Apple begins rejecting apps that use advertising SDKs for fingerprinting users

Google comes in late too


Apple has begun warning iOS developers that it will reject apps containing advertising SDKs that use data from the device to create unique identifiers, or fingerprints, in preparation for the upcoming release of iOS 14.5.

Fingerprinting code of this sort is used by marketers for ad-related tracking, a practice Apple aims to curtail in its next iOS update.

iOS 14.5 is expected to implement Apple's App Tracking Transparency (ATT) framework, which has been delayed for months due to the objections of large advertisers like Facebook. ATT brings with it an App Store rule change that requires developers to implement an app-tracking authorization request that asks users to opt in to being tracked and having their data collected. Facebook and Google have both warned that giving people this privacy choice will mean less ad revenue for publishers, not to mention their share of it.

Apple's developer guidelines were expanded in late January explicitly to disallow fingerprinting in apps that "reference SDKs (including but not limited to Ad Networks, Attribution services and Analytics)." The fingerprinting ban and other pending privacy rule changes were discussed back at the company's June 2020 developer conference. Enforcement of those rules has now expanded to cover device-derived fingerprinting.

On Friday, Paul Müller, CEO of mobile analytics biz Adjust, said Apple had started enforcing its ATT restrictions. "Our SDK was one that was flagged because it had code that Apple indicated as being in violation of their guidelines," he said in a blog post. "This code was in the SDK to collect information for our fraud prevention suite."

Müller said a compliant version of the Adjust SDK, v4.28, has been released and advised customers to ensure they've revised their apps to incorporate the updated code. He further suggested that Apple's ban of the Adjust SDK arose from iOS app reviewers who identified object references or symbols (e.g. NSFileManager) that Adjust had added to its SDK to combat spoofing but that weren't exposed for customer usage.

"Apple saw these symbols and flagged them because they were similar to symbols being used in other SDKs that together could be used to create a persistent ID, even if a user didn’t consent," he explained, insisting that while other ad tech firms may have been misusing the symbols, Adjust never used them for crafting an identifier.

In any event, the objectionable object references have been removed from the Adjust SDK, he said.

Other companies flirt more openly with defiance, though they stop short of rebellion, which would accomplish little given Apple's near-absolute control over its iOS ecosystem.

According to the Financial Times, Snap has explored options for bypassing Apple's privacy rules for its Snapchat messaging app. Snap, it's claimed, sought to use data from third-party companies to identify people who responded to ad campaigns in the hope its developers could cross-reference data like IP addresses with its own information to track app users via a fingerprinting technique called "probabilistic matching."

However, when asked about this by the Financial Times, Snap insisted it supports Apple's guidelines and believes advertising should respect consumer privacy. We reached out to Snap for comment but we've not heard back.

The Chinese Advertising Association, meanwhile, has developed an identifier called the China Anonymization ID, or CAID, that it hopes will provide the tracking capability lost through iOS 14.5's privacy protections. Apple reportedly has warned developers in China not to flout its rules.

Apple did not respond to a request for comment.

Apple's smartphone rival Google is also taking steps to improve privacy in its Android ecosystem. The ad biz recently issued a Google Play policy update that restricts availability of a permission in Android 11 (API level 30) called QUERY_ALL_PACKAGES. It gives an app access to the list of apps installed on the queried device, which Google now considers to be a high-risk permission.

"Play regards the device inventory of installed apps queried from a user’s device as personal and sensitive information, and use of the permission is only permitted when your app's core user facing functionality or purpose, requires broad visibility into installed apps on the user’s device," Google's support document explains.

To use this permission, apps must provide either device search, antivirus, file management, or browsing functions and must sufficiently justify and disclose their use of it.
