Goodbye Tracking? Impact of iOS App Tracking Transparency ...

Goodbye Tracking Impact of iOS App Tracking Transparencyand Privacy Labels

Konrad Kollnigkonradkollnigcsoxacuk

Department of Computer ScienceUniversity of Oxford

Oxford United Kingdom

Anastasia Shubaashuba22gmailcomIndependent Researcher

Max Van Kleekmaxvankleekcsoxacuk

Reuben Binnsreubenbinnscsoxacuk

Nigel Shadboltnigelshadboltcsoxacuk

ABSTRACTTracking is a highly privacy-invasive data collection practice thathas been ubiquitous in mobile apps for many years due to its rolein supporting advertising-based revenue models In response Ap-ple introduced two significant changes with iOS 14 App TrackingTransparency (ATT) a mandatory opt-in system for enabling track-ing on iOS and Privacy Nutrition Labels which disclose what kindsof data each app processes So far the impact of these changes onindividual privacy and control has not been well understood Thispaper addresses this gap by analysing two versions of 1759 iOSapps from the UK App Store one version from before iOS 14 andone that has been updated to comply with the new rules

We find that Applersquos new policies as promised prevent the col-lection of the Identifier for Advertisers (IDFA) an identifier forcross-app tracking Smaller data brokers that engage in invasivedata practices will now face higher challenges in tracking users ndash apositive development for privacy However the number of trackinglibraries has ndash on average ndash roughly stayed the same in the studiedapps Many apps still collect device information that can be used totrack users at a group level (cohort tracking) or identify individualsprobabilistically (fingerprinting) We find real-world evidence ofapps computing and agreeing on a fingerprinting-derived identifierthrough the use of server-side code thereby violating Applersquos poli-cies We find that Apple itself engages in some forms of trackingand exempts invasive data practices like first-party tracking andcredit scoring from its new tracking rules We also find that the newPrivacy Nutrition Labels are sometimes inaccurate and misleadingespecially in less popular apps

Overall our observations suggest that while Applersquos changesmake tracking individual users more difficult they motivate a coun-termovement and reinforce existing market power of gatekeeper

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page Copyrights for components of this work owned by others than ACMmust be honored Abstracting with credit is permitted To copy otherwise or republishto post on servers or to redistribute to lists requires prior specific permission andor afee Request permissions from permissionsacmorgFAccT rsquo22 June 21ndash24 2022 Seoul Republic of Koreacopy 2022 Association for Computing MachineryACM ISBN 978-1-4503-9352-22206 $1500httpsdoiorg10114535311463533116

companies with access to large troves of first-party data Makingthe privacy properties of apps transparent through large-scale anal-ysis remains a difficult target for independent researchers anda key obstacle to meaningful accountable and verifiable privacyprotections

CCS CONCEPTSbull Security and privacy rarr Privacy protections Economics ofsecurity and privacy bull NetworksrarrMobile and wireless security

KEYWORDSmobile apps Apple iOS data protection privacy platform policiesgatekeeper power App Tracking Transparency Privacy NutritionLabels

ACM Reference FormatKonrad Kollnig Anastasia Shuba Max Van Kleek Reuben Binns and NigelShadbolt 2022 Goodbye Tracking Impact of iOS App Tracking Trans-parency and Privacy Labels In 2022 ACMConference on Fairness Accountabil-ity and Transparency (FAccT rsquo22) June 21ndash24 2022 Seoul Republic of KoreaACMNewYork NY USA 13 pages httpsdoiorg10114535311463533116

1 INTRODUCTIONTracking the large-scale collection of data about user behaviour iscommonplace across both mobile app ecosystems Android and iOSWhile some see tracking as a lsquonecessary evilrsquo to making apps avail-able at lower prices by showing users personalised advertising andselling their data to third parties [13 39] tracking can have highlydisproportionate effects on the lives of individuals and society as awhole [49 56] As a countermeasure Apple introduced the AppleTracking Transparency (ATT) framework ndash alongside mandatoryPrivacy Nutrition Labels [29 30] ndash with iOS 14 see Figure 1

The emergence of more robust privacy measures in everydaytechnology is partly motivated by new data protection and privacylaws around the globe particularly the General Data ProtectionRegulation (GDPR) in the EU and UK since May 2018 [34] Amongother aspects the GDPR protects any data that can be related toindividuals (lsquopersonal datarsquo) and requires a legal basis for any pro-cessing of such personal data This requirement has the effect thatapp tracking which usually classifies as lsquohigh-riskrsquo data processing

FAccT rsquo22 June 21ndash24 2022 Seoul Republic of Korea Kollnig et al

(a) Apple Tracking Transparency (ATT) (b) Privacy Nutrition Label

Figure 1 Overview of Applersquos new privacy measures introduced with iOS 14 [3]

needs prior user consent [33 43] Additionally the 2009 ePrivacyDirective which regulates data processing in electronic systems inthe EU and UK also requires consent to tracking [11 33] Despitethese legal requirements a large proportion of apps engaging intracking have in the past been observed not to seek the requiredprior user consent [33 43 48]

Starting with iOS 145 in April 2021 iOS apps must now askusers for explicit permission before tracking them see Figure 1aIf an iOS user asks an app not to track this has the direct effectthat this app cannot access the Identifier for Advertisers (IDFA)anymore The IDFA is a random unique identifier provided by theoperating system to apps for tracking users across multiple sessionsof a single app and across apps Additionally apps are obliged tostop certain tracking practices under the Applersquos App Store policies(more in Section 5) Preliminary data suggests that the vast majorityof users (between 60 and 95) choose to refuse tracking whenasked for it under the new system [4 21 27]

While potentially good for user privacy the ATT has been re-ported to have vastly increased Applersquos share of advertising oniOS ndash as part of its Apple Search Ads on the App Store ndash andto have decreased the efficacy of ads from competing companiesAn important reason for this as argued by Eric Seufert and oth-ers is that Applersquos own tracking technologies may not fall underApplersquos definition of tracking [40] It has also been reported thatmany marketing companies have shifted advertising budgets fromiOS to Android [18] The Financial Times estimated that the lossfor leading tech companies from the new policy would be around$10bn [20] but also reported that companies deemed the lsquoeffect ofApplersquos privacy changes was less than fearedrsquo [16] Applersquos privacychanges may prompt a rise in paid apps and in-app purchases [31]and thereby particularly affect those individuals who are alreadyworse off financially

In addition to the changes relating to the ATT app developersmust now self-declare what types of data they collect from usersand for what purposes ndash called Privacy Nutrition Labels [29 30] seeFigure 1 As such these labels aim to make it easier for end-usersto understand the data practices of apps instead of having to studylengthy privacy policies which few users do [38] There is howevera risk that many users may just ignore the new (and potentially

oversimplified) privacy labels (as they commonly do with privacypolicies [38]) gain a false sense of security or not understand theconsequences for their privacy (which tends to be highly individ-ual [44]) and that developers may not honestly self-declare theiractual data practices [60] Despite these concerns the labels havethe potential to shift developersrsquo existing data practices towardsbeing more privacy-preserving through increased transparencyand end-user awareness

Based on the above observations this paper analyses the follow-ing research questions

(1) What impact have the ATT and Privacy Nutrition Labelshad ndash thus far ndash on tracking particularly on the extent andquality of tracking

(2) To what extent do apps disclose their tracking practices intheir Privacy Nutrition Labels

(3) What implications do the ATT and Privacy Nutrition Labelshave for the power relations between the actors in the digitaladvertising system including mobile OS providers digitaladvertisers app developers and marketers

To analyse these questions this paper analyses privacy in 1759iOS apps for each of which we downloaded two versions one frombefore Applersquos new rules and one that has been updated since Weuse a combination of app code and network analysis to gain richinsights into the data practices of the studied apps

The remainder of this paper is structured as follows We firstreview related work in Section 2 Next we introduce our app down-load and analysis methodology in Section 3 We turn to the resultsfrom our app code and network analysis in Section 4We discuss ourfindings in Section 5 and the limitations of our study in Section 51We conclude the paper and outline direction for future work inSection 6 Code and data to replicate our results are available athttpswwwplatformcontrolorg

2 BACKGROUND21 Related workPrevious research extensively studied privacy in mobile apps Twomain methods have emerged in the academic literature dynamicand static analysis

Goodbye Tracking Impact of iOS App Tracking Transparency and Privacy Labels FAccT rsquo22 June 21ndash24 2022 Seoul Republic of Korea

