Google, Meta 'break' Apple's device fingerprinting rules

🌈 Abstract

The article discusses how major tech companies like Google, Meta, and Spotify are allegedly breaking Apple's device fingerprinting rules on iOS devices. It claims that these companies are using certain APIs that can be used for device fingerprinting without properly justifying their usage as required by Apple.

🙋 Q&A

[01] Apple's Device Fingerprinting Rules

1. What are Apple's rules regarding device fingerprinting on iOS?

• Apple mostly forbids device-level fingerprinting on iOS, and requires app developers to justify the use of certain "required reason APIs" that can be used for device fingerprinting.
• Developers must declare the reasons for using these APIs in their app's privacy manifest file, and the data collected from these APIs must stay on the user's device.

2. What are some examples of the "required reason APIs" that can be used for device fingerprinting?

• Examples include File timestamp APIs, System boot time APIs, Disk space APIs, Active keyboard APIs, and User defaults APIs.

3. What is the enforcement mechanism for these rules?

• As of May 1, 2024, apps that fail to include reasons for using these APIs in their privacy manifest file won't be accepted in the iOS App Store.
• However, the article suggests that Apple's enforcement appears to be lax, as developers can simply enter whatever they please in the manifest without Apple reviewing the accuracy.

[02] Alleged Violations by Major Tech Companies

1. What are the claims made against Google, Meta, and Spotify?

• The article claims that these companies are using the "required reason APIs" for device fingerprinting, but are not abiding by the requirement to keep the collected data on the user's device.
• Instead, they are allegedly sending the data off-device, which goes against Apple's rules.

2. What evidence is provided to support these claims?

• The article cites analysis by developers Talal Haj Bakry and Tommy Mysk, who claim to have found that apps like Google Chrome, Instagram, Spotify, and Threads are not adhering to their declared reasons for using the APIs.

3. How has Apple and the companies responded to these allegations?

• Apple did not respond to a request for comment.
• A Google spokesperson said they are looking into the report but did not have an immediate response.
• The article notes that it did not hear back from Meta and Spotify when asked about the allegations.