could see on the jail-broken iPhone.

It’s possible Apple doesn’t use the information it receives if the privacy settings are turned on, but then why collect it in the first place? Moreover, Gizmodo notes that Apple’s privacy policy suggests the iPhone Analytics setting doesn’t work that way anyway. Moreover, Mysk and Bakry said third-party apps they test don’t send data when the analytics settings are turned off.

What makes Apple’s data collection particularly egregious is that the company has long promoted itself as the private option. Remember the massive billboards Apple put up around Toronto advertising how it stays out of your business? Anyway, Apple doesn’t think its tracking behaviour is actually tracking. As Gizmodo pointed out, Apple says its “advertising platform does not track you, meaning that it does not link user or device data collected from our apps with user or device data collected from third parties for targeted advertising or advertising measurement purposes, and does not share user or device data with data brokers.” Put another way, Apple’s tracking isn’t tracking because only Apple collects that data, which seems like a very Apple-friendly view of tracking.

Source: Gizmodo

Related Articles