Dynamic analysis observes the run-time behaviour of an app togather evidence of sensitive data leaving the device Early researchfocused on OS instrumentation ie modifying Android [14] oriOS [1] With growing complexity of mobile operating systemsrecent work has shifted to analysing network traffic [24 46 48 5051 51 52 56] This comes with certain limitations One problem islimited scalability since every app is executed individually Anotherissue is that not all privacy-relevant parts of apps may be invokedduring analysis potentially leading to incomplete results

Static analysis dissects apps without execution Usually apps aredecompiled and the obtained program code is analysed [12 26]The key benefit of static analysis is that it can analyse apps quicklyallowing it to scale to millions of apps [6 9 34 57 59] Howeverstatic analysis can involve substantial computational effort and ndashunlike dynamic analysis ndash does not allow the observation of realdata flows because apps are never actually run Programming tech-niques such as the use of code obfuscation and native code canpose further obstacles This is especially true for iOS apps whichare often harder to analyse and decompile ndash compared to Android ndashand are encrypted by default [6 35 62] While this iOS encryptionmight legitimately protect paid apps against piracy Apple also en-crypts all free apps downloaded from the App Store By contrastGoogle only encrypts paid apps (not free ones) when downloadedfrom its Play Store The encryption of iOS apps by Apple ndash even offree ones ndash is problematic for research efforts because it drives re-searchers into legal grey areas of copyright law [35] Partly becauseof these difficulties our recent work [35] was the first large-scaleapp privacy analysis study on iOS apps since 2013 [1] We avoidedlegal problems relating to copyright law by conducting part of theanalysis on-device through using the popular app instrumentationtool Frida [22]

In this paper we follow the methodology of our previous paperwhich used a combination of both dynamic and static analysis soas to compare the privacy practices of the studied apps before andafter the introduction of Applersquos new privacy rules We discuss ourmethodology for this paper in more detail in Section 3

22 Regulation of App PlatformsThe centrality of app platforms ndash ie Applersquos iOS and GooglersquosAndroid ecosystem ndash makes them a target for effective privacy reg-ulation however such regulation is limited [54 63] The US FederalTrade Commission (FTC) established some baseline rules for appstores in 2013 They strongly recommended to app platforms torequire just-in-time consent for sensitive data access to seek pri-vacy policies from app developers and to implement system-wideopt-out mechanism from data collection [15] Despite not beinglaw Google and Apple followed many of the recommendationsand have not seen further public recommendations from the FTCsince

In the EU and UK there exists no targeted regulation of appstores The Regulation on platform-to-business relations (P2BR)contains general provisions for online intermediaries includingapp stores but does little to enact better privacy protections [63]Data protection laws such as the GDPR and the ePrivacy Directivearguably place the primary responsibility for data protection with

the app developers not usually with app platform providers ndash al-though this is subject to ongoing debate this lack of data protectionobligations within the entire software development process ndash notjust deployment ndash has been widely criticised [8 28]

While no targeted regulation exists app platforms face increas-ing scrutiny by courts and regulators In the case Epic Games v Applerunning since 2020 a US District Court judge largely found no mo-nopolistic behaviour of Apple but did identify some anticompetitiveconduct in Applersquos business practices The judge ordered Apple toallow app developers to inform app users of alternative paymentmethods Both Apple and Epic Games have appealed the ruling Inthe EU following a complaint of Spotify against Apple from 2019the European Commission identified multiple anticompetitive as-pects about Applersquos ecosystem in a preliminary ruling ndash the caseis however still ongoing In January 2022 the Dutch competitionauthority demanded changes from Apple to its App Store policiesApple has to date not fulfilled the demands of the regulators intheir entirety and has instead chosen to pay a weekly penalty ofeuro5 million up to a maximum of euro50 million [5]

The challenges in keeping up with regulation of platforms havespurred a recent countermovement by lawmakers In South Koreaparliament amended the Telecommunication Business Act to forceapp stores to allow alternative payment methods and reduce com-missions [47] In response Apple lowered the share it takes fromApp Store revenues of small developers (making less than $1 millionper year) from 30 to 15 In the US Congress is debating a newOpen App Markets Act that aims to address common competitionconcerns around app stores and passed the Senate Judiciary Com-mittee with a strong a 20mdash2 bipartisan vote in February 2022 In theEU lawmakers are seeking to enact two new pieces of legislationthat aim to improve the regulation of digital markets the DigitalMarkets Act and the Digital Services Act Any new legal require-ment for app platforms will likely have implications worldwidedue to the nature of digital ecosystems

In sum there currently exist few specific legal obligations forapp platforms Instead they are encouraged to self-regulate theirconduct The following analysis shall shine a light on how therecent policy changes by Apple a highly prominent example of thisself-regulation have affected the actual privacy practices of mobileapps

3 METHODOLOGYIn this section we describe our analysis methodology (depictedin Figure 2) which follows the one that we previously used fora comparative analysis of iOS and Android appsrsquo privacy prac-tices [35] Code and data to replicate our results are available athttpswwwplatformcontrolorg We therefore keep our descrip-tion of the methodology short and refer the reader to the originalpaper for details

31 App Selection and DownloadThis section details our process for selecting and downloading appsfrom the Apple App Store (step 1 in Figure 2) For the selectionof apps we revisited the same 12000 iOS apps as in our previousstudy [35] These apps were selected by first generating a largelist of apps available on the Apple App Store between December

Code Analysis

Class Dump

FridaTracking Libraries

Permissions

Tracker Library Settings

App Manifest Analysis

Permissions

Tracking Library Configuration

Network Traffic Analysis

Traffic Collection

mitmproxySSL Kill Switch

Data Flows

App Privacy Footprints

Tracking Libraries

Presence

Configuration

Data Access

Permissions

Data Sharing

Before Consent

Disclosure of Tracking

Nutrition Labels

App Dataset

1759 apps

Privacy Nutrition Labels

Figure 2 Overview of our analysis methodology (Section3) First (1) we select and download 1759 apps from be-fore the introduction of the ATT and 1759 from after Wealso collect appsrsquo PrivacyNutrition Labels Next we perform(2) Code Analysis to examine permissions and tracking li-braries usage and (3) Network Traffic Analysis to analysetracking domains contacted at the first app start and thesharing of personal data The results of this analysis (Section4) are detailed App Privacy Footprints (4) of the downloadedapps

2019 and February 2020 We then downloaded a random subset(119899 = 12 000) of those apps that were last updated since 2018 so asto focus on apps currently in use For this work we re-downloadedthose apps that were updated to comply with Applersquos ATT andprivacy label rules in October 2021 This resulted in a dataset of1759 pairs of apps one from before iOS 14 and one from after Thisnumber of apps is comparatively small because many apps had notyet been updated since the new rules while some other apps hadbeen removed from the store (2713 out of 12000 apps were notavailable on the App Store anymore) We additionally scraped thePrivacy Nutrition Labels for the newly downloaded apps

32 Code AnalysisTo identify the presence of tracking libraries (step 2 in Figure 2) weextracted the names of all classes loaded by each app using the toolFrida [22] and checked them against a list of known tracker classnames from our previous paper [35] We also examined the appmanifest (every iOS app must provide such a file) to determine howcertain tracking libraries are configured ndash many tracking librariesallow developers to restrict data collection using settings in themanifest file eg to disable the collection of unique identifiers orthe automatic SDK initialisation at the first app start This can helpset up tracking libraries in a legally compliant manner For examplelsquoData minimisationrsquo is one of the key principles of GDPR (Article51 (c)) and user opt-in is required prior to app tracking in the EUand UK [33] We analysed the privacy settings provided by some ofthe most prominent tracking libraries Google AdMob Facebookand Google Firebase

Beyond analysing tracking in apps we also obtained a list ofpermissions that apps can request Permissions form an importantpart of the security model of iOS as they protect sensitive informa-tion on the device such as appsrsquo access to the camera or address

book As such permissions are different to the new privacy labelswhich do not affect the runtime behaviour of apps We extractedappsrsquo permissions by automatically inspecting the manifest file

33 Network AnalysisTo analyse appsrsquos network traffic (step 3 in Figure 2) we executedevery app on a real device ndash one iPhone SE 1st Gen with iOS 142and one with iOS 148 ndash for 30 seconds without user interactionWe captured network traffic using the tool mitmdump We disabledcertificate validation using SSL Kill Switch 2 after gainingsystem-level access on both iPhones (known as lsquojailbreakrsquo) On theiPhone with iOS 142 we did not opt-out from ad personalisationfrom the system settings thereby assuming user opt-in to use theIDFA (reflecting the assumption that many users who would rejecttracking do not do so because the option is in the less prominentsettings on the OS [35]) On the iPhone with iOS 148 we askedall apps not to track from the system settings Although in An-droid privacy research real user behaviour is simulated via variousautomation tools [7 25 45 46 48 50 55] Applersquos restrictions ondebugging and instrumentation have hindered the development ofsuch tools for iOS Tracking libraries are usually initialised at thefirst app start and without user consent [33 35 42 48] and theycan thus be detected without user interaction in the network trafficas done in our analysis

