Reported in a study: Apple's App Tracking Transparency Framework Isn't Foolproof, Allowing Developers to Still Track Users
Apple's App Tracking Transparency (ATT) framework, which was claimed to enhance user privacy by limiting data collection, has been found to have some weaknesses that could allow app developers to continue tracking users. An independent study has pointed out major loopholes in the framework, which Apple introduced late last year. The study also details how Privacy Nutrition Labels in the Apple App Store, which were introduced by the Cupertino company last year, might not be accurate for all apps and could be misleading in some cases.
The group of researchers, which included an independent researcher as well as four computer science experts from the University of Oxford, analysed over 1,700 iOS apps to determine the scope and effectiveness of the App Tracking Transparency framework. After its initial announcement, this privacy feature was delayed due to implementation concerns but eventually rolled out to Apple users in December. The researchers observed that while Apple's decision to force app developers to make tracking an opt-in feature made it more likely for individual users to choose to decline, it's still possible for large-scale companies to track people without them knowing.
"Making the privacy properties of apps transparent through large-scale analysis remains a difficult target for independent researchers, and a key obstacle to meaningful, accountable, and verifiable privacy protections," the researchers said in the 13-page paper.
The researchers found that the ATT framework does make it harder than before for app developers to track users, since they are restricted to the limited Identifier for Advertisers (IDFA). This is one of the reasons that companies including Facebook protested Apple's move before the public release of the framework, citing disruptions to their advertising models.
Now, the study suggests that tracking users, even to a surprisingly granular level, is still possible to some extent. The researchers even found references to Apple itself appearing to engage in "some forms of tracking" and "invasive data practices" despite marketing privacy as a key feature of its products and services.
To understand the loopholes of the framework, the researchers analysed two versions of each of a total of 1,759 iOS apps from the UK App Store: one version from before iOS 14 and one that had been updated to comply with the transparency framework.
"Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting)," the researchers noted.
The researchers also found "real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code" that appears to be violating Apple's policies on privacy and data use.
Of the total 1,759 apps, the researchers said that 74 of them failed during the installation and instrumentation process. Analysis therefore dropped to the remaining 1,685 apps. The researchers noticed that nine of these apps were able to generate a mutual user identifier that could be used for cross-app tracking using server-side code. Those apps used an identifier generated by Alibaba subsidiary Umeng.
Some libraries, including ones from Apple and Google, were also found to be amongst the most widely used tracking tools. As many as 80 percent of the total apps incorporated at least one tracking library despite restrictions imposed by the App Store.
The new system also enabled Apple to track its users more accurately, with a larger share of advertising technologies, the research found.
In addition to the loopholes in the ATT framework, the researchers said that Privacy Nutrition Labels, which have been in place since late 2020, are not accurate in all cases and could be misleading for some apps. The labels appear on listings in the App Store to help users understand what types of data can be collected and used to track them.