Apple’s App Tracking Transparency (ATT) framework, which was claimed to enhance user privacy by limiting data collection, has been found to have some weaknesses that could allow app developers to continue tracking users. An independent study has pointed out major loopholes in the framework, which Apple introduced late last year. The study also details how Privacy Nutrition Labels in the Apple App Store, which were introduced by the Cupertino company last year, might not be accurate for all apps and could be misleading in some cases.
The group of researchers, which included an independent researcher as well as four computer science experts from the University of Oxford, analysed over 1,700 iOS apps to determine the scope and effectiveness of the App Tracking Transparency framework. After its initial announcement, this privacy feature was delayed due to implementation concerns but eventually rolled out to Apple users last year. The researchers observed that while Apple’s decision to force app developers to make tracking an opt-in feature made it more likely for individual users to choose to decline, it’s still possible for large-scale companies to track people without them knowing.
“Making the privacy properties of apps transparent through large-scale analysis remains a difficult target for independent researchers, and a key obstacle to meaningful, accountable, and verifiable privacy protections,” the researchers said in the 13-page paper.
The researchers found that the ATT framework does make it harder than before for app developers to track users, since they are restricted to the limited Identifier for Advertisers (IDFA). This is one of the reasons that companies including Facebook protested Apple’s move before the public release of the framework, citing disruptions to their advertising models.
Now, the study suggests that tracking users, even to a surprisingly granular level, is still possible to some extent. The researchers even found references to Apple itself appearing to engage in “some forms of tracking” and “invasive data practices” despite marketing privacy as a key feature of its products and services.
To understand the loopholes of the framework, the researchers analysed two versions of a total of 1,759 iOS apps from the UK App Store: one version from before iOS 14 and the other one that has been updated to comply with the updated transparency framework.
“Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting),” the researchers noted.
The researchers also found “real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code” that appears to be violating Apple’s policies on privacy and data use.
Of the total 1,759 apps, the researchers said that 74 of them failed during the installation and instrumentation process. Analysis therefore dropped to the remaining 1,685 apps. The researchers noticed that nine of these apps were able to generate a mutual user identifier that could be used for cross-app tracking using server-side code. Those apps used an identifier generated by Alibaba subsidiary Umeng.
Some libraries, including ones from Apple and Google, were also found to be amongst the most widely used tracking tools. As much as 80 percent of the total apps incorporated at least one tracking library despite restrictions imposed by the App Store.
The new system also enabled Apple to track its users more accurately, with a larger share of advertising technologies, the research found.
In addition to the loopholes in the ATT framework, the researchers said that Privacy Nutrition Labels, which have been in place since late 2020, are not accurate in all cases and could be misleading for some apps. The labels appear on listings in the App Store to help users understand what types of data can be collected and used to track them.
“We observed many apps that gave incomplete information or falsely declared not to collect any data at all,” the researchers said.
It was also observed that while the developers of larger apps find it easier to comply with the new policies, less popular apps “may still pose an unexpected privacy risk” due to not declaring their tracking components. The researchers noted that these make up the vast majority of apps available on the App Store.
Gadgets 360 has reached out to Apple for a comment on the study and will update this article when the company responds.
This is not the first time that Apple’s move to restrict app tracking has been found to have shortcomings. Shortly after the launch of the framework, a report by the Financial Times highlighted that app developer Snap had continued collecting data from users. The introduction of the framework and new privacy policies also enabled Apple to grow its advertising business and negatively affected competitors including Google, Meta, Twitter, and Snap.