4 RESULTSIn this section we present our findings from analysing two ver-sions ndash one from before and one from after the release of iOS 14and the ATT ndash of 1759 iOS apps (step 4 in Figure 2) We analysed1996 GB of downloaded apps extracted 32 GB in information aboutclasses in appsrsquo code and collected 39 GB of data in appsrsquo networktraffic Installing and instrumentation failed for 74 iOS apps wehave excluded these apps from our subsequent analysis and focuson the remaining 1685 apps

First we focus on the tracking libraries found in the code analysis(Section 41) and whether or not they were configured for dataminimisation (Section 411) Next in Section 42 we analyse appsrsquoaccess to the IDFA (which is now protected by the ATT) and alsotheir permissions Following up in Section 43 we report on thedata sharing of apps before consent is provided with a particularfocus on whether apps that are instructed not to track actuallydo so in practice Lastly in Section 44 we check whether and towhat extent apps disclose their tracking practices in their PrivacyNutrition Labels

41 Tracking LibrariesApps from both before the ATT and after widely used trackinglibraries (see Figure 3a) The median number of tracking librariesincluded in an app was 3 in both datasets The mean before was 37the mean after was 36 475 of apps from before ATT containedmore than 10 tracking libraries compared to 475 after 8639contained at least one before ATT and 8752 after

The most prominent libraries have not changed since the in-troduction of ATT The top one was the SKAdNetwork library(in 784 of apps before and 818 after) While part of Applersquos

After Before

0 20 40 60 80 0 20 40 60 80

Moat (Oracle)

Flurry (Verizon Communications)

AdColony (AdColony)

ironSource (ironSource)

Supersonic Ads (ironSource)

Vungle (Blackstone)

AppLovin (MAX and SparkLabs) (AppLovin)

Twitter MoPub (Twitter)

Google Tag Manager (Alphabet)

Umeng+ (Alibaba)

Unity3d Ads (Unity Technologies)

AppsFlyer (AppsFlyer)

Google Analytics (Alphabet)

Google AdMob (Alphabet)

Facebook (Facebook)

Google CrashLytics (Alphabet)

Google Firebase Analytics (Alphabet)

SKAdNetwork (Apple)

apps present

Median Mean Q1 Q3 Count gt 10 None

Before 3 37 2 5 475 1361After 3 36 2 4 475 1248

(a) Top tracking libraries in app code

After Before

0 10 20 30 40 0 10 20 30 40

inappcenterms (Microsoft)

clients3googlecom (Alphabet)

sslgoogleminusanalyticscom (Alphabet)

firebasedynamiclinksgoogleapiscom (Alphabet)

gspminusssllsapplecom (Apple)

iidgoogleapiscom (Alphabet)

caiadsdkapplecom (Apple)

wwwgoogletagservicescom (Alphabet)

tpcgooglesyndicationcom (Alphabet)

scontentminusfrx5minus1xxfbcdnnet (Facebook)

firebaseremoteconfiggoogleapiscom (Alphabet)

googleadsgdoubleclicknet (Alphabet)

playgoogleapiscom (Alphabet)

itunesapplecom (Apple)

graphfacebookcom (Facebook)

firebaseinstallationsgoogleapiscom (Alphabet)

deviceminusprovisioninggoogleapiscom (Alphabet)

firebaseminussettingscrashlyticscom (Alphabet)

settingscrashlyticscom (Alphabet)

appminusmeasurementcom (Alphabet)

apps present

Before 3 40 1 6 475 1343After 4 47 2 7 719 1070

(b) Top tracking hosts contacted at the first app start

Figure 3 Third-party libraries (integrated in apps but not necessarily activated) and contacted tracking domains of apps aswell as the companies owning them (in brackets) Shown are the top 15 tracking libraries and domains for before and afterthe new privacy changes under iOS 14

privacy-preserving advertising attribution system this library dis-closes information about what ads a user clicked on to Apple fromwhich Apple could (theoretically) build user profiles for its ownadvertising system Following up with Apple about this potentialissue (by one of the authors exercising the GDPRrsquos right to be in-formed under Article 13) they did not deny the fact that this datamight be used for advertising but assured us that any targeted adswould only be served to segments of users (of at least 5000 indi-viduals with similar interests) Google Firebase Analytics rankedsecond (643 of apps from before ATT and 670 after) and GoogleCrashlytics third (436 before 444 after)

Overall Applersquos privacy measures seem not to have affected theintegration of tracker libraries into existing apps

411 Configuration for Data Minimisation Among the apps thatused Google AdMob 29 of apps from before and 45 from afterchose to delay data collection Choosing to delay data collectioncan be helpful for app developers to seek consent before enablingtracking and to fulfil legal obligations Among the apps using theFacebook SDK there was an increase in those which delayed thesending of app events (67 before and 125 after) an increase inthose which delayed the SDK initialisation (10 before ATT 22after) and an increase in those which disabled the collection of theIDFA (50 before 86 after) Among apps using Google Firebase06 permanently deactivated analytics before ATT and 08 after

00 disabled the collection of the IDFA before and 06 after and06 delayed the Firebase data collection before ATT and 10 after

Overall we found that only a small fraction of apps made use ofdata-minimising SDK settings in their manifest files One reasonfor this observation might be that some developers are not aware ofthese settings because tracking companies tend to have an interestin less privacy-preserving defaults regarding data collection [33 39]This fraction has subtly increased since the introduction of the ATT

42 Data Access and PermissionsMost prevalent permissions Figure 4 shows the most prevalentpermissions before and after the introduction of the ATT On aver-age there was an increase in permission use (43 permissions before47 after ndash excluding the new Tracking permission) CameraUsage(for camera access) was the most common permission (626 beforeATT 669 after) closely followed by PhotoLibraryUsage (658before ATT 669 after) and LocationWhenInUseUsage (538 be-fore ATT 580 after)

Tracking permission and access to IDFA As part of ATTapps that want to access the IDFA or conduct tracking must declarethe TrackingUsage permission in their manifest 247 of appsfrom our dataset chose to declare this permission and might askusers for tracking At the same time the share of apps that containthe AdSupport library necessary to access the IDFA in the appcode stayed unchanged at 508 of apps This means that 508 of

0 20 40 60Apps ()

BluetoothPeripheralUsage

LocationAlwaysAndWhenInUseUsage

CalendarsUsage

TrackingUsage

LocationAlwaysUsage

PhotoLibraryAddUsage

MicrophoneUsage

LocationWhenInUseUsage

PhotoLibraryUsage

CameraUsage

BeforeAfter

Figure 4 Top 10 permissions that apps can request

apps from after the ATT could access the IDFA on earlier versionsof iOS than 145 but only 247 can on iOS 145 or higher

Tracking permission and integration of tracking SDKsTheshare of apps that both contained a tracking library and could re-quest tracking varied somewhat between the used tracking library693 of the 350 apps that integrated Google AdMob declared theTrackingUsage permission 787 of the 110 apps that integratedUnity3d Ads 500 of the 116 apps that integrated Moat and 773of the 54 apps that integrated Inmobi Whether the app is frombefore or after the ATT the vast majority of apps (between 97and 100) that integrated any of these tracking libraries also inte-grated the AdSupport library and could therefore access the IDFAif running on iOS versions before 145

43 Data Sharing431 Before Consent This section analyses how many trackingdomains apps contacted before any user interaction has taken placethe next Section 432 then analyses what data was shared withtrackers Since tracking libraries usually start sending data right atthe first app start [33 35 42 48] this approach provides additionalevidence as to the nature of tracking in apps ndash and without consentOur results are shown in Figure 3b

The average number of tracking domains contacted was some-what higher for apps from after the introduction of the ATT (40 be-fore 47 after) The most popular domains were related to Googlersquosanalytics services firebaseinstallationsgoogleapiscom (41of apps before the ATT 474 after) and app-measurementcom(452 before 472 after) Since both endpoints are related toGoogle Firebase the large increase in firebaseinstallationsgoogleapiscom prevalence likely reflects internal restructuringof Firebase following Googlersquos acquisitions of other advertisingand analytics companies For example Google acquired the crashreporting software Crashlytics from Twitter in January 2017 whichis clearly reflected in our data Google deprecated the old API end-point (settingscrashlyticscom and changed it to firebase-

Information Example Before After

iPhone Name MyPhone 25 42iPhone Model iPhone84 |iPhone SE 602 745Carrier Three 202 202Locale en_GB |en-gb 857 901CPU Architecture ARM64 |16777228 137 161Board Config N69uAP 31 45OS Version 148 |18H17 799 869Timezone EuropeLondon 39 34

