Apple curbing tracking via fingerprinting with « required reason APIs »

Apple’s escalated anti-tracking measures as developers must clarify the use of any APIs labeled as “required reason API” that could be used for device fingerprinting.

A still from an Apple event video featuring Tim Cook opening

This includes some commonly used APIs, such as the UserDefaults API which is designed to store user preferences but can also be leveraged for fingerprinting.

Device fingerprinting is a technique that some apps have used to continue tracking users after they explicitly asked not to be tracked via the privacy prompt.

Apple wants to curb device fingerprinting in a privacy boost

APIs, or application programming interfaces, let developers communicate with the operating system and use various system services in their apps without knowing how they’re implemented. Apple prohibits any APIs from being used for fingerprinting.

“Regardless of whether a user gives your app permission to track, fingerprinting is not allowed,” reads developer documentation on the Apple website.

Some developers have resorted to fingerprinting to bypass Apple’s security measures and continue tracking people across apps and websites. The technique collects data about the user’s configuration, like device model, screen resolution, operating system version and so forth, to create a unique identifier.

Introducing Required Reason API

To prevent that from happening, Apple now lists certain APIs on iOS, iPadOS, tvOS, visionOS and watchOS as “required reason APIs”. Furthermore, developers are responsible for checking that their app only uses the APIs for the expected reasons.

Your app or third-party SDK must declare one or more approved reasons that accurately reflect your use of each of these APIs and the data derived from their use. You may use these APIs and the data derived from their use for the declared reasons only. These declared reasons must be consistent with your app’s functionality as presented to users, and you may not use the APIs or derived data for tracking.

When iOS 17, iPadOS 17, tvOS 17, macOS Sonoma and watchOS 10 launch this fall, developers will receive an email notice from Apple if they submit apps using a required reason API without specifying its usage. The Cupertino tech giant will stop accepting submissions that don’t adhere to this requirement from Spring 2024.

Soyez le premier à commenter

Poster un Commentaire

Votre adresse de messagerie ne sera pas publiée.