Apple wants privacy 'nutrition labels' on all new and updated apps in its software store from next month

How many grams of carbo-spy-drates are in your favorite applications?


Apple on Thursday advised developers they need to clarify the privacy practices of apps distributed through its App Store, a requirement previewed earlier this year.

The iPhone maker said software makers can now start creating standardized summaries, via its App Store Connect interface, that clearly define to users what kinds of personal data their code collects and handles. These details will be displayed on each app's App Store product page next month.

"This information will be required to submit new apps and app updates to the App Store starting December 8, 2020," Apple said.

When introducing the privacy requirement at Apple's virtual Worldwide Developer Conference in June, Erik Neuenschwander, Apple's user privacy manager, likened the disclosures to the nutritional labels on food.

Couple on phones photo via Shutterstock

iPhone sales shrink for 2nd year in a row as delay to next-gen mobile launch hits hard

READ MORE

"For food, you have nutrition labels; you can see if it's packed with protein or loaded with sugar, or maybe both, all before you buy it," he said. "So we thought it would be great to have something similar for apps. We're going to require each developer to self-report their practices."

Developers will have to answer a series of questions via App Store Connect that disclose the types of data that the developer and third-party partners collect, if that data gets transmitted off the device. And they must do so for iOS/iPadOS, macOS, tvOS, and watchOS apps.

This applies to analytics tools, ad networks, third-party SDKs, or other vendor code added to the app.

Apple allows data disclosure to be optional if all of the following conditions apply: if it's not used for tracking, advertising or marketing; if it's not shared with a data broker; if collection is infrequent, unrelated to the app's primary function, and optional; and if the user chooses to provide the data in conjunction with clear disclosure, the user's name or account name is prominently displayed with the submission.

Otherwise, the privacy labeling is mandatory and requires a fair amount of detail. Developers must disclose the use of contact information, health and financial data, location data, user content, browsing history, search history, identifiers, usage data, diagnostics, and more. If a software maker is collecting the user's data to display first or third-party adverts, this has to be disclosed.

These disclosures then get translated to a card-style interface displayed with app product pages in the platform-appropriate App Store.

Screenshot of Apple privacy label for an app

An example of Apple's privacy labeling for applications

Google has also been increasing its privacy requirements for Android apps distributed through Google Play, but its demands aren't as extensive.

Apple's privacy nutrition labels may help users of its software make more informed decisions when app developers integrate SDKs like Mintegral, which security firm Snyk labelled malicious back in August.

Mintegral, a China-based mobile ad platform, disputed Synk's claims and promised changes to its SDK code, but Snyk last month reported it had discovered a backdoor that allows remote code execution in apps using the SDK to display ads. The ad biz responded by insisting its code is misunderstood while removing the disputed SDK class (MTGInvocationBoxing) in v6.6.0 of its SDK "in order to avoid malicious interpretations."

Whatever's going on, Apple's disclosure regime looks like an improvement on the status quo. ®


Biting the hand that feeds IT © 1998–2020