The Past and Present of iOS Privacy and Convenience

The Past and Present of iOS Privacy and Convenience

Apple’s privacy principles and the adjustments to privacy protection features in iOS over the years

Theme by slidego

[2023–08–01] iOS 17 Update

Supplementary updates on iOS 17 privacy-related adjustments from the previous presentation.

Link Tracking Protection

Safari will automatically remove tracking parameters from URLs (e.g., fbclid, gclid…)

• Example: https://zhgchg.li/post/1?gclid=124 will become https://zhgchg.li/post/1 after clicking.
• Currently testing iOS 17 Developer Beta 4, fbxxx, gcxxx, etc., will be removed, but utm_ is retained; it’s uncertain if the official iOS 17 or future iOS 18 will further enhance this.
• For the strictest scenario, you can install the iOS DuckDuckGo browser for testing.
• For detailed testing, please refer to the article “iOS17 Safari’s new feature will remove fbclid and gclid from URLs”.

Privacy Manifest .xprivacy & Report

Developers need to declare the use of User Privacy, and also require any used SDK to provide its Privacy Manifest.

*Additionally, third-party SDK Signature has been added

XCode 15 can generate a Privacy Report through the Manifest for developers to set App privacy settings on the App Store.

Required reason API

To prevent the misuse of certain Foundation APIs that could potentially lead to fingerprinting, Apple has started to regulate some Foundation APIs; a declaration of usage is required in the Manifest.

Currently, the most affected API is UserDefault, which requires a declaration.

Starting in Fall 2023, if you upload a new app or app update to App Store Connect that uses an API requiring a declaration (including content from third-party SDKs), and you do not provide an approved reason in the app's privacy list, you will receive a notification. Starting in Spring 2024, to upload new apps or app updates to App Store Connect, you will need to specify the approved reason in the app's privacy list to accurately reflect how your app uses the respective API.

If the current scope of approved reasons does not cover a use case for an API requiring a declaration, and you believe this use case directly benefits your app users, please let us know.

Tracking Domain

APIs that send tracking information need to declare the domain in the privacy manifest .xprivacy and can only initiate network requests after user consent for tracking; otherwise, all network requests to this domain will be intercepted by the system.

You can check if the Tracking Domain is intercepted using the XCode Network tool:

Currently, Facebook and Google’s Tracking Domains are detected and need to be listed as Tracking Domains and require permission.

• graph.facebook.com: Facebook-related data statistics
• app-measurement.com: Google-related data statistics: GA/Firebase…

Therefore, please note that FB/Google data statistics may significantly drop after iOS 17, as data will not be received if permission is not asked or tracking is not allowed; based on past implementations of asking for tracking permission, about 70% of users will click not allow.

• Developers’ own API calls for tracking also need to follow the same regulations for Tracking Domains.
• If the Tracking Domain is the same as the API Domain, a separate Tracking Domain is required (e.g., api.zhgchg.li -> tracking.zhgchg.li).
• Currently, it is unclear how Apple will regulate developers’ own tracking; testing with XCode 15 did not detect any issues.
• It is unclear whether the official will use tools to detect behavior or if reviewers will manually check.

Fingerprinting is still prohibited.

Introduction

I am honored to participate in the MOPCON speech, but it is a pity that it has been changed to an online live broadcast due to the pandemic, and I cannot meet more new friends. The theme of this speech is “The Past and Present of iOS Privacy and Convenience,” mainly to share Apple’s principles on privacy and the functional adjustments iOS has made over the years based on these privacy principles.

The Past and Present of iOS Privacy and Convenience | Pinkoi, We Are Hiring!

In recent years, developers or iPhone users should be familiar with the following feature adjustments:

• iOS ≥ 13: All apps supporting third-party login must also implement Sign in with Apple, otherwise, they cannot be successfully listed on the App Store.
• iOS ≥ 14: Clipboard access warning.
• iOS ≥ 14.5: IDFA must be allowed before it can be accessed, which almost equates to blocking IDFA.
• iOS ≥ 15: Private Relay, using a proxy to hide the user’s original IP address.
• iOS ≥ 16: Clipboard access requires user authorization.
• … and many more, which will be shared with everyone at the end of the article.

Why?

If you are not familiar with Apple’s privacy principles, you might even wonder why Apple has been constantly opposing developers and advertisers in recent years. Many features that everyone is used to have been blocked.

