Apple recently implemented new requirements for iOS developers regarding the justification of using specific APIs that could potentially enable device fingerprinting. However, there are claims that Apple isn’t effectively enforcing these rules for major tech players like Google, Meta, and Spotify.
Device fingerprinting involves gathering data about various device settings and components to create a unique identifier, which can then be used for targeted advertising and other purposes. While some forms of fingerprinting have legitimate uses, such as bot detection, others raise privacy concerns by tracking users online.
Apple’s policy prohibits device-level fingerprinting on iOS, except when explicit user permission is granted. The company now requires app developers to provide reasons for using designated APIs that could be used for fingerprinting. Moreover, data collected through these APIs must remain on the user’s device to prioritize privacy.
Examples of these fingerprint-friendly APIs include file timestamp APIs, system boot time APIs, disk space APIs, active keyboard APIs, and user defaults APIs. Starting from May 1, 2024, apps that fail to provide reasons for using these APIs in their privacy manifest file won’t be accepted in the iOS App Store.
However, developers Talal Haj Bakry and Tommy Mysk claim that major app makers like Google, Meta, and Spotify are not adhering to Apple’s requirements. They allege that these companies are providing reasons for using these APIs but are not keeping the collected data on the device as required by Apple’s policy.
The Register reached out to Google, Meta, and Spotify for comment but received no response from the latter two. A Google spokesperson confirmed that the company is investigating the report but did not provide further details.
While it’s unclear whether these apps are using the collected information for fingerprinting, Apple has identified specific APIs that could potentially be misused for this purpose. Developers must declare the reasons for accessing such APIs, but there appears to be little enforcement from Apple.
Tommy Mysk argues that Apple’s “required reason APIs” may not effectively enhance user privacy if there is no oversight to ensure compliance. Without proper enforcement, these requirements could be seen as mere privacy theater rather than effective measures to prevent fingerprinting.