Figure 5 Proportion of all apps that shared device informa-tion This information can potentially be used for finger-printing or cohort tracking

settingscrashlyticscom) from November 2020 This had thedirect effect that all Crashlytics users must now also use GoogleFirebase The domain settingscrashlyticscom was contactedby 364 for apps from before the ATT and firebase-settingscrashlyticscom by 323 after the ATT While this might pointto a small difference in the adoption of Google Crashlytics theexact same number of apps (734 436) integrated the Crashlyt-ics library into their code before and after the ATT Similarlythe exact same number of apps integrate the Facebook SDK (523311) the share of apps that contacted the associated API endpointgraphfacebookcom at the first start fell from 277 to 231 TheGoogle Admob SDK too was integrated in the same number ofapps (350 208) and did not see a decline in apps that contact theassociated API endpoint googleadsgdoubleclicknet (121before 129 after)

Overall data sharing with tracker companies before any userinteraction remains common even after the introduction of the ATTThis is in potential violation with applicable data protection andprivacy laws in the EU and UK which require prior consent [33]

432 Exposure of Personal Data We found that 260 of apps frombefore the ATT shared the IDFA over the Internet but none fromafter the ATT In this sense the ATT effectively prevents apps fromaccessing the IDFA Despite Applersquos promises closer inspection ofthe network traffic showed that both Apple and other third partiesare still able to engage in user tracking

We found that iPhones continued to share a range of informationwith third-parties that can potentially be used for device finger-printing or cohort tracking see Table 5 Only timezone saw a subtledecrease in the number of apps that shared this information It isnot clear why apps need to access or share some of this informationeg the carrier name (shared by 202 of apps) or the iPhone name(shared by 3ndash4 of apps) Meanwhile some types of informationparticularly the iPhone name might allow the identification ofindividuals especially when combined with other information

In our analysis we found 9 apps that were able to generatea mutual user identifier that can be used for cross-app trackingthrough the use of server-side code These 9 apps used an lsquoAAIDrsquo(potentially leaning on the term Android Advertising Identifier)implemented and generated by Umeng a subsidiary of the Chinesetech company Alibaba The flow to obtain an AAID is visualisedin Figures 8a and 8b in the Appendix As expected the IDFA is

Domain Company Apps User ID Locale Model OS Version

firebaseinstallationsgoogleapiscom Google 474 app-measurementcom Google 472 firebase-settingscrashlyticscom Google 323 device-provisioninggoogleapiscom Google 258 graphfacebookcom Facebook 231 itunesapplecom Apple 183 fbcdnnet Facebook 130 googleadsgdoubleclicknet Google 129 firebaseremoteconfiggoogleapiscom Google 118 gsp-ssllsapplecom Apple 99 tpcgooglesyndicationcom Google 83 wwwgoogletagservicescom Google 81 clients3googlecom Google 53 firebasedynamiclinksgoogleapiscom Google 52 inappcenterms Microsoft 43 playgoogleapiscom Google 42 skadsdkappsflyercom AppsFlyer 40 gsp64-ssllsapplecom Apple 39 apionesignalcom OneSignal 37 caiadsdkapplecom Apple 37

Table 1 20 most common tracking domains after ATT sharing of user identifiers with third-parties alongside device infor-mation Empty cells mean that we did not observe the sharing of a certain type of information although this might still takeplace

only zeros because we used the opt-out provided by iOS 148 weobserved however that the IDFV (ID for Vendors) a non-resettableapp-specific identifier was shared over the Internet see Figure 8aThe sharing of device information for purposes of fingerprintingwould be in violation of the Applersquos policies which do not allowdevelopers to lsquoderive data from a device for the purpose of uniquelyidentifying itrsquo [3] Other experts and researchers have also voicedconcerns that tracking might continue [19 37 41 61]

We reported our observations to Apple on 17 November 2021who promised to investigate the problem We conducted a follow-up investigation on 1 February 2022 and re-downloaded and anal-ysed a range of iOS apps Some of the apps still continued to re-trieve a unique identifier from the URL httpsaaidumengcomapipostZdata Other apps now contacted the URL httpsutokenumengcomapipostZdatav2 and applied additional encryption(rather than just HTTPS) to the requests and responses This en-crypted data had roughly the same size as before (~750 bytes forthe request ~350 bytes for the response) and the same mimetype(applicationjson for the request applicationjsoncharset=UTF-8 for the response) The issue seems thus to be present stillbut has now been hidden away from the public through the useof encryption We have tried to reproduce these experiments fora few apps on iOS 15 and higher but did not observe the samebehaviour there currently exists no public jailbreak for these iOSversions and similar investigations as ours are therefore not (yet)possible on these iOS versions There is a possibility that the issuehas been fixed on iOS 15 or higher or that we did not pick up thesame behaviour in our small-scale testing (about 10 apps instead ofmore than 1000) However Apple did not provide further details tous

Analysing the top 20 most commonly contacted domains wecould confirm that installation-specific identifiers (see column lsquoUserIDrsquo) are commonly collected alongside further device-specific in-formation see Table 1 While these installation-specific identifiersare usually randomly generated at the first app start large tracking

companies can likely still use these identifiers to build profiles ofan app userrsquos journey across apps using their server-side code tolink different identifiers together (eg through the userrsquos IP addressother device information and first-party data) Companies alsoreceive information about a userrsquos locale (ie the display language)the device model and the OS version Such information can beused to disambiguate different users connecting from the sameIP address (eg households sharing the same Wi-Fi router) ndash andeven across different IP addresses through the use of additionalfirst-party data that large tracking companies hold

Table 1 does not include all the different kinds of informationthat we observed being sent to tracking domains because the kindsof information varied between companies For example Googleassigned an android_id to an iOS app upon first contact with thecompany that was then used for all subsequent communicationwithGooglersquos API endpoints This identifier differed between apps anddid not seem to be used for cross-app tracking on-device (it mightbe on Googlersquos servers) When contacting the domain googleadsgdoubleclicknet Google collected the current system volumeand the status of the silencing button As already described abovecaiadsdkapplecom collected a purchaseTimestamp that canbe used to identify the user and is not accessible for other appdevelopers The domain gsp64-ssllsapplecom belonging toApplersquos location services even collected the IP address and portthat we used for proxying the network traffic through mitmdumpas part of our analysis We did not observe any other domains thathad access to this information underlining Applersquos privileged dataaccess Crucially for many of the observed transmissions betweenapps and servers we could not even determine what data was sentdue to use of encryption [37] and closed-source communicationprotocols

System-Level Tracking by Apple We found that iPhones ex-changed a range of unique user identifiers directly with Applesee Figure 9 in the Appendix We observed that network requestswhich included various unique user identifiers and other personal

0 20 40Apps ()

BranchBaiduFlurry

Microsoft Visual Studio App CenterTwitter MoPub

BuglyJiGuang Aurora Mobile JPush

Google Tag ManagerUmeng+

Google AdMobGoogle Analytics

FacebookGoogle CrashLytics

Google Firebase AnalyticsSKAdNetwork

Figure 6 Top tracking libraries in apps that claim in theirPrivacy Nutrition Labels not to collect any data

data were issued following the interaction with apps and connectedto Applersquos App Store and advertising technologies While this doesnot allow user-level apps to gain access to these user identifiersApple itself can use these identifiers to enrich its own advertisingservices Indeed Apple claims in its privacy policy that it may useusersrsquo interactions with its advertising platform and with the AppStore to group users into segments (of at least 5000 individuals)and show adverts to these groups [2] Specifically we found thatthe App Store collected the UDID the serial number of the devicethe DSID (an identifier linked to a userrsquos Apple account) and apurchaseTimestamp All of these identifiers can be used by Appleto single out individual users Crucially the UDID has been inac-cessible to app developers other than Apple since 2013 [53] butApple continues to have access to this identifier Moreover Applecollects the serial number which cannot be changed and is linkedto a userrsquos iPhone This might be unexpected for some users Thesefindings are in-line with previous reports that both Google and Ap-ple collect detailed information about their users as part of regulardevice usage [36]

44 Disclosure of Tracking in Privacy NutritionLabels

We now consider whether and to what extent apps (from after theintroduction of iOS 14) disclose their tracking activities in theirPrivacy Nutrition Labels