After going through “ WWDC 2021 — Apple’s privacy pillars in focus “ and “ Apple privacy white paper — A Day in the Life of Your Data “, it became clear that we have unknowingly leaked a lot of personal privacy, allowing advertisers or social media to profit immensely, infiltrating our daily lives.

Referencing the Apple privacy white paper and rewriting it, let’s take the fictional character Harry as an example to illustrate how privacy is leaked and the potential harm it can cause.

First is the usage record on Harry’s iPhone.

On the left is the web browsing history: You can see visits to websites related to cars, iPhone 13, and luxury goods.

On the right are the installed apps: There are investment, travel, social, shopping, and baby monitor apps.

Harry’s offline life

Offline activities leave records in places such as invoices, credit card transaction records, dashcams, etc.

Combination

You might think, how could different websites, different apps (even without logging in), and offline activities possibly allow a service to link all the data together?

The answer is: technically, it is possible, and it “might” or “has already” happened partially.

As shown in the image above:

• When not logged in, websites can identify the same visitor across different sites through Third-Party Cookies, IP Address + device information calculated Fingerprint.
• When logged in, websites can link your data through registration information such as name, birthday, phone number, email, ID number, etc.
• Apps can identify the same user across different apps through Device UUID, URL Scheme to sniff other installed apps on the phone, and Pasteboard to transfer data between apps. Additionally, registration information can also link data after the user logs in.
• Apps and websites can also use Third-Party Cookies, Fingerprint, and Pasteboard to transfer data.
• The connection between online and offline activities can occur when banks collect credit card transaction records, accounting apps, invoice collection apps, dashcam apps, etc., all have the opportunity to link offline activities with online data.

It is technically feasible; so who are the third parties behind all the websites and apps?

Large companies like Facebook and Google earn significant revenue from personal ads; many websites and apps also integrate Facebook and Google SDKs… so it’s hard to say. Often, we don’t even know which third-party ad and data collection services websites and apps use, secretly recording our every move.

Let’s assume that all of Harry’s activities are secretly collected by the same third party, then in its eyes, Harry’s profile might look like this:

On the left is personal information, possibly from website registration data or delivery data; on the right are behavior and interest tags based on Harry’s activity records.

In its eyes, it might know Harry better than Harry knows himself; this data can be used on social media to make users more addicted; used in advertising, it can stimulate Harry to overconsume or create a birdcage effect (e.g., recommending you buy new pants, then you buy shoes to match, then socks… it never ends).

If you think the above is already scary enough, there’s something even scarier:

Having your personal information and knowing your financial status… the potential for malicious acts is unimaginable, such as kidnapping, theft…

Current Privacy Protection Methods

• Legal regulations (e.g., SGS-BS10012 personal data certification, CCPA, GDPR…)
• Privacy agreements, de-identification

Mainly through legal constraints; it’s hard to ensure services comply 100% of the time, and there are many malicious programs on the internet, making it difficult to guarantee that services won’t be hacked, causing data leaks; in short, “ if someone wants to do evil, it’s technically feasible, relying solely on regulations and corporate conscience is not enough.”

Moreover, we are often “forced” to accept privacy terms, unable to authorize individual privacy settings. Either we don’t use the service at all, or we use it but have to accept all privacy terms; privacy terms are also not transparent, so we don’t know how our data will be collected and used, and we don’t know if a third party is collecting our data without our knowledge.

Additionally, Apple has mentioned that minors’ personal privacy is often collected by services without the consent of their guardians.

Apple’s Privacy Principles

Knowing the harm caused by personal privacy leaks, let’s look at Apple’s privacy principles.

Excerpted from the Apple Privacy White Paper, Apple’s ideal is not to completely block but to balance. For example, in recent years, many people have installed AD Block to completely block ads, which is not what Apple wants to see; because if completely disconnected, it’s hard to provide better services.

Steve Jobs said at the 2010 All Things Digital Conference:

I believe people are smart, some people want to share more data than others. Ask them every time, annoy them until they tell you to stop asking, let them know exactly how you are going to use their data. — translated by Chun-Hsiu Liu

Apple believes privacy is a fundamental human right

Apple’s Four Privacy Principles:

• Data Minimization: Only take the data you need
• On-Device Processing: Based on Apple’s powerful processor chips, personal privacy-related data should be processed locally unless necessary
• User Transparency and Control: Let users know what privacy information is being collected and how it is used; also, allow users to control the sharing of individual privacy data
• Security: Ensure the security of data storage and transmission

iOS Privacy Protection Feature Adjustments Over the Years

Understanding the harm of personal privacy leaks and Apple’s privacy principles, let’s look at the technical means; we can see the adjustments iOS has made over the years to protect personal privacy.

