There are gaps in the iOS ad tracking framework that Apple has yet to close, even though App Tracking Transparency (ATT) was enabled with iOS 14.5. One of them is fingerprinting, a set of techniques that can identify a device by analyzing several of its characteristics: although ATT prohibits these techniques, they are still used to track users.
According to Eric Seufert, analyst at Mobile Dev Memo, the manufacturer intends to crack down on it in the third or fourth quarter, possibly with the launch of the final version of iOS 16. What form this will take remains to be seen, because monitoring fingerprinting is a complicated task.
Typically, ad networks and data collectors embed tracking mechanisms in SDKs that developers install in their apps. If Apple rejected all apps containing these SDKs, the App Store catalog would be thin; moreover, it would penalize developers, most of whom see no harm in using these SDKs (they use them to get statistics about their users, for example).
Apple can exert indirect pressure on malicious SDK publishers, as we saw just before the iOS 14.5 release: in April 2021, we learned that the manufacturer had rejected apps that integrated a development kit from Adjust, a company specializing in mobile advertising. This SDK collected battery level, storage capacity, and other device information, a set of data that could be cross-referenced to target users. Because this collection was a bit too visible, Apple decided to take action.
But requiring developers to use “ethical” SDKs is not a viable long-term strategy, all the more so because fingerprinting techniques are very complex. A developer can legitimately collect data from their application on one server and then share it with an advertising server without Apple being able to control what happens on that second server.
How does Apple intend to settle its fingerprinting problem? Eric Seufert puts forward two hypotheses that are not mutually exclusive. The manufacturer could evaluate SDKs through a review process separate from the app's. This would not penalize the developer, only the SDK.
Apple could also use the same technology that underlies iCloud+’s Private Relay feature; in other words, the data emitted by SDKs would pass through the mechanism Apple introduced with iOS 15, which masks users' IP addresses. A way to pull the rug out from under fingerprinting.
This fight against fingerprinting would not be enough to defeat the other covert ad-tracking techniques, as a new study showed again today. It would nevertheless allow Apple to strengthen ATT and its firm position against tracking.