Among the studied apps 222 claimed that they would notcollect any data from the user This was often not true as shownin Figure 6 802 of these apps actually contained at least onetracker library (compared to 931 for apps that did disclose somedata sharing) and 686 sent data to at least one known trackingdomain right at the first app start (compared to 914) On averageapps that claimed not to collect data contained 18 tracking libraries(compared to 43) and contacted 25 tracking companies (comparedto 42) Among the 222 of apps claiming not to collect data only 3

were in theApp Store charts As noticed above (see Table 1) trackinglibraries usually create a unique user identifier Among the apps thatused the SKAdNetwork 420 disclosed their access to a lsquoUser IDrsquo422 of apps using Google Firebase Analytics 482 of apps usingGoogle Crashlytics and 532 of apps using the Facebook SDK632 of apps using Google Firebase Analytics disclosed that theycollected any data about lsquoProduct Interactionrsquo or lsquoOther Usage Datarsquoand about 70 of apps using the Facebook SDK Google Analyticsor Google Tag Manager Additionally apps can disclose their useof lsquoAdvertising Datarsquo 275 of apps with the SKAdNetwork did so660 of apps with Google AdMob 809 of apps with Unity3d Adsand 454 apps with AppsFlyer

All of this points to notable discrepancies between appsrsquo dis-closed and actual data practices App developers might be able toaddress this but are often not fully aware of all the data that is col-lected through third-party tracking software [13 39] ConverselyApple itself might be able to reduce this discrepancy through in-creased use of automated code analysis in particular applied tothird-party tracking software

5 DISCUSSIONTracking continues and reinforces the power of gatekeep-ers and opacity of the mobile data ecosystem Our findingssuggest that tracking companies especially larger ones with accessto large troves of first-party data can still track users behind thescenes They can do this through a range of methods includingusing IP addresses to link installation-specific IDs across apps andthrough the sign-in functionality provided by individual apps (egGoogle or Facebook sign-in or email address) Especially in com-bination with further user and device characteristics which ourdata confirmed are still widely collected by tracking companiesit would be possible to analyse user behaviour across apps andwebsites (ie fingerprinting and cohort tracking) A direct result ofthe ATT could therefore be that existing power imbalances in thedigital tracking ecosystem get reinforced

We even found a real-world example of Umeng a subsidiary ofthe Chinese tech company Alibaba using their server-side code toprovide apps with a fingerprinting-derived cross-app identifier seeFigure 8 in the Appendix The use of fingerprinting is in violationof Applersquos policies [3] and raises questions around the extent towhich Apple can enforce its policies against server-side code ATTmight ultimately encourage a shift of tracking technologies be-hind the scenes so that they are outside of Applersquos reach In otherwords Applersquos new rules might lead to even less transparencyaround tracking than we currently have including for academicresearchers

Privacy Nutrition Labels can be inaccurate and mislead-ing and have so far not changed data practices Our resultssuggest that there is a discrepancy between appsrsquo disclosed (in theirPrivacy Nutrition Labels) and actual data practices We observedthat many (mostly less popular) apps gave incomplete informationor falsely declared not to collect any data at all These observa-tions are not necessarily to blame on app developers who oftenhave no idea of how third-party libraries handle usersrsquo personaldata [13 33 39] As reported in Section 411 the proportion of appdevelopers that make use of data-minimising settings of popular

tracker libraries has roughly doubled but these developers stillremain a small minority The Privacy Nutrition Labels have not(yet) had an impact on developersrsquo actual practices at large butmight do so in the long run by both increasing app usersrsquo privacyexpectations and making app developers rethink their privacy prac-tices [29 30] As they stand the labels can be misleading and createa false sense of security for consumers

Are the most egregious and opaque trackers tamed nowThe reduced access to permanent user identifiers through ATTcould substantially improve app privacy While in the short runsome companies might try to replace the IDFA with statistical iden-tifiers the reduced access to non-probabilistic cross-app identifiersmight make it very hard for data brokers and other smaller trackercompanies to compete Techniques like fingerprinting and cohorttracking may end up not being competitive enough compared tomore privacy-preserving on-device solutions We are already see-ing a shift of the advertising industry towards the adoption ofsuch solutions driven by decisions of platform gatekeepers (egGooglersquos FloC Topics API and Android Privacy Sandbox ApplersquosATT and Privacy Nutrition Labels) [17 34] though more discus-sion is needed around the effectiveness of these privacy-protectingtechnologies The net result however of this shift towards moreprivacy-preserving methods is likely going to be more concentra-tion with the existing platform gatekeepers as the early reports onthe tripled marketing share of Apple [16] the planned overhaul ofadvertising technologies by FacebookMeta and others [17] and theshifting spending patterns of advertisers suggest [18] Advertisingto iOS users ndash being some of the wealthiest individuals ndash will bean opportunity that many advertisers cannot miss out on and sothey will rely on the advertising technologies of the larger techcompanies to continue targeting the right audiences with their ads

Failure of GDPR enforcement and power of platformsApplersquos new rules should not have a dramatic effect on the trackingof users in the EU and UK given that existing data protection lawsin these jurisdictions already banmost forms of third-party trackingwithout user consent [33 43] While there was vocal outcry overApplersquos new privacy measures by advertisers the adtech indus-try was aware of tightened EU and UK data protection rules sinceApril 2016 and had plenty of time to work out a way to ensurecompliance with basic provisions of the GDPR until May 2018including the need to seek consent from users before engaging intracking [33] Broad empirical evidence from this and other piecesof research [32 33 35 45 48 62] suggests that appsrsquo compliancewith the GDPR is somewhat limited

At the same time it is worrying that a few changes by a privatecompany (Apple) seem to have changed data protection in appsmore than many years of high-level discussion and efforts by regu-lators policymakers and others This highlights the relative powerof these gatekeeper companies and the failure of regulators thus farto enforce the GDPR adequately An effective approach to increasecompliance with data protection law and privacy protections inpractice might be more targeted regulation of the gatekeepers ofthe app ecosystem so far there exists no targeted regulation in theUS UK and EU (see Section 22)

Applersquos Double Standards I Making and Enforcing AppStore Policies Our analysis shows that Apple has a competitiveadvantage within the iOS ecosystem in various ways First it both

makes the rules for the App Store and interprets them in practiceThis is reflected in Applersquos definition of tracking which ostensiblyexempts its own advertising technology [2] lsquoTracking refers to theact of linking user or device data collected from your app with useror device data collected from other companiesrsquo apps websites oroffline properties for targeted advertising or advertising measurementpurposes Tracking also refers to sharing user or device data withdata brokersrsquo (emphasis added) [3] In other words for tracking tofall under Applersquos definition it must fulfil three conditions or bedone by a data broker

Applersquos definition hinges on a distinction between first-partyand third-party data collection when this is not usually the rootof privacy problems This is why the W3C defines tracking aslsquothe collection of data regarding a particular userrsquos activity acrossmultiple distinct contexts and the retention use or sharing ofdata derived from that activity outside the context in which itoccurredrsquo [58] Rather than companies this definition is centredaround different contexts as is commonly sought to be protectedin privacy theory (eg contextual integrity [44]) and in privacyand data protection law (eg purpose limitation under Article 5 ofthe GDPR) Applersquos definition of tracking might both betray theexpectation of consumers who expect that tracking would stop(when first-party tracking notably by Apple itself continues to beallowed) and motivate other companies to consolidate and joinforces leading to increased market concentration

Apple additionally foresees a list of exempt practices [3] (seeFigure 7 in the Appendix for an excerpt) These include lsquofrauddetection fraud prevention or security purposesrsquo which might beinterpreted extremely broadly by tracking companies The exemptpractices further allow tracking by a lsquoconsumer reporting agencyrsquoThe term lsquoconsumer reporting agencyrsquo is defined in the US FairCredit Reporting Act (FCRA) regulating the relationship betweenthese agencies and other lsquofurnishers of informationrsquo relating toconsumers By explicitly exempting credit scoring Apple mighttry to avoid liability and it might not have much choice undercurrent US law The exemption of credit scoring is nonethelessproblematic because the use of personal data for credit scoringcan have disproportionate impacts on individuals and might beprotected by other data protection and privacy laws This mightcreate the (false) impression for some app developers that otherlegal conditions do not apply and a false sense of security for manyconsumers

ApplersquosDouble Standards II Access toDataBeing themakerof the iOS ecosystem Apple has a certain competitive advantageby being able to collect device and user data including hardwareidentifiers that other app developers do not have access to and usethis for its own business purposes For example by collecting thedevicersquos serial number regularly Apple can accurately tie the point-of-sale of its devices to activities on the device itself and track thedevice lifecycle in great detail Some of Applersquos own apps includingthe App Store itself have access to this information because theyare not distributed via the App Store and hence do not fall underthe rules governing the App Store including those that relate totracking of users These observations support the known concernsaround fair competition in the App Store

