Damn. The "iPhone last setup or erased on ..." is really nasty. What can a user really do about that? I feel like this should be fudged somehow by the OS.
Damn. The "iPhone last setup or erased on ..." is really nasty. What can a user really do about that? I feel like this should be fudged somehow by the OS.
Seems like in general the iPhone was not designed to avoid fingerprinting from installed apps. Only protection would be avoid installing apps and use the web browser when possible.
This. This is why everyone who wants to fingerprint and collect tons of data on end users pushes them hard on installing an app. The amount of valuable data is 10x what’s available in the browser
And it is not just the fingerprinting, it is also that a good number of people will install an ad/tracker blocker in their browser, but almost nobody knows or cares about the multiple trackers that most apps have.
To make it worse, Apple's naming undermines consciousness about this issue, since they have an option to block cross-app/site tracking (which IIRC blocks access to the advertising identifier), but called it "Allow Apps to Request to Track". A lot of people seem to hold the belief that disabling this option blocks all in-app trackers. It just blocks one way to correlate, but as this app shows, there are other ways to correlate (as well as correlating server-side using IP addresses, etc.).
On this topic, I somehow missed that Apple added a generic URL filtering API to macOS/iOS 26, which extends Safari filtering to the whole OS (well, as long as apps are using Apple's APIs). It's not perfect, but a nice addition to DNS-based blocking:
https://adguard.com/en/blog/apple-url-filter-system-wide-fil...
The author of Wipr added support to Wipr 2 as an extra in-app purchase:
https://kaylees.site/wipr2-whats-new.html#filtr
Aside from technical methods to address this, all this in-app tracking must be a violation of the GDPR, no? I can't imagine this all falls under legitimate interest.
> all this in-app tracking must be a violation of the GDPR, no?
Probably, but we're gonna have to wait for the courts to weigh in for a definitive answer.
Same with the very popular pay-or-accept-tracking model. An Austrian court found it illegal, but we'll probably have to wait for a case to make it all the way to the ECJ.
Cut your selection of apps and find/build privacy respecting alternatives for the remainder. Im trying to do this. Music is now locally hosted, Youtube is sorta kinda coming along. I've been working on reversing some of my more basic iOS apps to extract the data/endpoints they use and write my own apps. Fable really helped with this and Opus just does not cut the mustard. I hope it comes back. :/
The intended “protection” is the ToS, which requires apps to disclose what they are tracking and whether they perform cross-premise tracking.
Ah, that’s funny. Too bad those privacy nutrition labels are only honor system.
They give that one completely up to businesses, then, to devs. They also thought they should let an app maker prohibit screen recording, which might promote development since it protects revenue of e.g. subtitling apps as one example. But end result is you even end up with a black screen when recording the iPhone Mirroring app from a Mac.
Apple owes us a better balance here. iCloud Private Relay for all apps (why only Safari?! and Mail and HTTP) as a start, and plugging some of the privacy holes Loupe exposes. They don’t want us abusing free trials I suppose.
Often it's not the app itself doing tracking or cross-premise tracking, but data is passed to installed third party SDKs that do.
These days many things don't work on browser. Even reddit is very difficult as we get constant nagging.
That’s usually a warning the service is malware that wants you to install an app for deeper tracking.
LinkedIn is the worst offender imo. I am not gonna list every shitty thing they do that goes away the moment you switch to desktop mode but the worst one is that they keep showing you the same feed for weeks if you're on mobile web.
https://browsergate.eu/
.EU? I'd be scared to publish something like that under EU jurisdiction. I could be fined for full actual damages to Microsoft's reputation and I might even be jailed for defamation.
Goddamn Yankees are subhuman, you wastes of oxygen are legitimately below cockroaches.
Brave blocks those switch to app notices by default.
old.reddit.com
For now but you know they’re coming for that ass.
It used to be widely thought they were keeping it around because the most important users who actually posted the content preferred it. But they drove all those people away in 2023 by blocking apps except for their spyware one, and everything is posted by LLMs now anyway.
Maybe I'm being really thick, but why is this information that the OS would make available to apps?
Maybe it’s derived
It's probably the app checking the last modified timestamp on some filesystem location that's only touched during setup.
Edit: It's not a last modified timestamp, it's a volume creation timestamp: https://github.com/mysk-research/loupe/blob/2262efd4456ecba8...
Again, why is this something that an app would need access? The next test under the creation timestamp value is a test for getting the UUID of the volume. Again, why is an app allowed to access the unique identifier? Apple knows this type of thing is precisely what deanonymizing people would drool over, so why is this accessible. What part of iOS would even need to know this for a legitimate purpose? Are these calls using private methods that Apple does not intend for use being abused for purpose? I'm not an iOS dev, so I have no familiarity with this.
To stop people from using apps they haven't paid for. As an honest person, if you want to use an app, you'd pay for it. Unfortunately, not everyone out there is honest, and there are various ways to get around having to pay for an app that costs money. Fingerprinting the device lets sellers of software find people who didn't pay for the software but are somehow using it.
Is the threat model tracking across multiple apps to correlate what you're doing? In that case, a single app wouldn't show you the fudging.
```Based on a binomial/Poisson distribution and a baseline of 21 million U.S. device sales per release, a fingerprint relying on "seconds since setup" fails to uniquely identify individuals. In the high-density Early Adopter phase, you will share your exact setup second with an average of 1.01 other people (a total matching pool of ~2 people). Six months into the cycle, you will still share that second with an average of 0.68 other people.```
In the U.S., device setup time (to the second) very conservatively gets you clubbed into a single group of 100 individuals as an "advanced persistent threat" tracker. Even compressing activations to "80/20 during business hours" the math kindof maxes out at a pool of ~5 people, and assuming worst case "20x" of that still means you're still pretty darned identifiable.
If you get ~6-8 more bits of entropy (eg: Device Type + Capacity is easily 2-3 bits, and Time Zone is probably another 2-3 bits) you're cooked!
Reminds me of a meeting I was party to with the Safari team. We worked with them on some standards stuff at an old job. They claimed to have creepy-level tracking of users back then. We were discussing how to identify users for an A/B test across millions of sites and comparing what fingerprints we could both derive to most likely end up on the same user.
If you use a closed source browser. That’s the kinda shit they do.
Are you claiming the Safari team is fingerprinting their users?
Just using IP address, device storage, device name, and similar signals, we can identify a user. It isn’t difficult to correlate these data points. Apps like Facebook also force developers to use their SDKs for even small features.
Yeah, but IP address is "obviously" correlated with a distinct/persistent tranche of users. It's surprising that volume c_time is both more persistent as well as more unique than IP.