Wednesday, September 29, 2021

App Tracking Transparency Doesn’t Stop Trackers

Johnny Lin and Sean Halloran:

Using the open source Lockdown Privacy app and manual testing, we found that App Tracking Transparency made no difference in the total number of active third-party trackers, and had a minimal impact on the total number of third-party tracking connection attempts. We further confirmed that detailed personal or device data was being sent to trackers in almost all cases. ATT was functionally useless in stopping third-party tracking, even when users explicitly choose “Ask App Not To Track”.

[…]

How could Apple have failed so miserably in stopping third party trackers with a feature named “App Tracking Transparency”? Digging into the answers for this question led us to discover the main cause: Apple’s narrow definition of the term “tracking”.

[…]

Instead, Apple has hijacked the term “tracking” to define it as something highly specific, and they’ve even placed their full definition of it in developer documentation, which of course no average iOS user will ever read. […] Based on our research, we found Apple’s definition of tracking to be misleading, counterintuitive, and confusing for these reasons[…]

[…]

Not only do these trackers allow their clients to break Apple’s rules, but they specifically built features to help their clients easily circumvent Apple’s ATT privacy rules.

Nick Heer:

The disconnect in these findings may be explained by the many apps that are following the rules, particularly those from smaller or independent developers — who cannot afford to incur the wrath of App Review — and from really big developers where it would be obvious if they did not comply. In the middle lies this assortment of apps not quite notable enough to attract attention — at least, until this study came out.

[…]

That aside, I do think the similarities between other permission prompts and the one for app tracking could be misleading. I do not think this is deliberate. But I can see how many people could view their effects similarly, even though the negative option is to “ask” for the app to comply with the user’s request instead of simply disallowing permission.

Matt Wille:

The investigation found at least three iPhone games — popular enough to make it to the top of the App Store charts — sending explicit user data to third-party advertising companies, even after the user has selected the option for their information not to be collected. And Apple has done nothing about those apps’ invasive methods, despite being alerted to them weeks ago.

6 Comments

Apple is a bully who lives by the mantra "Do as we say, not as we do."

@ Ben G: why is the onus on third-party apps not abusing tracking settings on _Apple_?

(On App Review, perhaps, sure. But that doesn't make Apple a bully. If anything, the story here is that Apple isn't _enough_ of a bully on tracking.)

@Sören As with the rest of App Review, it’s kind of a lost cause because there’s no way they can detect if the app sometimes honors the setting and sometimes doesn’t. They can only catch the obvious offenders.

@ Michael: I'm still holding out hope we'll eventually see an outright "prevent this app from accessing the Internet" toggle.

But yes, having Apple verify fine-grained privacy policies isn't very practical.

(One option might be some third-party directory/catalog-style website that shows audits of their own, where they use apps and tell us which unexpected connections they've made, with the payload, where possible.)

@Sören I want that toggle so much. The store should highlight apps that can work offline.

Kevin Schumacher

@Michael @Sören I've found 1Blocker's Firewall feature in v5 to be quite handy in that regard. It doesn't cut off internet access but it does eliminate contact with at least known trackers.

@Sören There is a site like that. https://privacyreview.co/
