iOS: Apps persist data after full deletion
For example, if I delete whatsapp or instagram, choosing to delete all data, then restart the phone and reinstall the app, it will automatically know my account.
So there is clearly a persistence mechanism that it uses.
I tried to understand which one.
- UIDevice.identifierForVendor Apple clearly states this identifier is changed as soon as all apps from the same vendor are deleted. that's what I tested, so this identifier is not the culprit
- DCDevice.generateToken This only stores 2 bits on the device, so not enough to store a username
- Keychain services (password) I checked in the password app, no password was saved for these app
- iCloud Keychain I turned off this feature
Does anyone know the technical way apps persist data even after total deletion? One of the big appeals of Apple to me is privacy, so I'd like to understand this...
6 comments
[ 3.0 ms ] story [ 24.2 ms ] threadOn iOS, certain things intentionally survive app deletion, most notably the Keychain. Credentials stored there are not removed when you delete an app, by design. I mean, it is shared with web login, and apps do have associated domains.
I'd have to check if apps can read your phone number, I think they can, that's one of the standard UUIDs for a lot of messenger apps.
And apps from the same group can have a shared set of preferences. Or could: I never needed to add that feature to any app I've worked on, so if it was ever removed (or if I misunderstood the mechanism) I never found out.
Now, back in the iOS 4 (5?) era I did manage to get the horrifying situation where a factory reset(!) device was still getting push notifications for my twitter account (with no app installed), so I won't say nonsense can't happen (and you listed Meta apps, and Meta have a reputation for pushing the limits on exactly this category of nonsense), just that what you're describing isn't a smoking gun.
I checked the "Passwords" and there was no entry for these apps (I think that's the only place for the keychain on ios?).
And it's not about the phone telling its phone number.
Many apps look for authenticated sessions across their other apps to log you in. Google does this too.