Apple cracks down on apps identifying users through device fingerprinting
Apple's App Store has already been rejecting apps that collect user data to circumvent privacy measures, but soon developers will be required to justify their use of certain features.
App Store rules have been updated
With its iOS 14 introduction of App Tracking Transparency, Apple improved privacy for all users, and made life harder for advertisers. Some marketing companies switched instead to more complex ways of identifying and tracking users through the use of device fingerprinting.
In a new update to Apple's developer documentation, though, the company says it is going further. Where a developer wants to use an Apple API that could potentially contribute to fingerprinting, they will have to justify using it.
"From Fall 2023 you'll receive an email from Apple if you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file," says Apple. "From Spring 2024, apps that don't describe their use of required reason API in their privacy manifest file won't be accepted by App Store Connect."
Apple uses the term "required reason API" to distinguish APIs that developers have to justify using, but it also notes that it can change the list as needed.
At present, there are around 30 required reason APIs, and they are applicable across all of Apple's platforms. They cover accessing the keyboard, calculating how much free disk space is left, and determining how long the user's device has been running.
While there are exceptions within even these APIs, Apple's documentation repeatedly says that "Information accessed for this reason, or any derived information, may not be sent off-device."
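As an added example (not from the article or Apple's documentation), here is a pre-submission check that parses a privacy manifest and reports the required reason API categories an app uses without a declared reason. The key and category names are Apple's privacy manifest identifiers; the sample manifest is constructed, and the `used_categories` input is assumed to come from a separate scan of the app.

```python
import plistlib

# Required reason API categories matching the three examples in the article
# (keyboard access, free disk space, device uptime). Apple's list is longer
# and can change, so this mapping is an illustrative subset.
ARTICLE_CATEGORIES = {
    "keyboard": "NSPrivacyAccessedAPICategoryActiveKeyboards",
    "disk_space": "NSPrivacyAccessedAPICategoryDiskSpace",
    "uptime": "NSPrivacyAccessedAPICategorySystemBootTime",
}

# Constructed sample PrivacyInfo.xcprivacy: disk space has a reason,
# boot time is listed with an empty reasons array, keyboards are absent.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>E174.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array/>
    </dict>
  </array>
</dict></plist>"""

def declared_reasons(manifest_bytes):
    """Map each declared API category to the set of reason codes given."""
    root = plistlib.loads(manifest_bytes)
    declared = {}
    for entry in root.get("NSPrivacyAccessedAPITypes", []):
        if not isinstance(entry, dict):
            continue  # ignore malformed entries instead of crashing
        category = entry.get("NSPrivacyAccessedAPIType")
        reasons = entry.get("NSPrivacyAccessedAPITypeReasons") or []
        if isinstance(category, str):
            declared.setdefault(category, set()).update(
                r for r in reasons if isinstance(r, str) and r.strip())
    return declared

def missing_reasons(manifest_bytes, used_categories):
    """Return used categories that have no declared reason, sorted."""
    declared = declared_reasons(manifest_bytes)
    return sorted(c for c in used_categories if not declared.get(c))
```

A category listed with an empty reasons array is reported the same way as one that is absent, since neither describes a reason.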
Read on AppleInsider
Comments
The MacOS kernel is a Sandbox. Getting access to free space is going Blockchain style. I would just like to add - if a kernel is a Sandbox you are 100 percent correct, the API calls are harmless. Why Apple is not giving you access to memory is mind-boggling. Through JavaScript you can do a lot, and Apple admits it for URL. I think the management at Apple are spacing out!! It's out reaching. Good on you b.
It's really a sad day when the predominant business model for app developers is: create a free app which will capture people's attention and then milk them for all the data they're worth while using it. And of course, being scammers who don't understand the meaning of the word "ethics" and feel it's their right to do whatever they please to others for profit, as soon as Apple tries to limit what data they can get, they start doing "clever" things like this (using uptime, free space, etc. to create a unique fingerprint).
For myself, I'll be happy to explain to Apple why I use certain APIs if it means fewer scammers and more genuinely useful apps in the world. Good riddance to a business model which is moving humanity backwards, not forwards.
Kernel - The core of the operating system which manages system resources (CPU time, memory, access to devices, etc) for things which need to use them. Applications typically don't know/care about what happens at this level, and almost never directly interact with it.
Sandbox - A contained environment in which applications run. Applications get their own reserved storage, memory, etc and can't access the resources allocated to other applications (or the operating system). This is typically done at a higher level in the tech stack than the kernel, which has no knowledge of what applications even are. The kernel only knows how to manage access to low level hardware/resources for whatever is using them on the system (could be a device driver, could be a system daemon, could be an application, doesn't matter).
So calling the kernel a sandbox is meaningless. They're two completely separate concepts.
And applications always have access to memory/storage to do whatever they need to. What Apple is doing is limiting apps which ask "how much memory/storage is left on the entire system?". The vast majority of apps don't need to care about how much is left, only that they have access to what they need. The kernel is the only thing which needs to know how to manage memory based on how much is left on the system.
And then you throw in the term JavaScript, an interpreted programming language typically contained within a web browser environment. So the web browser controls what it has access to. Which is typically far less than what a native/non-web application has access to because the web browser can only give it access to things which are common across every single platform it runs on (from tiny embedded Linux systems to Mac Pros). The lowest common denominator of all those systems.
"Apple admits it for URL" - what does that even mean? A URL is an address for a resource on the internet (web page, image, etc). Sure, it's been hijacked as a means for web apps to send data (URL parameters), which are a classic source of buffer overflow security issues, but URLs have nothing to do with how much an app can do on the system.
I agree. Hands down. But when it comes to HTML - Apple cannot control the API, especially with Firefox. That would be trying to control the internet on any Macintosh OS. They've done it on the iOS and people go Android. It's a slippery slope. If you pissed someone off that much that they want to hack you, you must have done something and that has nothing to do with technology. One should concentrate on the 99.9 percent not the 0.1 percent. Yes, Apple should control the API on their Operating System, but HTML... They can't even if they wanted to, they would have to start a new internet. Apple knows that all microprocessors will be the same in a few years. And their pretty privilege will also disappear. The new headset will be the game changer, they will have control.
As for HTML, everything I want to do on the web can be done with standard HTML and JavaScript. None of it requires all the hack JavaScript extensions Google adds to lure web developers into creating web apps which force everyone to switch to Chrome. Reminds me of when Microsoft tried to make its own proprietary version of Java. Obviously Google is "open" with these extensions, but the problem is all the potential for abuse and security problems. And that's why Apple moves slowly with all of these new extensions (or doesn't implement them at all). They can't control the rest of the world, but they can control their own platforms.
The web was never designed to be a general purpose software development platform, it was designed to organize and link information across computer networks. And that's what I use it for: finding and updating information. Communicating via text also fits into this, but if I want to do things like develop software, produce music, play immersive games, etc. I look for native applications because they always provide a much better experience (since they were built using tools and technologies designed for that purpose). Plus they aren't riddled with trackers and other junk which is a security risk.