upvote

points

by regecks18 hours ago |
comments
upvoteby Gigachad17 hours ago|
next
[-]
Seems like in general the iPhone was not designed to avoid fingerprinting from installed apps. Only protection would be avoid installing apps and use the web browser when possible.
reply
upvoteby camkego14 hours ago|
parent|
next
[-]
This. This is why everyone who wants to fingerprint and collect tons of data on end users pushes them hard on installing an app. The amount of valuable data is 10x what’s available in the browser
reply
upvoteby microtonal12 hours ago|
parent|
[-]
And it is not just the fingerprinting, it is also that a good number of people will install an ad/tracker blocker in their browser, but almost nobody knows or cares about the multiple trackers that most apps have.

To make it worse, Apple's naming undermines consciousness about this issue, since they have an option to block cross-app/site tracking (which IIRC blocks access to the advertising identifier), but called it "Allow Apps to Request to Track". A lot of people seem to hold the belief that disabling this option blocks all in-app trackers. It just blocks one way to correlate, but as this app shows, there are other ways to correlate (as well as correlating server-side using IP addresses, etc.).

On this topic, I somehow missed that Apple added a generic URL filtering API to macOS/iOS 26, which extends Safari filtering to the whole OS (well, as long as apps are using Apple's APIs). It's not perfect, but a nice addition to DNS-based blocking:

https://adguard.com/en/blog/apple-url-filter-system-wide-fil...

The author of Wipr added support to Wipr 2 as an extra in-app purchase:

https://kaylees.site/wipr2-whats-new.html#filtr

Aside from technical methods to address this, all this in-app tracking must be a violation of the GDPR, no? I can't imagine this all falls under legitimate interest.

reply
upvoteby 9 hours ago|
parent|
next
[-]
deleted
reply
upvoteby deanishe10 hours ago|
parent|
prev|
[-]
> all this in-app tracking must be a violation of the GDPR, no?

Probably, but we're gonna have to wait for the courts to weigh in for a definitive answer.

Same with the very popular pay-or-accept-tracking model. An Austrian court found it illegal, but we'll probably have to wait for a case to make it all the way to the ECJ.

reply
upvoteby saturn860115 hours ago|
parent|
prev|
next
[-]
Cut your selection of apps and find/build privacy respecting alternatives for the remainder. Im trying to do this. Music is now locally hosted, Youtube is sorta kinda coming along. I've been working on reversing some of my more basic iOS apps to extract the data/endpoints they use and write my own apps. Fable really helped with this and Opus just does not cut the mustard. I hope it comes back. :/
reply
upvoteby p-e-w17 hours ago|
parent|
prev|
next
[-]
The intended “protection” is the ToS, which requires apps to disclose what they are tracking and whether they perform cross-premise tracking.
reply
upvoteby Barbing16 hours ago|
parent|
next
[-]
Ah, that’s funny. Too bad those privacy nutrition labels are only honor system.

They give that one completely up to businesses, then, to devs. They also thought they should let an app maker prohibit screen recording, which might promote development since it protects revenue of e.g. subtitling apps as one example. But end result is you even end up with a black screen when recording the iPhone Mirroring app from a Mac.

Apple owes us a better balance here. iCloud Private Relay for all apps (why only Safari?! and Mail and HTTP) as a start, and plugging some of the privacy holes Loupe exposes. They don’t want us abusing free trials I suppose.

