59 comments

[ 3.6 ms ] story [ 113 ms ] thread
I use Lockdown for iOS, and Blokada or TrackerControl on Android (they're all very similar, on-device vpn + block list).

Even with tracking disabled, apps will still contact third party ad/tracking servers. Just this morning on iOS:

- app-measurement.com

- play.googleapis.com

- googleads.g.doubleclick.net

- mobile-collector.newrelic.com

- inapps.appsflyer.com

- api.mixpanel.com

- graph.facebook.com (this is a major offender, even if you don't have Facebook apps installed, other apps love to feed FB data)

> It relies too heavily on trusting the very tracking companies that the policies are supposed to be protecting users against: Apple’s definition allows apps to secretly send any and all of your data to third parties, and as long as those third parties publicly claim they won’t link your data to other sites or sell it, it’s not considered “tracking” by Apple. It is a 100% trust-based honor system, which means that the only way for these companies to get caught “tracking” is to literally pen a public confession of guilt or wrongdoing — something that profit-driven companies are not exactly known for doing.

>...

>Not only do these trackers allow their clients to break Apple’s rules, but they specifically built features to help their clients easily circumvent Apple’s ATT privacy rules.

>First, we created a dummy app that used the Kochava tracking service. With just a few clicks, we configured Kochava to violate Apple’s “ATT Opt-Out” by asking it to tracking users across apps (using “IP address” and “User Agent”) for the purpose of ad targeting (“Paid Media”). Basically, Kochava made it really convenient for any app developer to violate even Apple’s narrow definition of tracking.

>We later performed the same test with the AppsFlyer tracking service (which, as previously mentioned, hides the data it sends off your device), and it was even easier to enable “privacy cheat mode” and track users against their consent — all it took was clicking a single button.

Wow.

There's no way for Apple to stop developers watching what users do in their app, if that app has any kind of server backend at all, and no way to stop developers taking that data and doing whatever they want with it. I mean how is Apple supposed to stop developers accessing data on the developer's own servers? So the only way to disincentivize this behaviour is with policies that ban it and the threat of expulsion from the App Store if you're caught.

I know some of these tracking APIs send data to third parties directly, but if that was banned all this traffic would just be re-routed through the app developer's back end so it would just sweep the problem under the carpet.

We can see from history with Facebook that shady dealings with data to third parties has been caught in the past, it's quite possible to get away with it but also we know that it also has a tendency to come to light.

Anyway, what's the alternative?

They could also report this behavior to the appropriate regulators and let them handle the enforcement. Maybe they'll take their time, but they will get there.

In the end this is not a technical problem but a juristical one.

> So the only way to disincentivize this behaviour is with policies that ban it and the threat of expulsion from the App Store if you're caught.

Then despite all of the anger against restrictive App Store policies and behaviors, the App Store is still insufficient to prevent intrusive user tracking.

> Anyway, what's the alternative?

OS-level protections that obfuscate on-device data in such a way that third party apps cannot collect the actual data. Or restricting developer access to that information in the first place.

What specific protection are you envisioning here? An OS that completely locks down access to user input is one that you can't write a useful application for in the first place. Once the OS has handed the program a string the user entered, or a button tap, it can't prevent the program from recording that.
Something like Apple’s user anonymizer patents

https://venturebeat.com/2012/06/20/new-patent-will-apple-clo...

Looks like they have a recent patent for obfuscating location data, too

https://patent.nweon.com/21429

Can you give me an example of a third part app that might need access to on-device data outside the app, but for which obfuscated data would be sufficient?

Let's say I have a calendar app and ask users for permission to access their address book, how would obfuscated address data be useful to the app? Of if I have a navigation app and need access to location data, how would you obfuscate that and still have it capable of navigation? I suspect you haven't thought this through.

Here, Apple has also invented something that has a use case (albeit an edge one) that is applicable: obfuscating visual data from a camera for the purposes of protecting confidential data (from guest users, presumably): "Obfuscating the display of information and removing the obfuscation using a filter"

https://www.patentlyapple.com/patently-apple/2012/01/apple-w...

https://patents.google.com/patent/US20110206285A1/en

And a follow-up: "gaze-dependent visual encryption"

https://appleinsider.com/articles/20/03/12/gaze-detection-ma...

