Two iOS developers and cybersecurity researchers collectively working as ‘Mysk’ have reported that since iOS 14.6, Apple has been sending itself detailed usage data from the Apple App Store regardless of whether the user has data usage and personalised ads disabled or not.
According to the developers, the data is sent to Apple as the user continues to browse the app store. This can contain IDs to help trace the behaviour back to a specific user and while the developers haven’t exactly identified what data Apple collects, apparently it’s too much “even if the user has consented to share analytics data with Apple” as stated by the developers in a tweet featuring a video of the app store sending back some 152KB after browsing the store for nearly 10 minutes.
Tracking invasive data on users browsing its App Store aside, Apple had introduced strict measures against fingerprinting users in iOS 14.5, so having the App Store itself track users after 14.6 puts seems a rather odd choice. The data doesn’t seem to be related to an iOS update as well, instead seeming like more of a server-side choice.
Additionally, all this data is sent through one HTTP POST request, meaning interceptions and man-in-the-middle attacks on such data can reveal a lot of information from each individual request captured.
The news comes a few weeks after Apple made a few changes to App Store ads that led to developer complaints stating that even educational apps had gambling apps shown as related. Apple has pulled these new ads since and hasn’t announced what’s next.
It’s unclear at the moment if Apple is still collecting this data in iOS 16, especially when analytics and personalised sharing recommendations might be disabled. Keep in mind that Apple has already been in hot water over its App Tracking Transparency feature, which did almost nothing to prevent users from being tracked regardless of whether they allowed apps to track them or not.
ATT’s launch was supposed to make Apple stand out as someone looking out for the privacy of their customers but the company’s utter disregard for customer privacy, borderline false marketing and delays in fixing critical zero-day vulnerabilities have raised a lot of questions over the security and privacy issues in Apple software.