Numerous iOS apps ignore tracking ban
In recent iOS versions, iPhone and iPad users can decide for themselves whether apps are allowed to record their activities beyond the app itself. However, many popular apps apparently do not comply with the guidelines.
This is the result of research by the Washington Post in cooperation with the data protection company Lockdown Privacy, which documents the tracking behaviour of ten frequently downloaded apps. The result: tracking has hardly changed despite the introduction of Apple’s anti-tracking service ATT (App Tracking Transparency). Whether or not users allow the apps to collect data across the board hardly plays a role. In the study, for example, the apps continued to collect IP addresses and device information with which they can uniquely identify users. Among the apps criticised were popular titles such as the game Subway Surfers and the review service Yelp.
Tracking beyond apps and websites
At the end of April, Apple introduced App Tracking Transparency with iOS 14.5. Since then, apps must first ask users for permission if they want to collect their data or activities for advertising purposes – usually this happens when the app is launched on the device for the first time.
However, when tested, apps such as Subway Surfers largely ignored a ban set by users. For example, on iPhones with iOS 14.8 and iOS 15, the game sent 29 specific pieces of information to identify the device to an advertising company called Chartboost without permission. Among them were properties such as the size of free storage space, the volume setting and the battery charge level.
Individually, these data points are not very meaningful; in combination, however, they provide an overall picture that lets advertisers uniquely identify and track individual devices or users across different apps and websites. Users have no way to stop this “fingerprinting” behaviour. Of the apps examined, apart from Subway Surfers, the games Streamer Life! and Run Rich 3D also sent such data to advertising networks.
The advertising ID, known as the “IDFA” (Identifier for Advertisers), is the intended unique identifier for advertisers on iPhones and iPads. Each device is assigned a unique IDFA code, which allows users to be tracked across apps. However, if the user refuses tracking, the app provider has no access to the IDFA. Companies therefore looked for alternative tracking methods, such as fingerprinting.
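The effect described above, where attributes that say little on their own single out a device once combined, can be measured as the size of the "anonymity set" each device hides in. The following Python sketch is an added example, not code from the Washington Post or Lockdown Privacy study; the device population, the attribute names and their value ranges are constructed for illustration.

```python
import math
from collections import Counter

# Constructed population of 1001 hypothetical devices (assumption, not study data).
# Each attribute alone takes only 7, 11 or 13 distinct values.
DEVICES = [
    {"free_storage_bucket": i % 7, "volume_step": i % 11, "battery_bucket": i % 13}
    for i in range(1001)
]


def anonymity_sets(devices, attrs):
    """Count how many devices share each observed combination of attrs."""
    return Counter(tuple(d[a] for a in attrs) for d in devices)


def smallest_set(devices, attrs):
    """Size of the smallest crowd a device can hide in for these attributes."""
    return min(anonymity_sets(devices, attrs).values())


def unique_fraction(devices, attrs):
    """Share of devices whose attribute combination occurs exactly once."""
    sets = anonymity_sets(devices, attrs)
    return sum(1 for n in sets.values() if n == 1) / len(devices)


def entropy_bits(devices, attrs):
    """Shannon entropy (in bits) of the attribute combination over the population."""
    total = len(devices)
    return -sum(
        (n / total) * math.log2(n / total)
        for n in anonymity_sets(devices, attrs).values()
    )


if __name__ == "__main__":
    singles = [["free_storage_bucket"], ["volume_step"], ["battery_bucket"]]
    combined = [["free_storage_bucket", "volume_step", "battery_bucket"]]
    for attrs in singles + combined:
        print(
            f"{'+'.join(attrs):50s} "
            f"smallest set={smallest_set(DEVICES, attrs):4d} "
            f"unique={unique_fraction(DEVICES, attrs):.0%} "
            f"entropy={entropy_bits(DEVICES, attrs):.2f} bits"
        )
```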
Settings had little influence
In its investigation, Lockdown Privacy criticised the fact that almost all apps sent data unchecked to companies that specialise in data accumulation (so-called third-party trackers). Whether the users had allowed tracking or not had no influence on the number of data transfers. Only the intervals of data transfers had decreased, by 13 per cent.
The Yelp review service app, for example, contacted 42 such advertisers with permission. Without tracking permission, the number was reduced to only 39. In both scenarios, this included industry giants such as Facebook, Comscore and Branch. The US app version of the café operator Starbucks did not even ask for permission and always sent data to 21 tracking services – including Google Analytics and Branch.
“When it comes to stopping third-party trackers, ATT is a dud. Even worse, the ability to tap the ‘Ask App Not To Track’ button can give users a false sense of privacy,” Johnny Lin, co-founder of Lockdown and former Apple iCloud engineer, commented to the Washington Post.
No insight
Apple’s terms and conditions prohibit the violation of user decisions. The Washington Post therefore informed Apple that the apps were disregarding them. The company promised to look into the matter and investigate with the app publishers, but even after several weeks, nothing had changed.
The newspaper also contacted the app developers and advertising companies involved. The publishers of Subway Surfers replied tersely: “In order for the game to function properly, some data is passed on to advertising networks”. The rest of the companies either did not reply at all or gave similarly incomplete statements.
According to the authors, the problem lies in Apple’s definition of tracking: Apple only includes data collected by different companies and linked for advertising purposes or for sale to data brokers. Collecting and passing on data for analysis or fraud prevention, on the other hand, is not prohibited. It is sufficient to publicly state that the information is collected for such purposes.
The corresponding settings for ATT can be found on iOS devices under “Privacy → Tracking”. However, as the test results show, this protection should definitely not be relied on. (hcz)