Vulnerabilities have been found in Apple’s App Tracking Transparency (ATT) framework that could allow app developers to continue tracking users, even though the framework is supposed to improve user privacy by limiting data collection. An independent study pointed to significant gaps in the framework, which Apple revealed late last year. The study also shows that the App Store privacy nutrition labels, which the Cupertino company introduced last year, may not be accurate for all apps and can be misleading in some cases.
The group of researchers, which included an independent researcher and four computer experts from the University of Oxford, analyzed more than 1,700 iOS apps to determine the scope and effectiveness of the App Tracking Transparency Framework. After its initial announcement, this privacy feature was delayed due to implementation issues, but it was finally rolled out to Apple users in December. The researchers note that while Apple’s decision to force app developers to make tracking an optional feature makes it more likely that individual users will choose to opt out, it is still possible for large companies to track people without their knowledge.
“Making apps’ privacy properties transparent through large-scale analytics remains a challenging goal for independent researchers and a major obstacle to meaningful, responsible and verifiable privacy protection,” the researchers said in the 13-page paper.
The researchers found that the ATT framework makes it more difficult than before for app developers to track users, because it limits their access to the Identifier for Advertisers (IDFA). This is one of the reasons why companies, including Facebook, protested Apple’s decision ahead of the public release of the framework, citing disruptions to their advertising models.
The study now indicates that tracking users, even at a surprisingly accurate level, is still possible to some extent. The researchers even found indications that Apple itself appears to engage in “some form of tracking” and “invasive data practices” despite marketing privacy as a key feature of its products and services.
To understand the vulnerabilities in the framework, the researchers analyzed two versions of a total of 1,759 iOS apps from the UK App Store: one version from before iOS 14, and the other updated to comply with the App Tracking Transparency framework.
The researchers noted that “many applications still collect device information that can be used to track users at the group level (group tracking) or potentially identify individuals (fingerprints).”
The researchers also found “real-world evidence of computing applications accepting a fingerprint-derived identifier through the use of server-side code” that appears to violate Apple’s privacy and data use policies.
Out of a total of 1,759 apps, researchers said 74 failed during the installation and hardware process. The analysis was therefore limited to the remaining 1,685 applications. The researchers note that nine of these apps were able to generate a common user ID, using server-side code, that can be used for cross-app tracking. These apps used an identifier generated by Alibaba’s Umeng.
Some libraries, including those from Apple and Google, are also among the most used tracking tools. Up to 80 percent of all apps included at least one tracking library despite restrictions imposed by the App Store.
The research found that the new system also allowed Apple to track its users more accurately, with greater involvement of advertising technologies.
In addition to loopholes in the ATT framework, the researchers said the privacy nutrition labels, which have been in place since the end of 2020, are not accurate in all cases and could be misleading for some applications. The labels appear in App Store listings to help users understand what types of data can be collected and used for tracking.
“We’ve seen many apps that provide incomplete information or falsely state that they have not collected any data,” the researchers said.