Following revelations from two iOS developers and cybersecurity researchers that Apple has been tracking users on the App Store since iOS 14.6, further investigation by the same researchers reveals that the trend continues on iOS 16.1.1, despite Apple’s promises of analytics anonymity.
The analytics data sent back to Apple from the App Store contain an ID called DSID or Directory Services Identifier. This ID can uniquely identify an iCloud account, meaning your analytics data can be directly linked to you as the DSID is associated with your name, email and any other data in your iCloud account.
To reiterate, this happens regardless of whether or not you’ve disabled sharing analytics data with Apple.
Simply put, in the words of the researchers, you need to know three things.
- The App Store sends details analytics about the user to Apple.
- There’s no way to prevent this information from being sent out.
- The analytics data can be directly traced back to the user.
Making matters worse, Mysk points to a line from Apple’s Device Analytics and Privacy statement that clearly states, “None of the collected information identifies you personally”. This is a direct contradiction to the researchers’ findings.
Apple has a separate set of rules about how it tracks you in the App Store, Apple News and Stocks (where ads are also shown). Apple fully admits that it’s tracking you, stating, “These records are stored with IP address, a random unique identifier, and Apple ID when you are signed in to the App Store or other Apple online stores.”
While reading just the first paragraph will give you a good idea of what’s going on, we recommend checking out the entire document. You can find it by following these steps on any iPhone:
- Open the Settings app and tap Privacy & Security.
- Scroll down and tap on Analytics & Improvements.
- Tap About Analytics & Privacy in the first paragraph.
Mysk demonstrates this process on iOS 16 in a video uploaded on their YouTube channel. The video clearly shows data being sent back to Apple on nearly every interaction as the user browses the App Store looking for apps.
Since the iPhone used in the video wasn’t jailbroken, the contents of the requests themselves are encrypted. So while it might save you from a random person intercepting your App Store traffic, it doesn’t save you from the company itself.
When experimented with a jailbroken iPhone running iOS 14.6 in an earlier video, the contents of the requests can be decrypted and contain information, including the names of the apps viewed as well as the timestamp and duration of time the user spent looking at the app.
The problem extends beyond the App Store, covering just about every Apple app stock. For example, the Stocks app reports what stocks you’re looking at, alongside any news your article read by the user. Gizmodo reports that a class action lawsuit has been filed against the company in California, accusing the company of violating the California Invasion of Privacy Act.