Apple demands app makers explain use of sensitive APIs

Apple has told developers writing apps for its shiny stuff that they will soon have to explain why their programs use certain sensitive APIs. Cupertino claims it's doing so to discourage app makers from trying to track users through digital fingerprinting. "Some APIs that your app uses to deliver its core functionality — in …

  1. Vometia has insomnia. Again. Silver badge

    Really?

    "Apple, Google, and others have taken steps to improve privacy on the web and in native apps"

    Did you actually manage to write that with a straight face?

    If you mean their efforts at maintaining a monopoly on collecting users' data, that doesn't really count, for obvious reasons.

    1. Lil Endian
      Big Brother

      Re: Really?

      "...fingerprinting is not allowed."

      Flabbergasted and speechless[1].

      [1] Oh! How they cheered! :)

    2. chuckufarley Silver badge
      Pint

      Re: Really?

      Straight face or straight whiskey?

    3. Marty McFly Silver badge
      Megaphone

      Re: Really?

      "Apple, Google, and others have taken steps to improve privacy on the web and in native apps"

      The statement is accurate as written.

      "Web and native apps" are where all the rookies play. Squashing their n00b abilities prevents them from growing up and being a threat to the dominant players. Even better to do it under the banner of 'privacy'.

      Tracking users across their devices, mapping their locations, charting their associations...that is where the big kids play. Goopple has a huge and secret market tracking humans (as opposed to users) as they go about their day-to-day activities.

      Advertising is just one part. I'll just bet your health & auto insurance providers would like to know if you stop at the liquor three times a week, and will pay Goopple for that information. Or law enforcement will pay for a dragnet report of everyone who was near when a crime occurred. The list of possible abuses to that data is long & dark, and we should be wary of it all. But for Goopple, that is where the big money is.

  2. karlkarl Silver badge

    "I am using the sensitive API to make more money from the mugs that use my app"

    I am sure this will be enough of an explanation to satisfy Apple. It is the exact same reason as them after all.

    1. CowHorseFrog Silver badge

      "I am using the sensitive API to make more money from the mugs that use my app and here's your 50%"

  3. Anonymous Coward

    I thought I was buying a phone, turns out I was buying a slot machine / spy device.

    If it has the word intelligent or smart in its name, it is neither

  4. Anonymous Coward

    "Apple, Google, and others have taken steps to improve privacy on the web and in native apps"

    Only Apple actively protects privacy as their business model is not depending on advertising revenue and selling user data (as a matter of fact, they have worked out that that protection actually helps their sales). The likes of Google are merely pretending to do so because they otherwise lose the source of their income wholesale through, for instance, annoying privacy legislation.

    There is quite a difference in motivation between those two groups.

  5. An_Old_Dog Silver badge
    Joke

    Explanation Given to Apple for Use of Sensitive APIs

    Just cut-and-paste the output of, "Dear Chat-GPT3: Explain to Apple how my app uses sensitive APIs".

  6. Anonymous Coward

    Fingerprinting? How Much Time Have You Got?

    (1) MAC

    (2) IP address

    (3) User account (AC in this case)

    (4) ...stuff from the cookies from the current session.....

    Ha...then there's the smartphone user....

    (5) Mobile provider

    (6) Mobile provider account

    (7) Mobile phone number

    (8) Details provided when the app was loaded (including items #5, #6, and #7)

    (9) More stuff from current data on your smartphone.....

    (10) GPS coordinates right now

    .....and so on.....

    .....but wait......there's more.......

    (11) Have you done any credit card transactions recently (say in the last few minutes)?

    (12) Have you scanned any QR codes recently (say in the last few minutes)?

    (13) Maybe your Bluetooth client has noticed some "Find My" tags in the last while?

    ....and so on.....

    But....take note....YOU WILL HAVE NO IDEA THAT ANY OF THE ABOVE HAS BEEN REPORTED TO SOMEONE ELSE!!!!

