
iPhone apps share data with trackers, ad companies and research firms - akeck
https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/
======
_bxg1
Wow. I'd diligently turned off background location for virtually everything,
but I had no idea so many apps did background refresh by default. Your IP
address is nearly as good as your GPS coordinates. (Edit: Maybe one's IP
address on a cellular connection doesn't matter as much as I thought. I just
did a check and it didn't even get my city correct.)

Possibly the most surprising thing is that, unlike all other permissions, iOS
didn't ask me directly before enabling background refresh. That's disturbing.

Also, while I sympathized with Apple outsourcing Maps' business info to Yelp,
they really should hold their partners to a much higher standard given all of
their privacy rhetoric.

~~~
florakel
For every app that I install I check if the app activated background app
refresh. Most of the time it does not make any sense why an app would even
need that, other than tracking me. Also disabling it for most apps is one of
the best things you can do to extend your battery life.

In Apple's defense it is a hard thing to ask the user whether or not they want
to permit "background app refresh". Many users might not understand at all
what this means. It is not as easy to understand as "allow app to send you
notifications" or "allow app to use your location".

Maybe Apple could force apps to request for each specific use case why they
wants to be active in the background. Is it to enable basic functionality of
the app or is it to track you? Would be great if the user could choose in
which case to allow access and in which case not. Right now it is a blank
check you give to each app and it is hard to tell whether the app abuses its
permissions or not.

~~~
_bxg1
Yep. Still less of a blank check than Android though; it doesn't even
distinguish background location from foreground location, last I checked.

~~~
vbezhenar
Android is weird! I have to ask for that location permission if I want to
connect to Bluetooth printer!

~~~
jon-wood
It kind of makes sense, in that it’s possible to use data on what radios you
can see (particularly WiFi SSIDs) to work out a user’s location. Still causes
no end of hassle from customers complaining about you requesting location
permissions to connect to a WiFi device though.

~~~
svendbt
I suspect they do this to be able to configure Bluetooth within regional
regulations. In US / China you can transmit with up to 20dBm output power at
2.4 GHz, while in much of the world 10 dBm is max.

~~~
blep-arsh
The location permission is not needed to use Bluetooth on Android, but apps
must request it to be able to scan for nearby access points and beacons (both
for wifi and for BT), since this information can be used to infer the device's
location. Fun fact: turning off location services without revoking the
location permission still allows apps to scan for wifi access points and infer
your location with impressive precision. The list of apps that have the
scanning permission is hidden somwhere deep in system settings.

------
gok
> there was some startling behavior by a household name: Yelp. It was
> receiving a message that included my IP address -- once every five minutes.

A message that included your IP address? As in...any message sent over IP?

~~~
mixmastamyk
In the header or in the payload? The second is not typical and a clue
something fishy might be going on.

~~~
threeseed
The second is incredibly common almost the default.

Most libraries will just collect as much info as they are able to, put it in
JSON and ship it to some server. That includes your IP address.

~~~
tinus_hn
It doesn’t really matter if it’s common. It’s not acceptable to do that.

~~~
threeseed
It's no different to your IP address coming in the request headers.

~~~
StrangeDoctor
Unless you’re behind a nat, home uses a 192. office uses 10. Favorite coffee
shop uses 172. You're letting internal details leak and give another factor of
correlation

------
mirimir
OK from [https://www.apple.com/privacy/](https://www.apple.com/privacy/)

> At Apple, we believe privacy is a fundamental human right.

> And so much of your personal information — information you have a right to
> keep private — lives on your Apple devices.

> Your heart rate after a run. Which news stories you read first. Where you
> bought your last coffee. What websites you visit. Who you call, email, or
> message.

> Every Apple product is designed from the ground up to protect that
> information. And to empower you to choose what you share and with whom.

> We’ve proved time and again that great experiences don’t have to come at the
> expense of your privacy and security. Instead, they can support them.

... and ...

> Your personal data belongs to you, not others.

> Whether you’re taking a photo, asking Siri a question, or getting
> directions, you can do it knowing that Apple doesn’t gather your personal
> information to sell to advertisers or other organizations.

So what? I guess that they didn't promise that _apps_ would be doing all that
bad stuff.

Which is disgusting.

~~~
ve55
What can one expect Apple to do, disallow apps that do extensive tracking,
causing their users to not be able to use any social media whatsoever?

They don't have any feasible option in that space. It is nice that they do
something rather than nothing.

~~~
mirimir
I expect them to stop lying about protecting users' privacy.

