iPhone apps and games track you, even if you ask them not to

Apple's App Tracking Transparency feature blocks access to a device's advertising ID, but apps don't need it to track you

Surprise, surprise: it turns out some iPhone apps still track users even when they use Apple’s new App Tracking Transparency feature to avoid being tracked.

For those who may not be familiar with it, Apple added App Tracking Transparency in an update to iOS 14 earlier this year. The feature lets users block apps from accessing their device’s Identifier for Advertisers (IDFA), a sort of advertising identification number tied to a device. The change should prevent apps from sharing data gathered about you from your iPhone or iPad with third-party companies (for example, Instagram could still share data with Facebook since they’re the same company).

Unfortunately, what should happen and what does happen are often completely different things. And according to an investigation from The Washington Post in conjunction with privacy-focused app developer Lockdown (via Input), some apps and games ignore users’ settings.

Of the ten apps studied, Lockdown found that none stopped tracking when users asked not to be tracked. The investigation found at least three popular iPhone games, including Subway Surfers, sent user data to third-party advertising companies, regardless if users had enabled App Tracking Transparency. Worse, the investigation found that Apple had done nothing to stop it, despite being alerted to the issue.

Blocking IDFA access doesn’t matter because apps can fingerprint users with other data

Here’s the thing — blocking an app’s access to your IDFA actually works, in the most barebones, basic way. The apps studied in the investigation didn’t have access to users’ IDFA and didn’t use it for tracking. Instead, they effectively created their own IDFA for devices by gathering various other metrics.

Going back to the Subway Surfers example, the investigation found it sent 29 data points about users’ devices to an ad company called ‘Chartboost.’ Some of the data points included users’ IP address, remaining free storage, current volume level, accessibility settings, device name, time zone, country, carrier and more.

Gathering a bunch of device data like this is actually a common tracking tactic called fingerprinting. By gathering a large amount of seemingly innocuous data about a users’ device, companies can effectively track that device (and, by extension, the user) across various apps and platforms.

Few of the developers behind the apps responded to requests for comment from The Washington Post. However, Subway Surfers developer Sybo did, and claimed it gathered the data “for the game to function properly.” While maybe some of the data points could help the game work — for example, getting accessibility settings could help the game accommodate users who rely on those options — most of the data should have no impact on the function of the game.

Apple needs to do more if it wants to be a privacy-first company

More than anything, the investigation demonstrates that Apple’s App Tracking Transparency feature is, ultimately, not that helpful. Worse, it may even be detrimental by lending users a false sense of security. Apple’s effectively telling users that they don’t have to worry about being tracked if they enable the feature. App Tracking Transparency also bolsters the company’s privacy-first image — I’ve seen plenty of social media posts about how App Tracking Transparency convinced people to switch from Android to iPhone to improve their privacy.

If Apple were really serious about privacy, it would add fingerprinting protection to iOS to reduce or hopefully stop tracking practices like this. In its current form, App Tracking Transparency is, at best, shallow marketing. At worse, it’s detrimental to user privacy by tricking people into thinking they’re protected when they aren’t.

Source: The Washington Post, Lockdown Via: Input