Apple's 'App Tracking Transparency' Is A 'Dud', Said Former Apple Engineer


Apple's bold claims include saying that "what happens on your iPhone, stays on your iPhone." A former employee said that is not the case.

Apple is known for creating expensive products and has developed a cult following. With a market capitalization of over $2 trillion, it has become one of the most profitable companies in the world, even surpassing Saudi Arabia's oil company Aramco.

Among the things the company has done to differentiate itself from the competition, most notably tech giants like Google and Facebook, is saying that it does not rely on advertising for revenue.

This means Apple doesn't really need to track users or profile them based on their interests in order to learn about their habits or needs.

But according to Johnny Lin, a former Apple engineer and co-founder of the software company Lockdown Privacy, Apple's 'Ask App Not To Track' button is a "dud" that gives users "a false sense of privacy."


Lin said that the button, when it's switched on, still lets some apps snoop on data.

Take one case: an iPhone user opens the Subway Surfers game, which is at this time listed as one of the App Store’s “must-play” games. When the game is opened for the first time, it asks whether the user wants to allow the app to track. Saying no is supposed to stop apps like Subway Surfers from ever learning what users do in other apps and on websites.

But no, it doesn't.

Choosing 'Ask App Not To Track' still allows apps to collect user data.

Lin said this based on a study by Lockdown Privacy, which tested how effective App Tracking Transparency is.

The company selected "ten top ranked apps, most of which were featured by Apple’s own App Store Editors under either the Apps or Games tabs."

Using the Lockdown Privacy app, the team was able to detect and block a number of third-party trackers, even when the button was turned on.

In the research, the team enabled blocklists that include: Amazon Trackers, Data Trackers, Email Trackers, Facebook Trackers, Game Marketing, General Marketing, Google Shopping, Marketing Trackers, Marketing Trackers II, Reporting.

Then, using an iPhone XR running iOS 14.8, and later through a retest using iOS 15, the team tested each app twice.

The first test chose 'Ask App Not To Track', and the second allowed the app to track.

"In each test, we did a clean signup and basic usage of the app for no more than two minutes. After each test, we recorded what tracking activity was detected in Lockdown Privacy’s Block Log, and then reset everything to test the next case," the report said.

In the end, the team found no difference in the total number of active trackers, whether 'Ask App Not To Track' was turned on or off. When it was turned on, the number of tracking attempts was lower, but only by ~13%.

"In our tests of ten top-ranked apps, we found no meaningful difference in third-party tracking activity when choosing App Tracking Transparency’s 'Ask App Not To Track'. The number of active third-party trackers was identical regardless of a user’s ATT choice, and the number of tracking attempts was only slightly (~13%) lower when the user chose 'Ask App Not To Track'," the report concluded.

The data being sent, even when 'Ask App Not To Track' is turned on, includes first name and last name, screen resolution, time zone, iPhone model and iOS version, battery levels, storage, language, user agent, and more.

"Note that in all cases, the user’s IP address is exposed to the third party, because that is a basic requirement of making a connection to any site or server on the internet," the team said.

So why is this happening? Does Apple sell a false promise? "How could Apple have failed so miserably in stopping third-party trackers with a feature named 'App Tracking Transparency'?"

To answer that, the team dug deeper, and found the main cause: Apple’s narrow definition of the term “tracking”.

Lockdown's research found that even when Apple's App Tracking Transparency's Do Not Track is turned on, third parties can still get a lot of data. Sensitive items are marked in red. (Credit: Lockdown Privacy)

In general, tracking is when an app unnecessarily sends its users' data to third parties. When that happens, the third party knows, at a minimum, the user's IP address. With this data alone, the third party can approximate which ISP the user is using, the user's location, and so forth.

But Apple's understanding of the term "tracking" is a lot more specific.

According to Apple's full definition, which sits in its developer documentation where no average iOS user will ever read it, "tracking" happens only if all of the following conditions are met:

First, it must link user data from one app/website to another app/website. Second, it must do this specifically for targeted advertising or advertising measurement purposes. And third, Apple excludes a list of so-called acceptable tracking behaviors that are not considered "tracking."

This definition is not the general meaning of tracking, and because of that, Apple’s definition of tracking is misleading, counterintuitive, and confusing: it is too narrow in scope, contains too many caveats, relies too heavily on trusting the very tracking companies that the policies are supposed to be protecting users against, and incentivizes less transparency, thus creating more dangers for privacy.

Apple has the utmost control of its ecosystem, and with that in mind, it's best for apps to obey Apple if they want to stay on its good side.

As a result, "not only do these trackers allow their clients to break Apple’s rules, but they specifically built features to help their clients easily circumvent Apple’s ATT privacy rules," Lockdown concluded.

Lockdown suggested that Apple needs to take a hard line against closed-source trackers, needs to come clean that App Tracking Transparency is a completely trust-based system, needs to be extremely clear that iOS currently does not and cannot stop third-party tracking, and should be more transparent and model transparency for developers by open sourcing not only their software, but also their processes.

As a company that has billions of users across all of its services and products, Apple needs to be more transparent, especially because it markets itself as a company that values privacy.


Published: 27/09/2021