~~~
ben_w
You’re literally the first person I’ve seen complain that Apple allows apps to
do too much. Everyone else that I’ve seen complain, wants to be free to
install any app without Apple’s permission, and claim end users can be trusted
to be responsible for the security and privacy implications.

~~~
mirimir
I do like freedom to do what I like with my devices. But Apple 1) clearly
_does_ vet apps, and allows only approved apps to be installed, and 2) makes
broad claims about privacy.

If Apple wants to make broad claims about privacy, it should kick all
offending apps from its store. But it should also allow users to install
whatever apps they like. That puts responsibility on users.

------
elagost
Even for companies who are supposedly privacy-forward, their defaults say
otherwise. A brand-new iPhone has all these privacy settings that are off by
default, and that are usually confusingly labeled and buried several settings
screens deep. Nobody really turns them on outside of a very small bubble.

Once companies have your trust, they can't help but break it if it'll earn
them another few bucks. Yelp's a household name and doesn't seem like a bad
actor, but that's proven false by this article. Furthermore, while they claim
to have your best interests in mind, Apple (and Google) let companies perform
this kind of shady behavior on their platforms that they completely control.
If they let others get away with this, can you really trust that the "don't
upload my photos to your servers" switch really does what it says it does? How
do you know your phone isn't recording audio and taking photos to send off to
a datacenter in the middle of the night?

(To be fair, a lot of this data that's being sent out probably has something
to do with background services designed to make the experience better. Weather
Channel might be gathering location in the background for more up-to-the-
minute forecasts. For things like cloud storage services, scraping your camera
roll and uploading the photos is probably something you ask them to do.)

~~~
lotsofpulp
>Yelp's a household name and doesn't seem like a bad actor

Everyone should assume their "free" app is being paid for via the use of the
data they can glean from it. It's not like people don't know Yelp is a
business and has to profit to continue to exist.

~~~
panpanna
Even paid apps are sometimes into this.

Because why settle for $0.99 when you can earn $0.99 + 0.02?

Once a company reaches a certain size all decisions are made by bean counters
and for them $1.01 > $0.99 every day of the week.

~~~
wlesieutre
RadioShack was really ahead of their time, what with trying to collect your
phone number and address every time you come in to buy a pack of AA batteries.

Now with smartphones it's all automatic and much harder to say "no" to.

~~~
jstarfish
Were they really that demanding? IIRC, the last time I was in one, all they
wanted was a ZIP code, which was weird enough at the time.

~~~
heywire
I worked at RadioShack in the late 90's. We had to ask for name, address, and
phone number. It was just part of the transaction flow on the point of sale.
If we got resistance, we could just put it under a "CASH CASH" customer. I
vaguely remember telling customers "it's so they can send you our catalog".
RadioShack sent out nice heavy catalogs each year, which many people liked.
Sometimes if we were busy or just lazy, we'd just do that anyway. While my
understanding was that it was primarily for marketing purposes, it was also
useful in that we could pull up receipts by phone number (in case you lost
yours), verify warranty/extended warranty status, etc.

~~~
wlesieutre
And then when Radio Shack went bankrupt, it wanted to sell that information.

[https://money.cnn.com/2015/06/10/news/companies/radioshack-c...](https://money.cnn.com/2015/06/10/news/companies/radioshack-
customer-data-sale/index.html)

 _> The bankrupt chain originally proposed selling the information to raise
money and repay creditors. But that sparked a backlash from suppliers
including AT&T (T) and Apple (AAPL), as well as the Federal Trade Commission
and consumer advocates who argued that the electronics retailer had promised
customers it would protect their data. _

_> Most of the assets, including some limited customer information, were
purchased by General Wireless, a subsidiary of RadioShack's largest
shareholder, which intends to keep 1,750 of the stores open with the
RadioShack name and operate its online business. General Wireless agreed not
to sell the customer data it is buying to a third party, and to comply with
RadioShack's previous privacy promises. _

_> RadioShack filed for bankruptcy in February, and the court could have
allowed the sale of the data despite the promises that RadioShack had
previously made to customers. _

(a few paragraphs omitted for brevity)

~~~
Marsymars
Yeah, I pretty aggressively avoid giving companies any information, and if
required, I now give fake information when possible.

[https://www.zdnet.com/article/canadian-retailers-servers-
sto...](https://www.zdnet.com/article/canadian-retailers-servers-
storing-15-years-of-user-data-sold-on-craigslist/)

> A security researcher has found customer and employee data belonging to one
> of Canada's biggest PC hardware retailers on servers put up for sale on
> Craigslist. The data, believed to go back as far as 15 years, belongs to
> NCIX, a PC retailer that filed for bankruptcy and closed shop in December
> 2017.

------
pandemicsyn
Kind of amusing reading this article on page that ublock origin reported as
loading 38 trackers. Wonder what trackers the washingtonpost ios app itself
uses.

~~~
andrei_says_
This comes up regularly in privacy discussions linking to articles in
mainstream online publications.

The editors and the writers of the articles are completely divorced from the
decisions driving the technology and profitability of the publisher.

It may be possible for writers to only publish articles in outlets which
respect privacy at the expense of popularity but we're probably not hearing
about those.

