The Privacy Problems Lurking in Apple's App Store

A decade ago, privacy was declared “dead.” Now it’s risen as a global issue that governments, technologists, and consumers are fighting, often without fully understanding it. And when it comes to privacy, Apple’s App Store is one of the internet’s most important battlegrounds.

Apple’s Worldwide Developer Conference keynote on Monday had predictable moments and surprises, but the undercurrent of privacy ran through much of the event. That’s been true of every big Silicon Valley show recently: Under greater consumer and political pressure than ever, Google, Facebook, and Apple have all been spotlighting their privacy bona fides at every chance.

At the heart of Apple’s pitch is one of the company’s most important ad campaigns in years: “What happens on your iPhone, stays on your iPhone.”

But is that true?

“No,” said Bennett Cyphers, a technologist with the Electronic Frontier Foundation. “There’s quite a bit of daylight between the way they talk versus a user’s experience.”

Apple effectively has dictatorial control over the App Store—and there are plenty of reasons to criticize its infamous walled garden. But this power means the company could go further in requiring third-party apps to be more transparent about the data they collect and how that data is used and sold—data that Apple makes easier to combine and sell through its own iOS design.

When you buy an iPhone—some of the most expensive phones on the planet, it’s always worth remembering—they do, almost across the board, provide better privacy protections than Android devices. The hardware and software from Apple is typically industry-leading on privacy. The complication comes when a person does something as predictable and inevitable as using the App Store to download third-party apps, which virtually everyone does.

The App Store may be at the center of a reported possible antitrust investigation into Apple by the U.S. government. What Apple does in its App Store could come under a powerful microscope in the coming months. We don’t yet know what Justice Department regulators will focus on, although the company’s behavior in its App Store and the fees it charges third-party app makers could be front and center, as they are in Spotify’s antitrust lawsuit against Apple in Europe.

The App Store’s strict rules and requirements demand that apps meet certain quality, security, and privacy standards. But so far, Apple has refrained from using its might to push for greater transparency around data collection and use. Instead, as it moves further into its services business, it’s embraced privacy as a primary selling point while allowing the competition to maintain their standard, subpar practices—to the detriment of our privacy but to the great benefit of the advertising industry.

“The marketing team has been really focused on privacy,” said Casey Oppenheim, CEO of privacy-focused app company Disconnect. “‘What happens on iPhone stays on your iPhone?’ From our perspective, that’s not really true.”

Apple did not respond to our request for comment.

Oppenheim’s company recently showed off research in which thousands of trackers hidden in apps regularly took stashes of data from iPhones while users weren’t even interacting with the apps.

“The typical iPhone has thousands of data requests regularly that most users have no insight into, no idea what’s happening behind their back,” Oppenheim said. “That contradicts the idea that what happens on your phone stays on your phone. Not only do they collect the types of apps you have installed—including extremely personal data, maybe they see you have a pregnancy app, religious app, weight loss app, or an app that reveals sexual orientation—but the apps constantly ping not just location data but also give app developers information on weight, potential health issues, gender, and other information.”

In Monday’s big keynote, Apple offered a handful of announcements that have real and meaningful privacy impact.

The new “sign in with Apple” feature offers a tracker-less alternative to the login options that apps and websites use from data-hungry beasts like Google and Facebook. Most interestingly, the feature offers a random address generator that allows you to more closely control who knows your email address. By giving a unique address to each signup, the feature also promises more transparency about who is selling your data and where it’s going.

One of the biggest privacy problems on smartphones is the number of apps that can know your location at all times. A newly announced iOS feature allows you to give an app your location once, when needed, and then require permission again the next time an app asks for it. Because location data is one of the most valuable types of data collected by app makers—never mind that it can be among the most sensitive data about a person, depending on the individual—this is a real example of users being offered an up-front and meaningful option to strengthen their privacy.

The company also announced plans to limit, and in some cases cut off, tracking in kids’ apps. The privacy-bolstering development follows in the footsteps of Google’s similar moves following a complaint to the Federal Trade Commission which accused the company of failing to follow child privacy laws.

“Apple doesn’t lie about their own interest in collecting data on users,” Cyphers said, “but they sure allow other people to collect a lot of data on users.”

Popular apps in the App Store are often filled to the brim with trackers from third parties—it’s often not from the app developer, it’s not from Apple, it’s certainly not from the users—but with no easy way to stop the tracking or even know it’s happening. On desktop computers, there are tons of extensions and software available to see and stop tracking. And there are third-party iOS apps that provide some insight as well. But it’s still extremely difficult to see where your data is going.

“Apple should require developers to report all of the third parties included in their app and explain for what reason they’re including them so users can see the third parties in an interface before they install the app,” Cyphers said.

“As an iPhone user, what they need to do is give people a heads up,” Oppenheim said. “Steve Jobs said that privacy means people have to know what they’re signing up for. For Apple led by Tim Cook, that’s not the case with app tracking. People don’t know what they’re signing up for even if they read privacy policies—which they don’t. Apple should show up front who is doing the tracking and what data they’re taking.”

But would there be a backlash? Among the developers gathered for WWDC, there certainly could be. If there were fewer good free apps on the iPhone because it suddenly became harder to vacuum up data and make money that way, it could potentially have a real impact on Apple’s bottom line. The idea of consumers buying a $1,000 phone and finding an App Store desert is a scary prospect for Cupertino.

“Apple has huge market share and is a huge leader,” Oppenheim said. “If they did something that required apps to disclose companies they’re partnered with on disclosing user data, it would force apps to get more rigorous about how they choose, and force data collectors to be more limited in who they share with what they collect.”

At the core of this data collection is Apple’s advertising identifier, a number assigned to each Apple device that’s accessible without permission and which is used to build profiles of users and all the apps they have on their phone. The option to turn it off exists but is buried deeply enough in iOS that it’s unlikely most users even know it’s there.

“This is what makes data valuable to the third-party data collectors,” Cyphers said. “It’s what lets them tie data from one app to an identity, which can be tied to a Facebook profile or an email address or a credit history. It’s the key that unlocks the ability for third-party data collectors to tie all this data to one person.”

Apple’s big WWDC kick-off included announcements about the software powering Mac, Apple Watch, Apple TV, iPad, and iPhone. After nearly every major beat, CEO Tim Cook and his lieutenants reiterated a core focus: Privacy, privacy, privacy.

Apple is a tech industry leader on privacy—not exactly a high bar to clear but important nevertheless. And it’s significant that Apple is offering its own apps and services with privacy front and center as it competes with other app developers with fewer scruples. Today, for instance, they announced a period-tracking app called Cycles that will likely put an end to a category of apps notorious for sketchy behavior.

But Apple’s devices are still a portal through which third parties collect so much data about us. We shouldn’t let them off the hook for the role they play—and the money they make—through that system.

About the author

Patrick Howell O'Neill

Reporter in Silicon Valley. Contact me: Email poneill@gizmodo.com, Signal +1-650-488-7247