Between Websites

As mentioned earlier

The first method can use Third-Party Cookies to link visitor data across websites:

🈲, in iOS >= 11, Safari has implemented Intelligent Tracking Prevention (WebKit)

Enabled by default, the browser actively identifies and blocks third-party cookies used for tracking and advertising; and with each iOS version, the identification program is continuously strengthened to prevent omissions.

Using Third-Party Cookies to track users across websites is basically no longer feasible on Safari.

The second method is to use IP Address + device information to calculate a Fingerprint to identify the same visitor across different websites:

🈲，iOS >= 15 Private Relay

Especially after Third-Party Cookies were banned, more and more services are adopting this method. Apple is also aware of this… Fortunately, in iOS 15, even the IP information is obfuscated for you!

The Private Relay service will first randomly send the user’s original request to Apple’s Ingress Proxy, then randomly dispatch it to the partner CDN’s Egress Proxy, and finally, the Egress Proxy will request the target website.

The entire process is encrypted and can only be decrypted by the chip in your iPhone. Only you know both the IP and the target website of the request simultaneously. Apple’s Ingress Proxy only knows your IP, the CDN’s Egress Proxy only knows Apple’s Ingress Proxy IP and the target website, and the website only knows the CDN’s Egress Proxy IP.

From an application perspective, all devices in the same region will use the same shared CDN’s Egress Proxy IP to request the target website. Therefore, the website cannot use the IP as Fingerprint information anymore.

For technical details, refer to “WWDC 2021 — Get ready for iCloud Private Relay”.

Supplementary Private Relay:

• Apple/CDN Provider does not have complete logs for tracing: I checked how Apple prevents it from being used maliciously but couldn’t find an answer. It might be similar to how Apple won’t unlock a criminal’s iPhone for the FBI; privacy is a fundamental human right for everyone.
• Enabled by default, no special connection needed
• Does not affect speed or performance
• IP will be guaranteed to be in the same country and time zone (users can choose to blur the city), cannot specify IP
• Only effective for certain traffic iCloud+ users: All traffic on Safari + Insecure HTTP Requests in Apps General users: Only effective for third-party tracking tools installed on websites in Safari
• Officially provides CDN Egress IP List for website developers to identify (do not mistakenly block Egress IPs, it will cause group harm)
• Network administrators can ban DNS to disable Private Relay for all connections
• iPhone can disable Private Relay for specific network connections
• Private Relay will be disabled when connecting to VPN/Proxy
• Currently still in Beta version (2021/10/24), enabling it may cause some services to be unreachable (China region, Chinese version of TikTok) or services to be frequently logged out

Private Relay Test Image

• Image 1 Not enabled: Original IP address
• Image 2 Enabled Private Relay — Maintain general location: IP becomes CDN IP but still in Taipei
• Image 3 Enabled Private Relay — Use country and time zone (broaden blur): IP becomes CDN IP & changes to Taichung, but still in the same time zone and country

Test Project

Apps can use URLSessionTaskMetrics to analyze Private Relay connection records.

To digress, the method of using IP addresses to obtain Fingerprints to identify users can no longer be used.

Between Apps

The first method was to directly access the Device UUID in the early days:

🈲，iOS >= 7 prohibits access to Device UUID,

Use IDentifierForAdvertisers/IDentifierForVendor instead

• IDFV: All apps under the same developer account can get the same UUID; using KeyChain is also a current method for identifying user UUID.
• IDFA: Different developers and different apps can get the same UUID, but users can reset or disable IDFA.

🈲，iOS >= 14.5 IDentifierForAdvertisers requires user consent before use

After iOS 14.5, Apple has strengthened the restrictions on accessing IDFA. Apps need to ask for user permission to track before obtaining the IDFA UUID; without asking or without permission, the value cannot be obtained.

Preliminary survey data from market research companies show that about 70% of users (some say 90% in the latest data) do not allow tracking to access IDFA, which is why people say IDFA is dead!

Test Project

The second method for inter-app communication is URL Scheme:

iOS apps can use canOpenURL to detect if a specific app is installed on the user’s phone.

🈲，iOS >= 9 requires setting in the app before use; cannot detect arbitrarily.

iOS ≥ 15 adds a restriction, allowing a maximum of 50 other app schemes.

Apps linked on or after iOS 15 are limited to a maximum of 50 entries in the LSApplicationQueriesSchemes key.