And even more articles:

https://www.patentlyapple.com/patently-apple/2011/05/apple-w...

https://www.patentlyapple.com/patently-apple/2011/08/apple-i...

I know obfuscation is possible, that’s fine, but you’re not answering my question. How is that applicable in this case?

Can you give me an example of how obfuscation prevents an app, with access to data it needs to function, from sharing that data with the developers. Because as far as I can see it’s irrelevant to this issue.

Wait a second, TFA itself talks about how obfuscation can limit the service area of data that third party apps can phone home with.

> Trackers can’t send data that they don’t have access to, so the most direct technical fix is to limit or eliminate app access to information that is used to fingerprint devices. In iOS 15, apps are allowed unlimited access to device data that are totally irrelevant to their functionality. For example, why would any app need access to the exact second that the user last restarted their iPhone? And why does iOS give apps access to this data in such a high degree of precision? Data such as an iPhone’s remaining battery and screen brightness (both accurate to 15 decimals), or an iPad’s remaining free space (down to the byte), serve no legitimate, non-fingerprinting purpose for most apps. And for the rare app that might need this level of precision, App Review should approve the usage on a case-by-case basis.

Even without App Review, Apple could build into the API the explicit use of a permission requests system (extending beyond the current one), that itemizes all of the types of permissions a developer can ask (to complete specifics), add that to the existing section in the Info.plist, and expose that to the user when downloaded into a UX that goes into specific details about what the user is exposing. Better yet, to turn off features as granular as access to "what keyboards are on this device."

Apple could build GDPR into its system itself, while obfuscating the data it leaves out, as with some of the aforementioned links. So I see now obfuscation is only part of the puzzle, the rest is making the permissions system even more robust.

> the only way to disincentivize this behaviour is with policies that ban it and the threat of expulsion from the App Store if you're caught.

If the claim is that only App Store review is sufficient, then the App Store does not go far enough. The article states "Apple also needs to take a hard line against closed-source trackers — especially the ones that further encrypt the data they’re sending to third-party servers [...] the only way to ensure the tracker isn’t stealing any of this, is for the tracker to reveal their source code." Mandate that tracking APIs and libraries must either be open source, or make themselves open to App Store review. If not, then the App Store is just a fig leaf, a half-measure.

They already have heavily locked down permissions for various forms of on-device data outside third party apps. That was put in place years ago. This is mainly about in-app activity tracking and sharing that with third parties, not data outside the app. They are separate issues.
> I know some of these tracking APIs send data to third parties directly, but if that was banned all this traffic would just be re-routed through the app developer's back end so it would just sweep the problem under the carpet.

I quit a job over this. I don't remember exactly which service it was we were using (mixpanel maybe?) and we found out some users where blocking access to service servers (either at router level or something else). The solution? make a proxy api endpoint that would just re-route the calls to the service.

I beg and begged, saying 'look, these are users that specifically blocked 'service', lets respect that and get our data from the users that haven't' (this was before the Apple privacy changes a couple years ago). I was steamrolled because they knew better than users. I handed my notice the moment the ticket landed in the board.

That’s awesome that you quit over that. Good on you.

I care deeply about this stuff, and I’ve read a couple of contemporary public studies - both corporate and state funded - that suggest that end-users really do care about this stuff too, and that abandonment due to poor privacy policies can be on the order of 40%. Forty percent!!

So I started my last business with this in mind: a pro-privacy fintech business. We were gonna be proud of our privacy policy and implement it using technical means.

But the moment the investors came along, I got stonewalled. They didn’t care about the research. They didn’t care about the users. They just had this belief that a user friendly privacy policy would somehow hurt the business and they refused to commit to what I saw as a key advantage of the product. Our privacy policy was a nightmare. We had almost nothing to give users.

I quit too, and to this day, I have no idea what could possibly be worse than 40% abandonment in a sales oriented fintech.

I feel like investors have too much influence in business decisions they don't quite understand. I understand that it's their money at risk, so they want the greatest return in the least time, but their excessive influence has soured many great things.