51 LimitationsA few limitations of our study are worth noting First for practicalreasons we were not able to analyse all the apps in the App Storeonly a reasonably large subset of free apps in the App Storersquos UKregion Furthermore for the purposes of examining the effect ofATT we only focused on apps that already existed on the AppStore before iOS 14 ndash newly released apps may adopt differentstrategies Regarding our analysis methods our instruments are alsopotentially limited in several ways The results of our static analysismust be interpreted with care since not all code shipped in an appwill necessarily be invoked in practice We may have overestimatedtracking in certain contexts eg if tracking code was included butnot used In our network analysis we performed this off-devicemeaning that all device traffic was analysed in aggregate The riskhere is that we may wrongly attribute some communications to anapp that in fact was generated by some other app or subsystem onthe device To minimise this risk we uninstalled all pre-installedapps and ensured no apps were running in the background Wealso used jailbreaking (ie gained full system access by exploiting avulnerability in the iOS operating system) to circumvent certificatevalidation which might make some apps alter their behaviour Inall parts of our analysis we consider all apps equally regardlessof popularity [7] and usage time [55] both of which can impactuser privacy Likewise we treat all tracking domains libraries andcompanies equally though they might pose different risks to users

6 CONCLUSIONS amp FUTUREWORKOverall we find that Applersquos new policies largely live up to itspromises on making tracking more difficult Tracking libraries can-not access the IDFA anymore and this directly impacts the businessof data brokers These data brokers can pose significant risks toindividuals since they try to amass data about individuals from awide range of contexts and sell this information to third-parties Atthe same time apps still widely use tracking technology of largecompanies and send a range of user and device characteristics overthe Internet for the purposes of cohort tracking and user finger-printing We found real-world evidence of apps computing a mutualfingerprinting-derived identifier through the use of server-side code(see Section 432 and Figure 8 in the Appendix) ndash a violation ofApplersquos new policies [3] highlighting limits of Applersquos enforce-ment power as a privately-owned data protection regulator [23 54]Indeed Apple itself engages in some forms of user tracking (seeSection 432 and Figure 9) and exempts invasive data practices likefirst-party tracking and credit scoring from its definition of track-ing Lastly we found the Privacy Nutrition Labels to be sometimesincomplete and inaccurate especially in less popular apps (Section44)

Applersquos privacy changes have led to positive improvements foruser privacy However we also found various aspects that are inconflict with Applersquos marketing claims and might go against usersrsquoreasonable privacy expectations eg that the new opt-in trackingprompts would stop all tracking that the new Privacy NutritionLabels would always be correct and be verified by Apple or thatApple would be subject to the same restrictions to data access andprivacy rules as other companies There is a risk that individualswill develop even more resignation over the use of their data online

if they are provided with with misleading or ineffective privacysolutions [10 49] This resignation could in the long run undermineprivacy efforts and adversely affect fundamental rights such as therights to data protection and privacy

Despite positive developments over the recent months and yearsespecially through initiatives by Apple there is still some way togo for app privacy Violations of various aspects of data protectionand privacy laws remain widespread in apps [32 33 35 45 48 62]while enforcement of existing data protection laws against suchpractices stays sporadic Applersquos privacy efforts are hampered byits closed-source philosophy on iOS and the opacity around theenforcement of its App Store review policies To strengthen iOSprivacy Apple has already started to prevent IP-based trackingby routing traffic to trackers via its own servers when using theiOS browser (lsquoPrivacy Relayrsquo) As a direct response to our findingsApple could consider extending the Privacy Relay to trackingwithinapps thereby making the tracking of users through their IP addressmore difficult [41] However this would also further extend Applersquosreach over the iOS ecosystem and potentially allow the companyto track users even more accurately

More generally the key decision makers with regards to privacytechnologies must establish robust transparency and accountabilitymeasures that allow for independent assessment of any privacyguarantees and promises This is especially true given the currentlack of targeted regulations for app platforms like Google Play andthe Apple App Store (see Section 22) In the case of Apple improvedtransparency measures must necessarily involve the phasing outof encryption of free iOS apps by default which currently forcesindependent privacy researchers into legal grey areas and severelyhampers such research efforts (see Section 21) This is why mostprevious privacy research focused on Android and the last large-scale privacy study into iOS apps had been conducted in 2013 [1]until the recent release of the method used in this study [35]

We conclude that the new changes by Apple have traded moreprivacy for more concentration of data collection with fewer techcompanies Stricter privacy rules may encourage even less trans-parency around app tracking by shifting tracking code onto theservers of dominant tracking companies Despite the new ruleslarge companies like GoogleAlphabet and FacebookMeta are stillable to track users across apps because these companies have ac-cess to unique amounts of first-party data about users Apple is nowable to track its customers even more accurately by taking a largershare in advertising technologies and getting unique access to useridentifiers including the device serial number This underlines thatprivacy and competition problems can be highly intertwined indigital markets and need holistic study

Future work In this work we only analysed apps that werealready present on the App Store before iOS 14 and the ATT itwould be interesting to analyse how the ATT has impacted theprivacy properties of newly released apps on the App Store It wouldalso be helpful to develop a new automation tool for iOS apps toobserve appsrsquo data practices automatically even beyond the firstapp start ndash as studied in this paper It would be pertinent to studyuser tracking by platforms in more detail and also how the PrivacyNutrition Labels inform individuals around app privacy

ACKNOWLEDGMENTSWe thank Jake Stein and Alexander Fanta for helpful commentsand Ulrik Lyngs for help with data analysis Konrad Kollnig wasfunded by the UK Engineering and Physical Sciences ResearchCouncil (EPSRC) under grant number EPR5132951 Max Van Kleekhas been supported by the PETRAS National Centre of Excellencefor IoT Systems Cybersecurity which has been funded by the UKEPSRC under grant number EPS0353621 Max Van Kleek ReubenBinns and Nigel Shadbolt have been supported by the OxfordMartin School EWADA Programme

REFERENCES[1] Yuvraj Agarwal and Malcolm Hall 2013 ProtectMyPrivacy Detecting and

Mitigating Privacy Leaks on iOS Devices Using Crowdsourcing In Proceedingof the 11th Annual International Conference on Mobile Systems Applications andServices - MobiSys rsquo13 ACM Press Taipei Taiwan 97 httpsdoiorg10114524624562464460

[2] Apple 2021 Apple Advertising amp Privacy httpswwwapplecomlegalprivacydataenapple-advertising

[3] Apple 2021 User Privacy and Data Use httpsdeveloperapplecomapp-storeuser-privacy-and-data-use

[4] AppsFlyer 2021 Initial data indicates ATT opt-in rates are much higher thananticipated mdash at least 41 httpswwwappsflyercomblogtrends-insightsatt-opt-in-rates-higher

[5] Authority for Consumers and Markets 2022 ACM obliges Apple to adjustunreasonable conditions for its App Store httpswwwacmnlenpublicationsacm-obliges-apple-adjust-unreasonable-conditions-its-app-store

[6] Reuben Binns Ulrik Lyngs Max Van Kleek Jun Zhao Timothy Libert and NigelShadbolt 2018 Third Party Tracking in the Mobile Ecosystem In Proceedings ofthe 10th ACM Conference on Web Science - WebSci rsquo18 (Amsterdam Netherlands)ACM Press New York NY USA 23ndash31 httpsdoiorg10114532010643201089

[7] Reuben Binns Jun Zhao Max Van Kleek and Nigel Shadbolt 2018 MeasuringThird-party Tracker Power across Web and Mobile ACM Transactions on InternetTechnology 18 4 (2018) 1ndash22 httpsdoiorg1011453176246

[8] Lee A Bygrave 2017 Data Protection by Design and by Default Decipheringthe EUrsquos Legislative Requirements Oslo Law Review 1 (2017) 105ndash120 httpsdoiorg1018261issn2387-3299-2017-02-03

[9] Kai Chen Xueqiang Wang Yi Chen Peng Wang Yeonjoon Lee XiaoFeng WangBin Ma Aohui Wang Yingjun Zhang and Wei Zou 2016 Following DevilrsquosFootprints Cross-Platform Analysis of Potentially Harmful Libraries on Androidand iOS In 2016 IEEE Symposium on Security and Privacy (SP) IEEE San JoseCA 357ndash376 httpsdoiorg101109SP201629

[10] Jessica Colnago Yuanyuan Feng Tharangini Palanivel Sarah Pearman MeganUng Alessandro Acquisti Lorrie Faith Cranor and Norman Sadeh 2020 Inform-ing the Design of a Personalized Privacy Assistant for the Internet of Things InProceedings of the 2020 CHI Conference on Human Factors in Computing SystemsACM Honolulu HI USA 1ndash13 httpsdoiorg10114533138313376389