Between Website and App

As mentioned earlier

The first method is also through Cookie integration:

In the early days, iOS Safari’s cookies and App WebView’s cookies could communicate, allowing data exchange between websites and apps.

The method involves embedding a 1-pixel WebView component in the app’s background to secretly read Safari cookies.

🈲，iOS >= 11 prohibits sharing cookies between Safari and App WebView

If you need to obtain Safari cookies (e.g., using website cookies to log in directly), you can use the SFSafariViewController component; however, this component forces a prompt window and cannot be customized, ensuring that users are not unknowingly tracked.

The second method is using IP Address + device information to calculate a fingerprint to identify the same user across different websites:

As mentioned earlier, iOS ≥ 15 has been obfuscated by Private Relay.

The last and only remaining method — Pasteboard:

Using the clipboard to transfer cross-platform information, as Apple cannot disable clipboard usage across apps, but it can prompt the user.

⚠️ iOS >= 14 adds clipboard access warnings

⚠️ 2022/07/22 Update: iOS 16 Upcoming Changes

Starting from iOS ≥ 16, if the user does not actively perform a paste action, the app’s attempt to read the clipboard will trigger a prompt window, and the user needs to allow it for the app to read the clipboard information.

UIPasteBoard’s privacy change in iOS 16

Implementing Deferred Deep Link with Pasteboard

_Here, I want to mention the privacy panic regarding the clipboard in iOS 14. For more details, you can refer to my previous article “iOS 14 Clipboard Privacy Panic: The Dilemma Between Privacy and Convenience”. _

Although we cannot rule out the possibility of reading the clipboard for data theft, more often, our app needs to provide a better user experience:

Before implementing Deferred Deep Link, when we guide users to install the app from the website, opening the app after installation will only open the homepage by default. A better user experience should be opening the app to the corresponding page where the user left off on the website.

To achieve this functionality, there needs to be a way to transfer data between the website and the app. As mentioned in the article, other methods have been banned, and currently, only the clipboard can be used as a medium for storing information (as shown above).

Including Firebase Dynamic Links and the latest version of Branch.io (previously Branch.io used IP Address Fingerprint to achieve this) also use the clipboard for Deferred Deep Link.

For implementation, you can refer to my previous article: iOS Deferred Deep Link Implementation (Swift)

In general, if it is for Deferred Deep Link, the clipboard information will only be read the first time the app is opened or when returning to the app. It will not be read during use or at odd times, which is worth noting.

A better approach is to use UIPasteboard.general.detectPatterns to detect if the clipboard data is what we need before reading it.

Test Project

After iOS ≥ 15, the clipboard prompt has been optimized. If it is the user’s own paste action, the prompt will no longer appear!

Advertising Effectiveness Solutions

As mentioned earlier, Apple’s privacy principle hopes for a balance rather than completely blocking users from services.

Advertising Effectiveness Statistics Between Websites:

In Safari, the feature that blocks Intelligent Tracking Prevention is Private Click Measurement (WebKit) used to measure advertising effectiveness without compromising personal privacy.

The specific process is as shown above. When a user clicks an ad on site A and goes to site B, a Source ID (to identify the same user) and Destination information (target site) will be recorded in the browser. When the user completes a conversion on site B, a Trigger ID (representing what action) will also be recorded in the browser.

These two pieces of information will be combined and sent to sites A and B after a random 24 to 48 hours to get the advertising effectiveness.

Everything is handled on-device by Safari, and protection against malicious clicks is also provided by Safari.

Advertising Effectiveness Statistics Between Apps and Websites or Apps:

You can use SKAdNetwork (requires application to join Apple) similar to Private Click Measurement, which will not be elaborated here.

It is worth mentioning that Apple is not working behind closed doors; SKAdNetwork is currently at version 2.0. Apple continues to collect feedback from developers and advertisers to balance personal privacy control and continuously optimize SDK functionality.

Here, I sincerely wish that Deferred Deep Link can be integrated with the SDK, as we aim to enhance user experience without intending to invade personal privacy.

For technical details, refer to “WWDC 2021 — Meet privacy-preserving ad attribution”.

Cross-Platform

All apps supporting third-party login on iOS ≥ 13 must implement Sign in with Apple, otherwise, they cannot be successfully listed on the App Store.

• Name can be edited
• Real email can be hidden (replaced with a virtual email generated by Apple)
• Users can request account deletion Apps must implement this by 2022/01/31 🆕

iOS ≥ 15 iCloud+ users support Hide My Email

• Supports all email fields in Safari and apps
• Users can generate virtual emails in settings

Similar to Sign in with Apple, virtual emails generated by Apple replace real emails. After receiving an email, Apple will forward it to your real email, thus protecting your email information.

