November 15, 2021

iOS 14.5: The Surprising Problem With Apple’s Big Privacy Update

After months of build-up, everyone was expecting the much-hyped privacy feature in Apple’s iOS 14.5 to arrive with a bang. Quite rightly, privacy advocates believed iOS 14.5’s App Tracking Transparency (ATT) would shake up internet advertising for the better.

But so far, Apple’s new iPhone privacy feature has not worked as it was billed. Among the issues, many Apple users are complaining about a lack of “Ask to Track” prompts since upgrading to iOS 14.5. Some people haven’t seen any at all, while others have seen heavily customised prompts—not the uniform iOS prompts seen in Apple’s marketing—many of which do not ask specifically to track iPhone users. 

“The reality is that App Tracking Transparency in iOS 14.5 is a mess,” says Johnny Lin, a former Apple engineer and co-founder of tracker-blocking app Lockdown Privacy. “It’s possible it could sort itself out in the long run, but right now, it’s inconsistent, with low compliance rates, confusing since it doesn’t work the same way as other permissions, and easy to get around.”

It’s certainly disappointing for many iPhone users, who had expected transparency about which apps were tracking them after upgrading to iOS 14.5. Others just wanted to try out the new privacy feature when it launched. So, what’s happening?

Reason 1: Check Your Settings in iOS 14.5

Some people won’t be receiving any Ask to Track notices because they have already disallowed collection of the identifier for advertisers (IDFA) in their settings. This will have carried over to iOS 14.5.

The setting can be found in Settings > Privacy > Tracking.

If you have already toggled it to off, apps have already been sent the message not to collect the IDFA and this carries over to iOS 14.5. You can turn on Allow Apps to Request to Track, but if apps have already been given the instruction not to track, they won’t ask again. In other words, you may need to wait for new apps to ask.

However, according to 9to5Mac, some users are complaining that the toggle is grayed out, which stops apps from requesting to track. There could be a reason for this: For example, those under 18 will find they are unable to turn on tracking (which is a good thing). It is also grayed out if your Apple ID is managed by an educational institution or uses a configuration profile that limits tracking, or if your Apple ID was created in the last three days.

The other explanation is that the grayed out button is a bug in iOS 14.5 that needs fixing. 

Reason 2: The developer’s app isn’t ready for ATT yet

Despite Apple’s PR machine indicating ATT would emerge suddenly and dramatically upon updating to iOS 14.5, in reality, it will take time for app developers to adjust. Facebook said in a statement to CNET that ATT would be rolling out over the coming weeks.

So other apps may also be slow to get their ATT alerts out, but rest assured: Just because the ATT pop-up isn’t appearing, it doesn’t mean apps can track you in iOS 14.5. Apple has indicated that app makers who don’t ask will not be given access to the IDFA. Instead of the unique IDFA code that identifies you, the app developer will receive a string of 000s.

Developers need to use the AppTrackingTransparency framework to request permission to track the user. “If called properly, the framework displays a system prompt on behalf of the app,” says security researcher Tommy Mysk. “Without receiving permission from the user, the value of the advertising identifier, or IDFA, will be all zeros.”

He says none of the apps he tested triggered the system prompt to be displayed: “Even though we could clearly see the IDFA value in their network traffic, it was all zeros. This is consistent with Apple’s documentation.”

As for the heavily customised prompts that are clearly not the uniform iOS permission (see picture below), these shouldn’t be used to allow tracking. They are allowed by Apple as a pop-up before the native iOS prompt comes up—not instead of it.

This is how it should work: When you say yes to tracking, the app will appear in your privacy settings, where you can turn it off. Watch the video demo included in this article to see how it works. 

But the real issue is that third party tracking goes beyond just the IDFA. Apple says it is “not considered tracking when the app developer combines information about you or your device for targeted advertising or advertising measurement purposes if the developer is doing so solely on your device and not sending information off your device in a way that identifies you.”

In addition, the app is allowed to share information with data brokers if this is used for fraud detection or prevention or security. 

However, iPhone developers are not allowed to use fingerprinting methods—another way of uniquely identifying you—to track people, according to Apple’s developer documentation.

Mysk explained in a tweet how he found the IDFA blocking process is working, and apps only gain access to the IDFA if they are using the iOS native prompt. However, it did not stop the app from collecting other data.

“There are many other ways apps can and do third-party tracking of users without the IDFA,” says Lin. “At a very basic level, apps always have access to the user’s IP address, so the IDFA is not really needed to uniquely identify someone—it’s more like a ‘nice to have’. Another example is that third-party trackers can just generate their own unique identifier for each user to track them.”
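An added example, not from the article or from Mysk or Lin: a short Python audit of request URLs captured from your own device, which separates zeroed IDFA values from live ones (Mysk's observation) and flags other UUID-style identifiers that recur across app sessions (Lin's point about self-generated identifiers). The hosts, parameter names and capture lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

ZERO_IDFA = "00000000-0000-0000-0000-000000000000"
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumed parameter names for the advertising identifier; real SDKs vary.
IDFA_KEYS = {"idfa", "ifa", "advertising_id"}

# Constructed sample: (app session number, request URL) as a proxy might log them.
CAPTURE = [
    (1, "https://ads.tracker.example/v1/event?idfa=00000000-0000-0000-0000-000000000000&ev=open"),
    (1, "https://metrics.vendor.example/c?uid=7f3c2a10-9b4e-4d6a-8c1f-2e5b7a9d0c11&ev=open"),
    (2, "https://metrics.vendor.example/c?uid=7f3c2a10-9b4e-4d6a-8c1f-2e5b7a9d0c11&ev=view"),
    (2, "https://ads.tracker.example/v1/event?ifa=6D92078A-8246-4BA4-AE5B-76104861E7DC&ev=view"),
    (2, "https://cdn.vendor.example/img?cb=3b1e0c52-51aa-4f0e-9a77-0d1c2e3f4a5b"),
]

def audit(capture):
    """Classify UUID-shaped identifiers seen in captured request URLs."""
    findings = {"idfa_zeroed": [], "idfa_live": [], "persistent_ids": []}
    seen = defaultdict(set)  # (host, key, value) -> sessions it appeared in
    for session, url in capture:
        parts = urlsplit(url)
        for key, value in parse_qsl(parts.query):
            if not UUID_RE.match(value):
                continue
            if key.lower() in IDFA_KEYS:
                # All zeros is what an app receives without tracking permission.
                bucket = "idfa_zeroed" if value == ZERO_IDFA else "idfa_live"
                findings[bucket].append(parts.hostname)
            else:
                seen[(parts.hostname, key, value)].add(session)
    # A non-IDFA UUID repeated across sessions suggests a vendor-generated ID.
    findings["persistent_ids"] = sorted(
        (host, key) for (host, key, _), sessions in seen.items() if len(sessions) > 1
    )
    return findings

if __name__ == "__main__":
    for name, hits in audit(CAPTURE).items():
        print(name, hits)
```

A one-off UUID such as the `cb` cache-buster in the sample is not flagged, because it does not repeat across sessions.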

So why are these non-native prompts appearing? One possibility is that many apps are doing this as a pre-prompt or primer before they show the user the iOS native prompt, in order to increase initial opt-in rates, says Lin.

This is because once the user denies tracking, it’s hard to get them to go to the Settings app to change it back, Lin says. “This same UX pattern, while confusing, has been used for some time for other permission requests like push notifications—a game might have its own explainer prompt for why it wants to enable push notifications before presenting the native iOS prompt.”

Lin says however that the simplest explanation is that these are bugs in the apps, and developers are messing up because it’s their first time implementing ATT. Another possibility, he says, is that it’s an iOS bug (like the grayed out button).

“It’s also possible that some apps are trying to comply with ATT, but can’t figure out how their third-party tracker usage ‘fits in’ with Apple’s ATT rules—for example, if they don’t use IDFA at all, but they do other third-party tracking, so they create their own dialog in the hope of passing App Review’s scrutiny.”

Confusingly, Lin tells me ATT doesn’t work the same way as other permissions. “Other permissions are very cut-and-dry: if you disable Camera access, the app does not have access to your camera, period. However, if you disable access to ‘Allow Apps to Request To Track’, the app can definitely still track you with third-party trackers; it’s just that if the app wanted to be honest (by their own choice), they could show the Request to Track dialog and respect it.

“iOS 14.5 supposedly does cut off IDFA for apps that don’t show the dialog, but that isn’t needed to do third-party tracking, and the setting isn’t ‘Allow Apps to Use IDFA’; the setting is ‘Allow Apps to Request To Track’.”

Reason 3: App developers are trying to get around the iOS 14.5 privacy changes

App developers are allowed to customize the text inside the iOS 14.5 pop-up, but they need to use the native iOS prompt and can only change the central text. This text needs to offer the user the information they need to decide whether to allow tracking or not without, for example, threatening to take away functionality or offering monetary incentives.

No doubt at first, some developers will push this, but hopefully they will be weeded out during Apple’s review process. Apple has said it will police ATT in iOS 14.5, so let’s hope it keeps its word and the big privacy change will make the difference we were all expecting. 

However, Lin says his app Lockdown, which shows who is tracking you on your iPhone, has been monitoring to see the compliance rate of apps with ATT. “As far as I can tell, it’s very low.” For example, he says, opening one food and drink app resulted in Lockdown Privacy blocking 49 third-party tracking attempts, including Facebook trackers. “Even with Allow Apps to Ask To Track enabled, there is no prompt to ask for tracking, and the app doesn’t even show up in the list.”

At the same time, says Lin, Apple isn’t retroactively removing apps that do third-party tracking. “So, even if an app, in the worst case, is being egregious about selling user data to third parties without any consent, as long as they don’t submit a new version, they can keep doing this as long as they want.”

Apple’s explanation

Apple has further explained ATT in a support document. The document explains how iOS app developers can customize part of the message to explain why the app is asking to track your activity. You can also visit the app’s product page in the App Store for more details about how the app developer uses your data.

But Apple states: “If you choose Ask App Not to Track, the app developer can’t access the system advertising identifier (IDFA), which is often used to track. The app is also not permitted to track your activity using other information that identifies you or your device, like your email address.”

I asked Apple for a comment on this story and will update it if the iPhone maker responds.