Maybe something like small stockholders would work, as they are not even allowed to vote in the direction the company takes, so their only influence is selling stock (voting with their wallet). It would certainly widen the door for fraud, but it's not like fraud in uncommon with the current system, and I'm tired of seeing how this tale keeps repeating in practically any area of commerce.

I agree. Investors are conservative, but changing the world isn’t.
More than conservative, they're voracious. Some investments fail, and others don't, and they want to extract maximum value of the latter without stopping to understand why did they work. Consequently, they slowly turn the latter into the former.
Yeah I 100% agree. None of the people involved in my last business have any interest in understanding how they fucked up. They blame me, because I kept pointing out that what they were doing was not going to work. It didn’t work - and somehow that’s now my fault!
>all this traffic would just be re-routed through the app developer's back end

If it's any consolation, running a proxy at least increases the baseline cost of using 3P trackers. User telemetry and other data is small, but for popular apps that adds up and gets factored into the equation on whether or not to use 3P.

Seems like the solution would be for Apple to blanket ban any service that has this option to break the rules. Go nuclear on the analytics/tracking SDK's so that none of them even allow this to go on.
It must be effective at stopping something, right? Otherwise why is Facebook revenue suffering?
I thought Facebook was having people leave their platforms over the last year.
Facebook told investors publicly that the Apple privacy measures cost it something like $10 billion.

Though I may be remembering that wrong. It was discussed extensively on HN at the time.

Shocker: Company CEO blames outside forces for reduction in profits rather than admitting the truth...
Their CFO said this, not CEO. Are you suggesting their CFO committed securities fraud by lying to shareholders?
My mistake, but yes I am.
Facebook follows the rules because they are a big target, others not so much...
Yeah, FB has much more to lose than a margin hit if it were blocked from iOS.
It's weird that former Apple engineers don't explain how IDFA which is blocked by answering "ask app not to track" works. It is the only thing that's prevented by Apple, and the rest lies on the developer. Try to circumvent it, and risk ban (of course some apps are still trying, driven by their risk/reward calculations but bans aren't unheard of).

Another thing, the "ask app not to track" doesn't mean that data won't be collected. It means that this particular user must not be identifiable across different apps / web sites, even if personally identifiable data is being sent. Authors completely ignore this point.

It is the only thing that's prevented by Apple, and the rest lies on the developer.

It is the major visible prevention method.

App developers who track anyway live in fear of Apple finding out and executing its nuclear option: banning them from the App Store.

Smart companies don't risk $10,000,000 in app revenue in order to sell $10,000 in user data.

When your company makes Apple $3m, you cease to become someone casually banned by Apple, and rather a quasi-partner with some leverage. Epic’s ban from the App Store was deliberately engineered by that company’s leadership to force a legal challenge and to garner public attention; most companies of that size with apps on the App Store are met with more kid glove treatment by reviewers.
I'd imagine the threshold is a lot higher. Remember that Apple is in the end a hardware company and it makes sense to give up revenue/pay a fair bit for the legwork of their privacy marketing.
You're not much of a partner at 0.0008% of yearly revenue. Now if a Netflix or Spotify was caught with a hand in the forbidden cookie jar, I'd expect the solution to be more diplomatic than straightforward perma-ban. If not for directly financial reasons, because their iOS user base would feel the void of these apps missing, unlike "Casino Slots 3D - Dolphin Edition".
Fine, the numbers should be inflated a bit, but the original post was most likely referring to Netflix and Spotify anyway, as opposed to whatever mid-tier companies make $10m annual app revenue somewhere in the vast gap between FANG and Casino Slots 3D.
Sorry I was just being snarky with the trash app mentioned, I could've done without it I just had a talk [0, fun one] in the back of my head when writing. There must indeed be hundreds (dozens?) of companies which fall in a grey area that Apple wouldn't be inclined to ban straight up at first offense.