Similar to a 10-minute email but more powerful; as long as you don’t disable it, the virtual email address is yours permanently; there is no limit to the number of new addresses you can create, and it’s unclear how Apple prevents abuse.

Settings -> Apple ID -> Hide My Email

Others

App privacy details on the App Store:

Apps must explain on the App Store what user data will be tracked and how it will be used .

For detailed information, refer to: “App privacy details on the App Store”.

Fine control of personal privacy data:

Starting from iOS ≥ 14, location and photo access can be more finely controlled. You can authorize access to only certain photos or allow location access only while using the app.

Test Project

Starting from iOS ≥ 15, the CLLocationButton button is added to enhance user experience. It allows obtaining the current location through user clicks without asking for permission or consent. This button cannot be customized and can only be triggered by user actions.

Personal Privacy Usage Prompt:

iOS ≥ 15, added personal privacy usage prompts, such as: clipboard, location, camera, microphone

App Privacy Usage Report:

iOS ≥ 15, can export a report of all apps’ privacy-related usage and network activity for the past 7 days.

1. Since the report file is a .ndjson plain text file, it is not easy to view directly; you can first download the “ Privacy Insights “ app from the App Store to view the report.
2. Go to Settings -> Privacy -> Scroll to the bottom “Record App Activity” -> Enable Record App Activity.
3. Save App Activity.
4. Choose “Import to Privacy Insights “.
5. After importing, you can view the privacy report.

As mentioned in the news, WeChat indeed secretly reads photo information in the background when the app is launched.

Additionally, I also caught a few other Chinese apps doing sneaky things, so I directly disabled all their permissions in settings.

If it weren’t for this feature exposing them, who knows how long our data would have been stolen!

Recap

Apple’s privacy principles

After understanding the adjustments to privacy features over the years, let’s revisit Apple’s privacy principles:

• Data Minimization: Apple uses technical means to limit the data accessed.
• On-Device Processing: Privacy data is not uploaded to the cloud; everything is processed locally. For example, Safari Private Click Measurement, Apple’s machine learning SDK CoreML, Siri/Live Text features in iOS ≥ 15, Apple Maps, News, photo recognition features, etc.
• User Transparency and Control: Various new privacy access prompts, activity reports, and fine-grained privacy control features.
• Security: The security of data storage and transmission, avoiding misuse of UserDefault, iOS 15 can directly use CryptoKit for end-to-end encryption, and the transmission security of Private Relay.

Fragmented Data

Returning to the initial technical means of piecing together Harry’s correlation diagram, the connections between websites or apps are blocked, leaving only the clipboard, which will prompt.

For service registration and third-party login information, you can use Sign in with Apple and hide my email features to prevent leaks; or use more native iOS apps.

Offline activities might be protected by using Apple Card to prevent privacy leaks?

No one has the chance to piece together Harry’s activity profile anymore.

Apple is Human-Centric

Therefore, “human-centric” is the term I would use to describe Apple’s philosophy. Going against the commercial market requires a strong belief. Related to this, “technology-centric” is the term I would use for Google, as Google always creates many geeky tech projects. Lastly, “business-centric” is the term I would use for Facebook, as FB pursues commercial gains on many levels.

In addition to adjustments for privacy features, iOS has continuously enhanced features to prevent phone addiction over the past few years, introducing “Screen Time Report,” “App Usage Limits,” “Focus Mode,” and more; helping everyone break free from phone addiction.

Finally, I hope everyone can

• Value personal privacy
• Not be controlled by capital
• Reduce virtual addiction
• Prevent societal decline

Live a brilliant life in the real world!

Private Relay/IDFA/Pasteboard/Location Test Project:

References

• WWDC 2021 — Apple’s privacy pillars in focus
• Apple privacy white paper — A Day in the Life of Your Data
• WWDC 2021 — Get ready for iCloud Private Relay
• WWDC 2021 — Meet privacy-preserving ad attribution
• iOS 14 Clipboard Data Panic: The Dilemma of Privacy and Convenience
• iOS Deferred Deep Link Implementation (Swift)
• All About iOS UUID (Swift/iOS ≥ 6)

If you have any questions or feedback, feel free to contact me.

===

本文中文版本

===

This article was first published in Traditional Chinese on Medium ➡️ View Here