• Mike McCormick

Did Apple Slay Snoopy Apps?

Updated: May 5



Apple has finally released its controversial App Tracking Transparency privacy feature after months of delays, public threats from Facebook, and government investigations. Apple claims this puts privacy control back in the hands of consumers, slaying the dragon of invasive app tracking for those who don’t want it, as touted in Apple’s promotional video.


Apple’s new feature will indeed improve privacy, but a closer look shows it’s not quite the dragon slayer they brag about, especially when it comes to social platforms like Facebook. And let’s not forget that Apple enabled all this app tracking in the first place, more than a decade ago.


To understand what’s really happening, let’s peek under the hood. App tracking refers here to apps & web sites identifying your device, selling this data to brokers who aggregate it to build a profile of your interests, then market that profile to advertisers. This is made possible by a device ID Apple calls Identifier For Applications (IDFA). It uniquely identifies the device but not the person. However, since many apps and sites ask for personal info, it can be easy to tie a device to its owner.


Apple wasn’t always concerned about app tracking privacy. The predecessor to IDFA was something called Unique Device Identifier (UDID). It was so intrusive that it led to a lawsuit in 2010, so Apple replaced UDID with IDFA in 2012. Now, somewhat hypocritically, Apple has changed its tune; after more than a decade of enabling app tracking, they paint themselves as Privacy Heroes.


Prior to iOS 14.5, it was possible to limit access to the IDFA via a privacy setting called Limit Ad Tracking. However, this setting was off by default, and even if a savvy user found it and turned it on, it didn’t fully eliminate app tracking. What’s new in iOS 14.5 is that apps are forced to ask your permission in order to access your IDFA. Furthermore, there’s a new privacy setting that lets you block all apps from accessing the IDFA, in which case you won’t even see those annoying requests.


What you need to do: (1) Upgrade your Apple mobile devices to iOS 14.5.1. (2) On iPhone and iPad, go to Settings > Privacy > Tracking. (3) On Apple TV, go to Settings > General > Privacy > Tracking. (4) Disable Allow Apps to Request to Track.


Will this eliminate ads? No. Apps and sites that rely on advertising revenue will continue displaying ads on your Apple devices. But the ads will be less targeted because they know less about your habits and interests. This improves your privacy, but could actually make ads more annoying.


Will this eliminate app tracking? No. Apps can still perform so-called “device fingerprinting” to attempt to uniquely identify your device. It’s less accurate than IDFA but still intrusive. Apple could limit this behavior by tightening its App Store rules, but seems unlikely to do so, especially while facing a lawsuit from Epic Games claiming App Store rules are anti-competitive.


Will this hurt Facebook? Probably not. Despite Facebook’s complaints and full-page ads, CEO Mark Zuckerberg has admitted this change may actually benefit his platform. Advertisers who can no longer rely on data brokers for user profiles can turn to Facebook ads instead, which can be targeted based on a user’s social network profile (Likes etc.).

Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.

© 2021 Taproot Security

This site uses cookies for security.

Our cookies do not store personal information.