Ahead of Consumer Electronics Show (CES) in Las Vegas earlier this January, Apple strategically placed a privacy-focused billboard bearing the catchphrase: βWhat happens on your iPhone, stays on your iPhone.β
Itβs a clever spin on the Vegas slogan, and a not-so-subtle dig at its data-hungry competitors. But it is also quite misleading.
As the Washington Post recently discovered, a lot of third-party iOS apps are abusing Background App Refresh to regularly send sensitive personal information to tracking companies. The feature allows apps to refresh their content by running periodically in the background.
What are the app trackers for?
Itβs no surprise that third-party apps use trackers to gather all sorts of analytics. But the frequency with which the apps send data back to tracking companies is quite alarming, as is the kind of data shared.
The π of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
Using Disconnectβs Privacy Pro app, the Washington Post found that apps were sending details like phone number, email, exact location, IP address, and more.
On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.
The list of offending apps include: Microsoft OneDrive, Mint, Nike, Doordash, Spotify, Yelp, The Weather Channel, Citizen, and The Washington Postβs own iOS app.
Citizen was found to be sharing personally identifiable information that was in violation of its published privacy policy (it removed the tracker after the Washington Post contacted them), and Yelp was sending a message containing IP addresses every five minutes, a behavior the company later acknowledged was a bug.
In all, the Washington Post encountered over 5,400 trackers during a week-long testing.
Privacy concerns with app trackers
App trackers arenβt inherently bad. Some are used to diagnose app behavior to improve performance, while others analyze usage patterns to serve targeted ads.
DoorDashβs app, for example, was found using nine different trackers to gather details from your phone β device name, model, ad identifier, memory size, accelerometer data, delivery address, name, email, and cellular phone carrier β to help identify fraud.
It is also using trackers from Facebook and Google for ads, meaning the two companies know everytime you open the app.
To be fair, this behavior is not just about DoorDash alone. Using tracking information to tailor ads is the norm everywhere, but unfortunately not many people are aware that this is happening.
It also raises significant privacy concerns about how long these companies might store such information, and the third-parties they might be sharing this with.
Thereβs more work to be done
As we continue to spend more time on apps, it is becoming evident that app permissions and privacy policies alone arenβt enough. There needs to be tracking protection controls built into Android and iOS to ensure data collection and sharing practices are more transparent.
For now, itβs impossible to determine what trackers are used and for what purpose without downloading a third-party app like Disconnectβs Privacy Pro (iOS) or Exodus Privacy (Android). Another option is to turn off background app refresh on your iOS device by heading to: Settings > General > Background App Refresh > Off.
At a time when data breaches and privacy violations are so frequent, Apple has built a marketing strategy centred around privacy. Itβs not entirely wrong. But itβs also factually incorrect.
What Apple is really implying with the ad campaign is that the company treats your personal data with more respect than its rivals. It will not eavesdrop on your conversations. Appleβs Safari browser wonβt track you as you browse the web. And Apple wonβt use your identifiable information to serve ads.
However, iPhones leak all sorts of data, often without your knowledge. βWhat happens on your iPhone, stays on your iPhoneβ is likely to be the case only if you choose to live in an Apple-centric universe, surrounded by its ecosystem of apps and services.
And as we have just learnt, itβs simply an improbable scenario.
Get the TNW newsletter
Get the most important tech news in your inbox each week.