[11] Datenschutzkonferenz 2021 Orientierungshilfe Der Aufsichtsbehoumlrden FuumlrAnbieter von Telemedien

[12] Manuel Egele Christopher Kruegel Engin Kirda and Giovanni Vigna 2011 PiOSDetecting Privacy Leaks in iOS Applications In Proceedings of the Network andDistributed System Security Symposium (NDSS) 2011 The Internet Society SanDiego California 15 pages

[13] Anirudh Ekambaranathan Jun Zhao and Max Van Kleek 2021 ldquoMoney makesthe world go aroundrdquo Identifying Barriers to Better Privacy in Childrenrsquos AppsFrom Developersrsquo Perspectives In Conference on Human Factors in ComputingSystems (CHI rsquo21) (Yokohama Japan 2021) ACM Press NY USA 1ndash24 httpsdoiorg10114534117643445599

[14] William Enck Peter Gilbert Byung-Gon Chun Landon P Cox Jaeyeon JungPatrick McDaniel and Anmol N Sheth 2010 TaintDroid An Information-FlowTracking System for Realtime PrivacyMonitoring on Smartphones In Proceedingsof the 9th USENIX Conference on Operating Systems Design and Implementation(OSDIrsquo10) USENIX Association Vancouver BC 393ndash407

[15] Federal Trade Commission 2013 Mobile Privacy DisclosuresndashBuilding TrustThrough Transparency httpswwwftcgovsitesdefaultfilesdocumentsreportsmobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report130201mobileprivacyreportpdf

[16] Financial Times 2021 Alphabet and Microsoft smash estimates with $110bn rev-enue haul httpswwwftcomcontent273aeecb-57a8-40f8-a2ba-8a21a635b289

[17] Financial Times 2021 Apple reaches quiet truce over iPhone privacy changeshttpswwwftcomcontent69396795-f6e1-4624-95d8-121e4e5d7839

[18] Financial Times 2021 Applersquos privacy changes create windfall for its ownadvertising business httpswwwftcomcontent074b881f-a931-4986-888e-

2ac53e286b9d[19] Financial Times 2021 Chinarsquos tech giants test way around Applersquos new privacy

rules httpswwwftcomcontent520ccdae-202f-45f9-a516-5cbe08361c34[20] Financial Times 2021 Snap Facebook Twitter and YouTube lose nearly $10bn

after iPhone privacy changes httpswwwftcomcontent4c19e387-ee1a-41d8-8dd2-bc6c302ee58e

[21] Flurry 2021 iOS 145 Opt-in Rate - Daily Updates Since Launchhttpswwwflurrycomblogios-14-5-opt-in-rate-att-restricted-app-tracking-transparency-worldwide-us-daily-latest-update

[22] Frida [n d] Frida A world-class dynamic instrumentation framework httpsfridare

[23] Daniel Greene and Katie Shilton 2018 Platform privacies Governance collabo-ration and the different meanings of ldquoprivacyrdquo in iOS and Android developmentNew Media ampamp Society 20 4 (2018) 1640ndash1657 httpsdoiorg1011771461444817702397

[24] Catherine Han Irwin Reyes Amit Elazari Joel Reardon Alvaro Feal Kenneth ABamberger Serge Egelman and Narseo Vallina-Rodriguez 2019 Do You GetWhat You Pay For Comparing The Privacy Behaviors of Free vs Paid Apps InThe Workshop on Technology and Consumer Protection (ConPro rsquo19) Institute ofElectrical and Electronics Engineers NY USA 7 pages

[25] Catherine Han Irwin Reyes Aacutelvaro Feal Joel Reardon PrimalWijesekera NarseoVallina-Rodriguez Amit Elazari Kenneth A Bamberger and Serge Egelman 2020The Price is (Not) Right Comparing Privacy in Free and Paid Apps Proceedingson Privacy Enhancing Technologies 2020 3 (2020) 222ndash242 httpsdoiorg102478popets-2020-0050

[26] Jin Han Qiang Yan Debin Gao Jianying Zhou and Robert H Deng 2013 Com-paring Mobile Privacy Protection through Cross-Platform Applications In Pro-ceedings 2013 Network and Distributed System Security Symposium (San DiegoCA) Internet Society 16

[27] International Association of Privacy Professionals 2021 Applersquos ATT rolloutpresents uncertain path for adtech httpsiapporgnewsaapples-att-rollout-presents-uncertain-path-for-adtech

[28] Lina Jasmontaite Irene Kamara Gabriela Zanfir-Fortuna and S Leucci 2018Data Protection by Design and by Default Framing Guiding Principles into LegalObligations in the GDPR European Data Protection Law Review 4 (2018) 168ndash189httpsdoiorg1021552edpl201827

[29] Patrick Gage Kelley Joanna Bresee Lorrie Faith Cranor and Robert W Reeder2009 A Nutrition Label for Privacy In Proceedings of the 5th Symposium onUsable Privacy and Security - SOUPS rsquo09 (Mountain View California 2009) ACMPress 1 httpsdoiorg10114515725321572538

[30] Patrick Gage Kelley Lucian Cesca Joanna Bresee and Lorrie Faith Cranor 2010Standardizing Privacy Notices An Online Study of the Nutrition Label ApproachIn Proceedings of the SIGCHI Conference on Human Factors in Computing Systems(Atlanta Georgia USA) (CHI rsquo10) Association for Computing Machinery NewYork NY USA 1573ndash1582 httpsdoiorg10114517533261753561

[31] Reinhold Kesler 2022 The Impact of Applersquos App Tracking Transparency onApp Monetization Work in Progress (2022) 22 pages

[32] Konrad Kollnig 2019 Tracking in Appsrsquo Privacy Policies arXiv preprintarXiv211107860 (2019) 10 pages arXiv211107860 [cs] httparxivorgabs211107860

[33] Konrad Kollnig Reuben Binns Pierre Dewitte Max Van Kleek Ge Wang DanielOmeiza Helena Webb and Nigel Shadbolt 2021 A Fait Accompli An Empiri-cal Study into the Absence of Consent to Third-Party Tracking in Android AppsProceedings of the Seventeenth Symposium on Usable Privacy and Security (2021)

[34] Konrad Kollnig Reuben Binns Max Van Kleek Ulrik Lyngs Jun Zhao ClaudineTinsman and Nigel Shadbolt 2021 Before and after GDPR Tracking in MobileApps 10 4 (2021) 30 pages httpsdoiorg1014763202141611

[35] Konrad Kollnig Anastasia Shuba Reuben Binns Max Van Kleek and NigelShadbolt 2022 Are iPhones Really Better for Privacy A Comparative Study ofiOS and Android Apps Proceedings on Privacy Enhancing Technologies 2022 2(2022) 6ndash24 httpsdoiorg102478popets-2022-0033

[36] Douglas J Leith 2021 Mobile Handset Privacy Measuring The Data iOS andAndroid Send to Apple And Google (2021) 10

[37] Lockdown Privacy 2021 Study Effectiveness of Applersquos App Tracking Trans-parency httpsbloglockdownprivacycom20210922study-effectiveness-of-apples-app-tracking-transparencyhtml

[38] Aleecia M McDonald and Lorrie Faith Cranor 2008 The Cost of Reading PrivacyPolicies IS A Journal of Law and Policy for the Information Society (2008) 26

[39] AbrahamHMhaidli Yixin Zou and Florian Schaub 2019 ldquoWe Canrsquot LiveWithoutThemrdquo App Developersrsquo Adoption of Ad Networks and Their Considerations ofConsumer Risks Proceedings of the Fifteenth Symposium on Usable Privacy andSecurity (2019) 21

[40] Mobile Dev Memo 2021 ATT advantages Applersquos ad network Herersquos how tofix that httpsmobiledevmemocomatt-advantages-apples-ad-network-heres-how-to-fix-that

[41] Mobile Dev Memo 2021 Why isnrsquot Apple policing mobile ads finger-printing httpsmobiledevmemocomwhy-isnt-apple-policing-mobile-ads-

fingerprinting[42] Trung Tin Nguyen Michael Backes Ninja Marnau and Ben Stock 2021 Share

First Ask Later (or Never) Studying Violations of GDPRrsquos Explicit Consent inAndroid Apps In 30th USENIX Security Symposium (USENIX Security 21) USENIXAssociation 3667ndash3684 httpswwwusenixorgconferenceusenixsecurity21presentationnguyen

[43] Trung Tin Nguyen Michael Backes Ninja Marnau and Ben Stock 2021 ShareFirst Ask Later (or Never) Studying Violations of GDPRrsquos Explicit Consent inAndroid Apps In 30th USENIX Security Symposium (USENIX Security 21) USENIXAssociation 3667ndash3684 httpswwwusenixorgconferenceusenixsecurity21presentationnguyen