    Quote (William Burroughs): "The paranoid is a person who knows a little about what is going on."

    1. DS999 Silver badge

      Re: Fingerprinting? How Much Time Have You Got?

      Many of those are protected by settings, i.e. if an app isn't allowed to access location then "GPS coordinates right now" are not available. I'm pretty sure no app is allowed to access recent credit card transactions, recent QR code scans (other than ones the app itself scanned if it was allowed access to the camera). Ditto for Bluetooth, an app can be granted access to Bluetooth but that won't tell it if a "find my" tag was noticed an hour ago when the app was not running (so good reason to close inactive apps).

      Not sure about stuff like MAC or phone number. I don't see any reason an app should be allowed to access the MAC address, and if they can it should be hidden behind some sort of permission for "system information" that you would have an opportunity to think twice about granting if it was requested by a game or social media app. I don't think there would be any worry about "fingerprinting" if apps had access to the MAC - they'd just use that and it would be unique for as long as you owned the same phone!

      I'd put phone number in the same category, and it may not be available given I've NEVER seen an app that asks for personal info (for shipping info or whatever) have that field pre-populated. People rarely switch phone numbers these days, even when they switch carriers, so it would be an even better unique ID than the MAC and way better than any "fingerprint".

      1. An_Old_Dog Silver badge

        The Uber-permission (on Android); Equivalent on iOS?

        The most-interesting, most-powerful permission on Android is "Change system settings", via which an app can change any/all other settings (except itself). For security's sake, I have this permission set OFF for all apps. After every software update, I find most apps have re-enabled this setting for themselves, and I have to go through all my apps and turn it OFF, yet again.

        iOS appears to have a similar function, though I'm not finding its name via Google. I found something in Apple's "Developer Docs" which implies its existence (see: https://developer.apple.com/documentation/bundleresources/information_property_list/protected_resources and look under the "Security" heading).

        1. gnasher729 Silver badge

          Re: The Uber-permission (on Android); Equivalent on iOS?

          There’s the “Settings” application which can obviously change all settings, so that must have some special permission that others don’t have.

          In the past, I have _wanted_ to turn WiFi on for users; in the past an iOS app could open the “Settings” app and go straight to WiFi settings, I think nowadays you can only open the “Settings” app.

          So if you have a situation that justifies it, you would show an alert saying “to do xyz, change abc in the settings app”, with two buttons “cancel” and “settings”.

      2. Anonymous Coward

        Re: Fingerprinting? How Much Time Have You Got?

        @DS999

        The point is that the user of any app (or "application" for that matter)....the user HAS NO IDEA about the rich pickings available:

        (1) The data which is actually stored on their device

        (2) The ACTUAL functionality programmed into the app (or "application")

        (3) The ACTUAL possibilities for transmission of harvested data to known (or unknown) third parties

        It's all very well for Apple or Google to pontificate about "design rules" for the app......but who knows? Certainly not the typical user of the device!!!

        Interesting to look at the history of malicious apps being thrown off the local "app store"........thousands of them!! And what about the apps still available??

        This is just more misdirection (aka "marketing") from people who want to (continue to) make money!!!

        1. DS999 Silver badge

          Re: Fingerprinting? How Much Time Have You Got?

          That's why they try to keep improving things, to make it easier for the average user who doesn't understand all this security stuff and will click "OK" at almost any request. By requiring app writers to give a reason to even make the request that would give them this additional power, they protect those users so they don't have to understand it.

  7. SVD_NL Silver badge
    WTF?

    Oh the irony...

    I try to prevent tracking through settings and such, but through the ads I get I can exactly see what other family members are searching for and where they are shopping online...

    The website linked in this article (which I hadn't heard of before but will definitely remember) was a bit of an eye-opener, apparently all the privacy settings I turned on actually make me easier to fingerprint because they are less common options... ironic eh?

    And having a less common language (like Dutch in my case) apparently makes you a lot easier to track as well!

