Wednesday, November 9, 2022

Analytics in Apple Apps

Thomas Germain:

The iPhone Analytics setting makes an explicit promise. Turn it off, and Apple says that it will “disable the sharing of Device Analytics altogether.” However, Tommy Mysk and Talal Haj Bakry, two app developers and security researchers at the software company Mysk, took a look at the data collected by a number of Apple iPhone apps—the App Store, Apple Music, Apple TV, Books, and Stocks. They found the analytics control and other privacy settings had no obvious effect on Apple’s data collection—the tracking remained the same whether iPhone Analytics was switched on or off.


The App Store appeared to harvest information about every single thing you did in real time, including what you tapped on, which apps you search for, what ads you saw, and how long you looked at a given app and how you found it. The app sent details about you and your device as well, including ID numbers, what kind of phone you’re using, your screen resolution, your keyboard languages, how you’re connected to the internet—notably, the kind of information commonly used for device fingerprinting.

Tommy Mysk (Hacker News):

It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple.


It’s unclear if Apple still collects analytics data in iOS 16, even when sharing analytics and personalized recommendations are switched off. Regardless, the App Store already knows a lot about our behavior and how we explore apps.

David Price:

But this seems more of a question of intent than one of technology, given that the tracking was happening amid the implementation of high-profile pro-privacy measures. It’s hard to see why Apple would still have been harvesting usage data under iOS 14.6 and then backtracked in a later update without any obvious motivation.

Indeed, if anything Apple has shifted its business model in the opposite direction since the heady days when App Tracking Transparency was being trumpeted as the future of user privacy.

I assume that most of the major third-party iOS apps do this, too. The difference is that, because Apple’s privacy marketing has been so successful, people assumed that it didn’t. Of course, Apple defines things so that it’s not “tracking” if the data isn’t linked to you personally and isn’t shared with other companies. But it still seems a bit creepy and not what you would expect to happen if you’ve turned off analytics and personalized ads in Settings. There’s apparently no switch to prevent iPhone from phoning home.


Update (2022-12-01): Tim Hardwick:

Apple is facing a proposed federal class action alleging that it records users’ mobile activity without their consent and despite privacy assurances, in violation of the California Invasion of Privacy Act, reports Bloomberg.

See also: Hacker News.


3 Comments

I wonder how many people know that their iPhones report to Apple how many phone calls and emails they send and receive (from the App Store Privacy page).

I think Apple necessarily would need to know what you search for and what apps you tap on, because they’re serving the store assets. That said, they could (and should!) leverage Private Relay until you make a purchase, and there’s no reason to track how long you’re looking at individual pages. Frankly, it’s gross. No analytics should mean no analytics, period. There ought to be more than enough Apple users who leave analytics enabled to fulfill whatever misguided goal they’re hoping to achieve with non-consensual collection of analytics. (Somehow Apple software was more functional and reliable before the scourge of analytics in everything all the time… why must everything be so miserable?)

@vintner Apple *claims* these values are used to derive a device trust score. That said, whether we can trust their claims of irreversibility is a valid concern. (I also don’t like the device trust score in general since it seemingly relies on the device being locked down to prevent tampering with the value.)

“To help identify and prevent fraud, information about how you use your device, including the approximate number of phone calls or emails you send and receive, will be used to compute a device trust score when you attempt a purchase. The submissions are designed so Apple cannot learn the real values on your device. The scores are stored for a fixed time on our servers.”
