For all of Apple’s talk about how private your iPhone is, the company vacuums up a lot of data about you. iPhones do have a privacy setting that is supposed to turn off that tracking. According to a new report by independent researchers, though, Apple collects extremely detailed information on you with its own apps even when you turn off tracking, an apparent direct contradiction of Apple’s own description of how the privacy protection works.
The iPhone Analytics setting makes an explicit promise. Turn it off, and Apple says that it will “disable the sharing of Device Analytics altogether.” However, Tommy Mysk and Talal Haj Bakry, two app developers and security researchers at the software company Mysk, took a look at the data collected by a number of Apple iPhone apps — the App Store, Apple Music, Apple TV, Books, and Stocks. They found the analytics control and other privacy settings had no obvious effect on Apple’s data collection — the tracking remained the same whether iPhone Analytics was switched on or off.
“The level of detail is shocking for a company like Apple,” Mysk told Gizmodo.
The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple. 👇 This data is sent in one request: (data usage & personalized ads are off) #CyberSecurity pic.twitter.com/1pYqdagi4e
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 3, 2022
The App Store appeared to harvest information about every single thing you did in real time, including what you tapped on, which apps you searched for, what ads you saw, how long you looked at a given app and how you found it. The app sent details about you and your device as well, including ID numbers, what kind of phone you’re using, your screen resolution, your keyboard languages, how you’re connected to the internet — notably, the kind of information commonly used for device fingerprinting.
“Opting-out or switching the personalisation options off did not reduce the amount of detailed analytics that the app was sending,” Mysk said. “I switched all the possible options off, namely personalised ads, personalised recommendations, and sharing usage data and analytics.”
Apple did not respond to multiple requests for comment. We’ll update the story with any information the company provides.
Gizmodo requested that Mysk examine a few other Apple apps for comparison. The researchers said that the Health and Wallet apps, for example, didn’t transmit any analytics data with the iPhone Analytics setting off, but Apple Music, Apple TV, Books, the iTunes Store, and Stocks all did. Most of the apps that sent analytics data shared consistent ID numbers, which would allow Apple to track your activity across its services, the researchers found.
For example, the Stocks app sent Apple your list of watched stocks, the names of stocks you viewed or searched for and time stamps for when you did it, as well as a record of any news articles you saw in the app, according to the report. The information was sent to a web address labelled analytics, https://stocks-analytics-events.apple.com/analyticseventsv2/async. That transmission was separate from the iCloud communication necessary to sync your data across devices. Unlike the other apps, however, Stocks sent different ID numbers and far less detailed device information.
The researchers checked their work on two different devices. First, they used a jailbroken iPhone running iOS 14.6, which allowed them to decrypt the traffic and examine exactly what data was being sent. Apple introduced App Tracking Transparency in iOS 14.5, cuing users to decide whether or not to give their data to individual apps with the prompt “Ask app not to track?”
The researchers also examined a regular iPhone running iOS 16, the latest operating system, which bolstered their findings. There is little reason to think that the jailbroken phone would send different data, they said, and on iOS 16 they saw the same apps sending similar packets of data to the same Apple web addresses. The data was transmitted at the same times under the same circumstances, and turning the available privacy settings on and off likewise didn’t change anything. The researchers couldn’t examine exactly what data was sent because the phone’s encryption remained intact, but the similarities suggest this may be standard behaviour on the iPhone.
Keeping tabs on your behaviour rubs some people the wrong way, regardless of the information in question. But this data can be sensitive. In the App Store, for example, the fact that you’re looking at apps related to mental health, addiction, sexual orientation, and religion can reveal things that you might not want sent to corporate servers.
You can see what the data looks like for yourself in the video Mysk posted to Twitter, documenting the information collected by the App Store.
This isn’t an every-app-is-tracking-me-so-what’s-one-more situation. These findings are out of line with standard industry practices, Mysk says. He and his research partner ran similar tests in the past looking at analytics in Google Chrome and Microsoft Edge. In both of those apps, Mysk says the data isn’t sent when analytics settings are turned off.
Privacy is one of the main issues that Apple uses to set its products apart from competitors. It emblazoned 12.19-metre billboards of the iPhone with the simple slogan “Privacy. That’s iPhone.” and ran the ads across the world for months. But the company is slowly introducing many of the internet’s privacy issues into the once sacrosanct Apple ecosystem. Apple is working hard to build an advertising empire. Apple’s ad network runs on your personal information just like the ones Google and Meta operate, albeit in a more reserved way.
Along the way, Apple developed a very convenient definition of what privacy means that lets the company criticise its rivals’ privacy practices while harvesting your data for similar purposes. Apple says you shouldn’t think of what it does as “tracking.” According to the company’s website:
Apple’s advertising platform does not track you, meaning that it does not link user or device data collected from our apps with user or device data collected from third parties for targeted advertising or advertising measurement purposes, and does not share user or device data with data brokers.
In other words, it’s not tracking unless you’re linking together data collected from services owned by different companies. If only one company — Apple — is collecting the data, then by Apple’s definition, it’s not tracking. Of course, that’s different from the definition of tracking that everyone else seems to use.
What happens on your iPhone stays on your iPhone, unless you count the mountains of information your iPhone sends to Apple.