To make it worse, Apple's naming undermines consciousness about this issue, since they have an option to block cross-app/site tracking (which IIRC blocks access to the advertising identifier), but called it "Allow Apps to Request to Track". A lot of people seem to hold the belief that disabling this option blocks all in-app trackers. It just blocks one way to correlate, but as this app shows, there are other ways to correlate (as well as correlating server-side using IP addresses, etc.).
On this topic, I somehow missed that Apple added a generic URL filtering API to macOS/iOS 26, which extends Safari filtering to the whole OS (well, as long as apps are using Apple's APIs). It's not perfect, but a nice addition to DNS-based blocking:
https://adguard.com/en/blog/apple-url-filter-system-wide-fil...
The author of Wipr added support to Wipr 2 as an extra in-app purchase:
https://kaylees.site/wipr2-whats-new.html#filtr
Aside from technical methods to address this, all this in-app tracking must be a violation of the GDPR, no? I can't imagine this all falls under legitimate interest.
Probably, but we're gonna have to wait for the courts to weigh in for a definitive answer.
Same with the very popular pay-or-accept-tracking model. An Austrian court found it illegal, but we'll probably have to wait for a case to make it all the way to the ECJ.
They give that one completely up to businesses, then, to devs. They also thought they should let an app maker prohibit screen recording, which might promote development since it protects revenue of e.g. subtitling apps as one example. But end result is you even end up with a black screen when recording the iPhone Mirroring app from a Mac.
Apple owes us a better balance here. iCloud Private Relay for all apps (why only Safari?! and Mail and HTTP) as a start, and plugging some of the privacy holes Loupe exposes. They don’t want us abusing free trials I suppose.