[44] Helen Nissenbaum 2004 Privacy as Contextual Integrity Washington LawReview 79 (2004) 39

[45] Ehimare Okoyomon Nikita Samarin Primal Wijesekera Amit Elazari NarseoVallina-Rodriguez Irwin Reyes Alvaro Feal and Serge Egelman 2019 On TheRidiculousness of Notice and Consent Contradictions in App Privacy PoliciesTheWorkshop on Technology and Consumer Protection (ConPro rsquo19) (2019) 7 pages

[46] Jingjing Ren Ashwin Rao Martina Lindorfer Arnaud Legout and David Choffnes2016 ReCon Revealing and Controlling PII Leaks in Mobile Network TrafficIn Proceedings of the 14th Annual International Conference on Mobile SystemsApplications and Services - MobiSys rsquo16 ACM Press Singapore Singapore 361ndash374 httpsdoiorg10114529063882906392

[47] Reuters Reteuers SKorea targets Apple over new app store regula-tion httpswwwreuterscomtechnologyskorea-targets-apple-over-new-app-store-regulation-2021-10-15

[48] Irwin Reyes Primal Wijesekera Joel Reardon Amit Elazari Bar On AbbasRazaghpanah Narseo Vallina-Rodriguez and Serge Egelman 2018 ldquoWonrsquotSomebody Think of the Childrenrdquo Examining COPPA Compliance at ScaleProceedings on Privacy Enhancing Technologies 2018 3 (2018) 63ndash83 httpsdoiorg101515popets-2018-0021

[49] Irina Shklovski Scott D Mainwaring Halla Hrund Skuacuteladoacutettir and HoumlskuldurBorgthorsson 2014 Leakiness and Creepiness in App Space Perceptions ofPrivacy and Mobile App Use In Proceedings of the 32nd Annual ACM Conferenceon Human Factors in Computing Systems - CHI rsquo14 (Toronto Ontario Canada)ACM Press 2347ndash2356 httpsdoiorg10114525562882557421

[50] Anastasia Shuba and Athina Markopoulou 2020 NoMoATS Towards AutomaticDetection of Mobile Tracking Proceedings on Privacy Enhancing Technologies2020 2 (2020) 45ndash66 httpsdoiorg102478popets-2020-0017

[51] Anastasia Shuba Athina Markopoulou and Zubair Shafiq 2018 NoMoAdsEffective and Efficient Cross-App Mobile Ad-Blocking In Proceedings on PrivacyEnhancing Technologies 2018 125ndash140 httpsdoiorg101515popets-2018-0035

[52] Yihang Song and Urs Hengartner 2015 PrivacyGuard A VPN-based Platform toDetect Information Leakage on Android Devices In Proceedings of the 5th AnnualACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices(SPSM rsquo15) 15ndash26 httpsdoiorg10114528081172808120

[53] The Verge 2013 Apple to finally stop accepting apps that use outdated UDID de-vice identifier on May 1st httpswwwthevergecom20133214133288apple-to-finally-stop-accepting-apps-that-use-outdated-udid-device-identifier-may-1st

[54] Joris van Hoboken and R O Fathaigh 2021 Smartphone platforms as privacyregulators Computer Law amp Security Review 41 (2021) 105557 httpsdoiorg101016jclsr2021105557

[55] Max Van Kleek Reuben Binns Jun Zhao Adam Slack Sauyon Lee Dean Ottewelland Nigel Shadbolt 2018 X-Ray Refine Supporting the Exploration and Refine-ment of Information Exposure Resulting from Smartphone Apps In Proceedings ofthe 2018 CHI Conference on Human Factors in Computing Systems - CHI rsquo18 (Mon-treal QC Canada) ACM Press 1ndash13 httpsdoiorg10114531735743173967

[56] Max Van Kleek Ilaria Liccardi Reuben Binns Jun Zhao Daniel J Weitzner andNigel Shadbolt 2017 Better the Devil You Know Exposing the Data SharingPractices of Smartphone Apps In Proceedings of the 2017 CHI Conference onHuman Factors in Computing Systems - CHI rsquo17 ACM Press 5208ndash5220 httpsdoiorg10114530254533025556

[57] Nicolas Viennot Edward Garcia and Jason Nieh 2014 A Measurement Studyof Google Play In The 2014 ACM International Conference on Measurement andModeling of Computer Systems (SIGMETRICS rsquo14) 221ndash233 httpsdoiorg10114525919712592003

[58] W3C Working Group 2019 Tracking Compliance and Scope httpswwww3orgTRtracking-compliancetracking

[59] Haoyu Wang Zhe Liu Jingyue Liang Narseo Vallina-Rodriguez Yao Guo LiLi Juan Tapiador Jingcun Cao and Guoai Xu 2018 Beyond Google Play ALarge-Scale Comparative Study of Chinese Android App Markets In Proceedingsof the Internet Measurement Conference 2018 (IMC rsquo18) 293ndash307 httpsdoiorg10114532785323278558

[60] Washington Post 2021 I checked Applersquos new privacy lsquonutrition labelsrsquo Manywere false httpswwwwashingtonpostcomtechnology20210129apple-privacy-nutrition-label

[61] Washington Post 2021 When you lsquoAsk app not to trackrsquo some iPhone apps keepsnooping anyway httpswwwwashingtonpostcomtechnology20210923

iphone-tracking[62] Sebastian Zimmeck Peter Story Daniel Smullen Abhilasha Ravichander Ziqi

Wang Joel Reidenberg N Cameron Russell and Norman Sadeh 2019 MAPSScaling Privacy Compliance Analysis to a Million Apps Proceedings on PrivacyEnhancing Technologies 2019 3 (2019) 66ndash86 httpsdoiorg102478popets-2019-0037

[63] R Oacute Fathaigh and J van Hoboken 2019 European Regulation of SmartphoneEcosystems European Data Protection Law Review 5 4 (2019) 476ndash491 httpsdoiorg1021552edpl201946

APPENDIX

Figure 7 Applersquos definition of tracking Excerpt from Ap-plersquos exempt data practices including credit scoring fromrequiring user opt-in under ATT (emphasis added) [3] Wediscuss the limitations of Applersquos definition of tracking inSection 5

sdk_version 120 bundle_id [ Redacted]hw_model N69uAPkid [ Redacted]total_storage 30745123781 country GBzdata [ Redacted]app_version [ Redacted]app_name [ Redacted]sdk_type IOSstorage 14078912372 zdata_ver 110 source_id umengidfv 7EBDAFC8 -97BB -4FDB -B4D3 -E2F4EA040B8Ctimezone 1os_version 148 model iPhone8 4hostname MyPhoneappkey [ Redacted]idfa 00000000 -0000 -0000 -0000 -

000000000000

(a) Request Sending a range of device information to Umeng athttpsaaidumengcomapipostZdata

aaid BAEC362C -49FC -494B-B0A7 -175 D990B059D

(b) Response Umeng returns an identifier that is shared bymultipleapps and can be used for cross-app tracking

Figure 8 Fingerprinting in apps even after the ATT Thisis likely in violation of Applersquos new policies and the expec-tations of many end-users (personal data redacted) We pro-vide more results on the circumvention of the ATT in Sec-tion 432

ltplist version=10gtltdictgt

ltkeygtdsidltkeygtltstring gt[Apple ID]ltstring gtltkeygtguidltkeygtltstring gt[UDID]ltstring gtltkeygtserialNumber ltkeygtltstring gt[serial number]ltstring gt

ltdictgtltplistgt

(a) Request of Apple App Store to httpsbuyitunesapplecomWebObjectsMZFinancewoawarenewVppReceiptguid=[UDID]

attributionMetadataExistsOnDevice false toroId [ Redacted]purchaseTimestamp 2021 -11 -01 T15 1505ZadamId 477718890 attributionDownloadType 0developmentApp false anonymousDemandId [ Redacted]bundleId rukinopoiskattributionKey [ Redacted ]

(b) Request (shortended) of Applersquos advertising framework to httpscaiadsdkapplecomadserverattributionv2

Figure 9 Sharing of unique user identifiers with Apple (per-sonal data redacted) We explain more about the tracking ofusers by Apple in Section 432

Abstract

1 Introduction

2 Background

21 Related work

22 Regulation of App Platforms

3 Methodology

31 App Selection and Download

32 Code Analysis

33 Network Analysis

4 Results

41 Tracking Libraries

42 Data Access and Permissions

43 Data Sharing

44 Disclosure of Tracking in Privacy Nutrition Labels

5 Discussion

51 Limitations

6 Conclusions amp Future Work

Acknowledgments

References