Friday, September 13, 2019

User Tracking via Custom Fonts

Peter Steinberger:

Firebase Crashlytics installs its own font?


Crashlytics will only install the font for users who have registered to install pre-release apps via the Beta by Crashlytics product. The font includes a unique identifier that allows us to determine that a crash has come from an app distributed via our Beta product.

Ben Sandofsky:

Turns out custom fonts can be abused for tracking users.

Jiang Jiang:

Yes, that is why Safari is not allowing user installed font access, and the new iOS 13 font installation feature always require user consent to access any user install font.

John Gruber (tweet):

Most users, I suspect, would just allow this, thinking fonts are harmless — but at least those of you reading this are forewarned.

3 Comments RSS · Twitter

It wasn’t clear to me from Crashlytics’ tweet that the tracking was at the user or device level. As described, and if taken at face value, it sounded like the crash reports for some reason by default don’t contain information that identifies the software as being part of the beta program. So no beta-unique identifier or version number.

And, I would guess, this means that the special font appears in the CrashReport in some way, if the app is downloaded through this beta program.

On the other hand, it seems like it would be much easier to find a way to vary the release or version numbers accordingly.

They seem pretty up front in that Twitter thread.

We were going for no tester login, so it was a real challenge to make a per-tester identifier available to the app under test.

And they say they don't use the font method any more.

But it does sound like "per-tester" means a specific id in the font? Idk. I'm going to be a little more aware when something asks to download a font now. Should probably review the ones I have on each platform.

>But it does sound like "per-tester" means a specific id in the font?

Yeah, they must be generating a custom font for each person.

Leave a Comment