Apple Increases App Security by Implementing API Controls -

Post Views: 398

The business is still fighting against device fingerprinting.

Apple is in the combatting mood with device fingerprinting, which involves using bits of distinctive, device-specific data to follow people online. It will implement yet another significant restriction this fall to stop illicit usage of this sort of technology.

Apple unveiled a new project at WWDC 2023 that will increase the visibility of apps that keep track of users while also increasing user transparency. It has now provided developers with a bit more information about how this will actually function.

The latest salvo in a long campaign

Astute observers will recognize that this is another phase of Apple’s battle against tracking, which it first waged in 2018 when it restricted websites’ access to Safari browser data, then again in 2021 with the release of iOS 14.5 and the requirement that apps obtain users’ express consent before tracking them. This strategy has been effective, and currently, only 4% of iPhone users in the US allow apps to monitor them in this manner.

That fact alone should persuade any naysayers that Apple’s users genuinely desire this kind of safety.

Taking on the fingerprinters

The latest action targets another set of user-tracking technologies, referred to as fingerprinting. In a nutshell, each gadget has a set of distinctive characteristics that can be utilized for recognizing it. Screen resolution, model, and even the amount of installed apps are examples of this type of information. A device’s identity and the path it takes between apps and websites can both be determined using that data. Apple categorically opposes using this data to monitor users because gadgets don’t move in a vacuum, and users can be tracked using the same data.

Some APIs (Application Programming Interfaces) that Apple and other companies offer to developers to enable specific functionality in their apps also give developers access to data that could be misused for device fingerprinting.

As a response, it informed developers at WWDC that going forward, usage of such APIs would be subject to evaluation and would also need to be disclosed to users in the privacy declaration for such apps on the App Store. The idea behind this is that clients receive data that will assist them in discovering any apps that are capable of surveillance on them, while developers must demonstrate an actual requirement to utilize those APIs.

Apple acknowledges that there are acceptable uses.

It is important to note that some of these regulated APIs could seem insignificant. For instance, user choices for app colors or settings are applied and stored using user defaults. However, since that particular type of distinguishing information is used to monitor devices, there seems to be little damage in requiring that developers explicitly state their usage and the destination of such data. Transferring settings across a developer’s own apps is another use for such data; nevertheless, Apple has definitely observed situations where certain such usage has been troublesome.

Although there has been a lot of blather in response to Apple’s most recent announcement, most developers agree that the changes are very minimal. As of fall 2023, developers who utilize these APIs to create apps for Apple’s platforms must disclose their usage when updating or submitting their apps. For trustworthy developers, especially those who already care about user privacy, the requirements for the reasons supplied must be accepted, and the information provided must be true.

The ultimate goal of this is to provide customers assurance that the source code is utilized only for legal purposes, enabling them to choose which apps to install with greater knowledge. The firm website contains a comprehensive list of these regulated APIs.

Disclosure is coming

The rules will become stricter starting in the spring of 2024, at which point the privacy manifest will also need to provide the justification for accessing one of these APIs.

Not all apps utilizing one of these things are terrible apps, though. Apple acknowledges this when it states that it will allow software that makes use of these codes for a legitimate purpose. Furthermore, it is unclear how strictly these revelations will be monitored. Will Apple’s app review staff thoroughly examine any such applications before approving them? If they do, may this prevent the release of otherwise good apps?

That is conceivable, but it also means that Apple is making it harder for app developers to hide privacy-degrading methods in their products without eventually being compelled to renege on some of their privacy guarantees. At the very least, this will make it much simpler for Apple to remove applications that do not honestly disclose their privacy practices.

Think differently

It’s crucial to avoid diverting discussions about these issues to the demands of marketers and other parties who might believe they are lawfully using monitoring and fingerprinting technologies. Personal data privacy is essential to safeguarding business and infrastructure due to the difficulties of online security and the complexity of phishing attempts against high-value targets. Safety across all of its platforms is now one of Apple’s main priorities. Tools designed to track individuals online or in apps can be misused to construct convincing attacks.

With this in consideration, more confidential measurements of intent must eventually substitute tracking technology.

About The Author:

YogeshNaager is a content marketer that specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.