reply
upvoteby paytonjjones16 hours ago|
parent|
prev|
[-]
Often it's not the app itself doing tracking or cross-premise tracking, but data is passed to installed third party SDKs that do.
reply
upvoteby cute_boi16 hours ago|
parent|
prev|
[-]
These days many things don't work on browser. Even reddit is very difficult as we get constant nagging.
reply
upvoteby Gigachad15 hours ago|
parent|
next
[-]
That’s usually a warning the service is malware that wants you to install an app for deeper tracking.
reply
upvoteby water-drummer9 hours ago|
parent|
prev|
next
[-]
LinkedIn is the worst offender imo. I am not gonna list every shitty thing they do that goes away the moment you switch to desktop mode but the worst one is that they keep showing you the same feed for weeks if you're on mobile web.
reply
upvoteby Laurel12347 hours ago|
parent|
[-]
https://browsergate.eu/
reply
upvoteby inigyou7 hours ago|
parent|
[-]
.EU? I'd be scared to publish something like that under EU jurisdiction. I could be fined for full actual damages to Microsoft's reputation and I might even be jailed for defamation.
reply
upvoteby Cider998612 hours ago|
parent|
prev|
next
[-]
Brave blocks those switch to app notices by default.
reply
upvoteby potatoproduct15 hours ago|
parent|
prev|
[-]
old.reddit.com
reply
upvoteby brador14 hours ago|
parent|
[-]
For now but you know they’re coming for that ass.
reply
upvoteby inigyou7 hours ago|
parent|
[-]
It used to be widely thought they were keeping it around because the most important users who actually posted the content preferred it. But they drove all those people away in 2023 by blocking apps except for their spyware one, and everything is posted by LLMs now anyway.
reply
upvoteby dylan60414 hours ago|
prev|
next
[-]
Maybe I'm being really thick, but why is this information that the OS would make available to apps?
reply
upvoteby UqWBcuFx6NV4r13 hours ago|
parent|
[-]
Maybe it’s derived
reply
upvoteby LoganDark12 hours ago|
parent|
[-]
It's probably the app checking the last modified timestamp on some filesystem location that's only touched during setup.

Edit: It's not a last modified timestamp, it's a volume creation timestamp: https://github.com/mysk-research/loupe/blob/2262efd4456ecba8...

reply
upvoteby dylan6043 hours ago|
parent|
[-]
Again, why is this something that an app would need access? The next test under the creation timestamp value is a test for getting the UUID of the volume. Again, why is an app allowed to access the unique identifier? Apple knows this type of thing is precisely what deanonymizing people would drool over, so why is this accessible. What part of iOS would even need to know this for a legitimate purpose? Are these calls using private methods that Apple does not intend for use being abused for purpose? I'm not an iOS dev, so I have no familiarity with this.
reply
upvoteby matthewfcarlson18 hours ago|
prev|
[-]
Is the threat model tracking across multiple apps to correlate what you're doing? In that case, a single app wouldn't show you the fudging.
reply
upvoteby ramses018 hours ago|
parent|
[-]
```Based on a binomial/Poisson distribution and a baseline of 21 million U.S. device sales per release, a fingerprint relying on "seconds since setup" fails to uniquely identify individuals. In the high-density Early Adopter phase, you will share your exact setup second with an average of 1.01 other people (a total matching pool of ~2 people). Six months into the cycle, you will still share that second with an average of 0.68 other people.```

In the U.S., device setup time (to the second) very conservatively gets you clubbed into a single group of 100 individuals as an "advanced persistent threat" tracker. Even compressing activations to "80/20 during business hours" the math kindof maxes out at a pool of ~5 people, and assuming worst case "20x" of that still means you're still pretty darned identifiable.

If you get ~6-8 more bits of entropy (eg: Device Type + Capacity is easily 2-3 bits, and Time Zone is probably another 2-3 bits) you're cooked!

reply
upvoteby withinboredom9 hours ago|
parent|
next
[-]
Reminds me of a meeting I was party to with the Safari team. We worked with them on some standards stuff at an old job. They claimed to have creepy-level tracking of users back then. We were discussing how to identify users for an A/B test across millions of sites and comparing what fingerprints we could both derive to most likely end up on the same user.

If you use a closed source browser. That’s the kinda shit they do.

reply
upvoteby saagarjha7 hours ago|
parent|
[-]
Are you claiming the Safari team is fingerprinting their users?
reply
upvoteby cute_boi16 hours ago|
parent|
prev|
[-]
Just using IP address, device storage, device name, and similar signals, we can identify a user. It isn’t difficult to correlate these data points. Apps like Facebook also force developers to use their SDKs for even small features.
reply
upvoteby ramses07 hours ago|
parent|
[-]
Yeah, but IP address is "obviously" correlated with a distinct/persistent tranche of users. It's surprising that volume c_time is both more persistent as well as more unique than IP.
reply