    So to prevent fingerprinting, I should reset my browser to default, make sure not to update too often, and pretend I'm English instead of speaking my native language?

    Frustrating to say the least.

    1. Anonymous Coward

      Re: Oh the irony...

      According to that website, my most identifying characteristics all stem from my being so tight-fisted that nobody else is still using a device this old!

      Which is fine, if it means the advertisers are also told that: "don't bother with this one, he'll not give ye a ha'pence".

      1. doublelayer Silver badge

        Re: Oh the irony...

        What attributes indicate that? For example, if it's that you're using an old browser because your device isn't compatible with an updated one, that is also compatible with someone who doesn't install updates for a very long time, and I've seen those people, so I know they are out there. Also, I don't think they're doing any analysis of what these attributes mean as much as they're storing them to better log what you're doing online. They probably don't know about the age of your device and it will neither prevent them from storing your stuff nor coming to incorrect conclusions about what you might buy and spamming you about them.

        1. Anonymous Coward

          Re: Oh the irony...

          Well, you're a wee ray of sunshine, aren't you?

          I said *if* it means that... - and you go and burst my shiny bubble of hope!

          Anyway, they all get sucked into the PiHole (runs fine on a v2 R'Pi - what, you thought I'd use a v4? Have ye nae bin payin' attention?)

    2. MachDiamond Silver badge

      Re: Oh the irony...

      "And having a less common language (like Dutch in my case) apparently makes you a lot easier to track as well!"

      That's the same thing as releasing health information that includes data on people that have rare conditions and also those that live in areas with a low population density. Anonymizing the data will do little to conceal identities.

    3. Anonymous Coward

      Re: Oh the irony...

      The whole "one in the crowd" advice was always bollocks. Data collection isn't the direct threat to privacy, data linking is. It doesn't matter how "similar" you make your user agent or any other fingerprinting information, there will always be something about your device or the way you use it that is different to everyone else and that's enough when it's combined with other information that's collected in other ways. If you look at these user agent database websites, even the most common user agent strings sit at ~10%.

    4. damiandixon

      Re: Oh the irony...

      Having the referrer as The Register makes us reasonably unique at 0.02% of visitors.

      English as a language, particularly GB gives a reasonable uniqueness. Not as good as Dutch...

      Interesting that device specific reasonably static data is not being used such as IP address. Forget MAC address as mine changes more frequently than IP address.

    5. Flocke Kroes Silver badge

      Re: Oh the irony...

      Apparently about 1 in 600 AmIUnique visitors disable javascript. The proportion is probably much lower among people who do not go to AmIUnique. Lack of javascript blocks access to a long list of attributes which would provide lots of identifying data. For me it does not matter. Websites apparently see an unusual preferred language that combined with no javascript makes me unique. I do not know where that language is coming from. I checked the settings and they show en-GB.

      Lack of javascript wipes out almost all advertising and polls (I do not need to hand over psychometric test answers to find out what Hogwarts house I would be in). Back when I was a PFY, people scored their own purity test results instead of having Zuckerberg do it for them.

  8. chuckufarley Silver badge

    Well, at least the app developers...

    ...Get a loophole:

    Apple will also consider reasons not on its official list through a petition process – the developer must submit a form and convince a company representative that the intended use isn't abusive.

    1. CowHorseFrog Silver badge

      Re: Well, at least the app developers...

      How does Apple know that company actually follows thru with their promise?

      Soon Apple will require outbound networking to flow thru Apple along with Apple's new cloud storage etc APIs. It's the only way.

      1. gnasher729 Silver badge

        Re: Well, at least the app developers...

        There’s a thing called “contracts”. If they catch you actively lying they can close your developer account.

  9. CJ_C

    Data Leaking

    The behaviour whereby when I do a search, my wife gets relevant ads, is surely illegal; a data protection breach? However it has recently become routine again, despite the precautions I take.

  10. Norman Stephens

    How do you know if they really deliver on their promises?