0: https://www.youtube.com/watch?v=E8Lhqri8tZk

Nah, I quite appreciated it. It amuses me quite a bit how bizarrely specialized a lot of trash software are, which mobile platforms tend to heighten. From blatantly fraudulent ads that depict bogus gameplay, to Dr. Phil shilling Solitaire Grand Harvest on his show, the plain tawdriness of the trash app game ecosystem is fascinating. And who even wants to play slots on their phone anyway?
Those Dr. Phil 4 minute sponsors for Solitaire Grand Harvest kill me just thinking of it with those "live demos". I find it absolutely hilarious, yet simultaneously depressing to think how many people watching him will fall into a trap like and proceed to burn their money on - which is assuredly an unfathomable amount given his show's size and the duration of the ads.

I also have no clue why those apps work (aside from the vague notion it triggers our lizard brains to gamble even with fake money), but I'd sure recommend you listening to the linked talk if the subject entertains you, I had found it really interesting and the speaker is a great story teller (IMO anyway).

The vast, vast majority of money made on the AppStore is made by mobile games. Everything else is just a rounding error.
Uber was famously caught trying to circumvent reviewers to hide their device fingerprinting and the result was a phone call from Tim Cook threatening them, but not outright removal. At the time I'm not sure if any profit from Uber actually flowed to Apple either.

https://www.theverge.com/2017/4/23/15399438/apple-uber-app-s...

I do think these ubiquitous "mega-apps" (whatever the word is) hold leverage on Apple as well. Telling their billion users they can't access an app like Uber because they broke some privacy rule or stood their ground on the Apple tax could be a hard sell. Although obviously not impossible like we've seen with Fortnite (not that I'd rank it alongside the Uber/Netflix/Spotify/YouTube and co of this world).
Even a threatening phone call is at least Apple treating an app developer with enough regard to actually include human interaction in the process (from the CEO, no less), as opposed to a boilerplate two sentence non-explanation for rejection. That only applies to the makers of apps with enough users to warrant a personal touch.
I doubt any company who abused data tracking on App Store would be surprised by a rejection email. The only question they will have is "what exact part of our tracking they noticed?"
So, FWIW what Uber was doing was flagging if banned iPhones had been wiped and reset. Apple actually gave Uber specific APIs to persistently flag iPhones as banned (as part of DeviceCheck).
Apple could start allowing users to disable internet access for an app.

Before that happens Apple's privacy campaign is just a lot of hot air.

Expect "Please enable internet access to use this app" popup messages in this case. A lot of apps already do this with camera/photos access.
Apple could ban that if they wanted to. Basically just require that as much functionality as possible should work without internet.
> A lot of apps already do this with camera/photos access.

And location, including demanding “precise” tracking (why does Apple even let them detect that?)

Given the need for almost all apps to have network access, I feel like this would become another website cookie popup that people just click through.

i.e. Has the right intentions but just ends up forcing a worse user experience for everyone.

I think you can prevent network access for an app over Wi-Fi on iPhones sold in China, but for some reason this feature hasn’t been made available globally. For now the only option is to disable cellular for an app and disconnect from Wi-Fi.
You can already do this if you’re using cellular internet and not Wi-Fi under Settings > Cellular and then turn the button off for a specific app.
I think the core thing here is that in a lawsuit a user can now point to an explicit action that they took, and the apps decision not ignore that decision, despite having agreed to obey that decision as part of the use of that app.

The fact that stuff like this isn't caught in the automated portion of review is fairly appalling though.

Anyone know how Lockdown is funded? The app is free and open source so how are they able to make money and operate?

Someone on HN wrote that they always look at how a company is funded before engaging with them so they know where their incentives are. I thought that's a pretty good idea and am trying to apply the same idea here.

I can find the backstory but I don't know how the company is able to operate and continue developing.

They try to upsell VPN services in addition to the free tracker-blocking. They charge $59/year for iOS and $99/year for all Apple devices (according to my app settings). Unfortunately the VPN doesn't support Android or Windows, so I can't use their paid product.
Dumb question: Why don't we just use fuzzing instead of privacy? e.g. the tracking APIs are just filled with noise data when you want to not be tracked? It seems the big issue is that companies doing the tracking know the data is there and then use it inappropriately. What about just giving them garbage data instead?
Specifically for location data, I would love to be able to toggle between actual GPS location and a specified location (e.g. Mountain View CA) that I can set manually.