~~~
nothrabannosir
Fair, but as long as nothing changes, let us not stop pointing out the irony
merely because things remain crooked. The buck has to stop somewhere, and at
the end of the day wapo is profiting from tracking on an article bemoaning
tracking. They're free to do so, and being hypocrites doesn't make them wrong,
but being not wrong also doesn't make them infallible.

And if someone finally founds a privacy respecting publisher, what better
place for them to advertise than a comment lamenting a competitor's failing?
Let's keep that door open :)

~~~
dhimes
To your point, as I said in a thread yesterday, I get these trackers and I'm
_logged in to WaPo._ I pay them $100/year and they _still_ track me.

How can we make them stop? It's going to take our legislature, because this
free market thing isn't going to do it.

------
jammygit
I used to run disconnect pro on my s8, which I believe is the app mentioned in
this article. I recall that it tried to send a message to google play services
every 2 minutes 24/7, no matter what.

It creeped me out, so I’ve switched to an iPhone recently.

Aside: I hope the librem does well it’s first release

------
ksec
I don't have a problem with Tracking when I am using the App. That is fair (
to a certain extent )

What really annoys me is Background App Refresh, how much data is being sent
that is causing Battery Drain and Data Cost on Mobile?

May be we should have Background Apps that only allow them to receive data? Or
do we have to turn off Background App Refresh completely.

~~~
olliej
I have a problem.

Why should facebook or google know everything about every _different_ app I
use?

If I have a bunch of apps all of which use facebook analytics then facebook
knows the collection of apps I am using, and presumably my account
information. That would also allow them to link those apps to my browsing if I
ever use the web page version of those apps.

An app - especially one I've paid for - has no justification for then
providing my device and account information to an arbitrary third party,
especially when many of them are well known as abusers of consumer privacy.

------
lalos
Anybody know of an easy way to block all Facebook SDK usage from iOS? The
simplest that comes to mind would be through a custom DNS server, but even if
you don't log in using FB SDK on apps they still ping back in someway or
another to generate your shadow profile.

~~~
DavideNL
I hate that Apple's walled garden forbids us to use a proper firewall on
iOS...

Anyways, a not so easy alternative is to install a Vpn Server like Algo and
block all Facebook ips with ipset on the Vpn server.

You can obtain all Facebook ips from their ASN number:

    
    
      whois -h whois.radb.net '!gAS32934' | tr ' ' '\n' | awk '!/[[:alpha:]]/' > facebookips.txt
    
    

[https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-
th...](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/)

~~~
WAHa_06x36
You may hate that you can't do that, but do you really hate that scam
companies can't install their own spying firewalls?

Because they would. A lot.

------
scoutt
Is there any link to the actual research data, used methodology, etc., to
support these claims?

Not that I don't believe the claims (I'm biased to think that it may be
possible), but just want to know if I can run the study myself, or be ran by
someone more capable than me on security matters; sharing results.

Or should I think this article was crafted for us to download just another app
(Privacy Pro SmartVPN)?

------
amatecha
Yeah, this is why I actually read the privacy policy on every app I install
now. I've done this for the past 6mo or so. At this point I basically don't
purchase apps that store any of my information on their servers (unless of
course it's fundamentally required for the service, such as Spotify or the
like).

~~~
prophesi
I'm a bit confused. Shouldn't there be equal concern for apps that _share_
data with third-parties? The first-party app doesn't need to store any of the
information in that case; they just hand it off in-transit.

And have you had any luck with installing apps with such criteria? I'm on a
similar boat, and primarily use F-Droid apps.

~~~
amatecha
Oh, yeah of course sharing data with 3rd parties is even more "nope" than just
storing it themselves.

The last app I looked at to consider purchasing, "Clear Todos", which was
highly-reputed at some point? Their Privacy Policy link in App Store actually
hits a 404 error page. To say the least, I almost never purchase anything from
App Store these days. It's a pretty dire landscape, but I'm tired of "being
the product", and I am willing to give up a lot of stuff to lessen how often
my information is used/stored/profited from.

------
dsgarnier
For the past month of so I’ve been trying to determine what’s been enabling my
iPhones Bluetooth or WiFi function - something is intentionally doing this.
For example, if I turn off WiFi or Bluetooth at bedtime I find it enabled in
the morning! If I go somewhere the WiFi or Bluetooth may enable. WTF? (No I’m
not having a senior moment here...) “What in my iOS environment has recent
changed?” I deliberately don’t upgrade my iOS apps because of new or unusual
improvements I discover. Or better yet what recent Apps have been asking for
Bluetooth access? MyRadar and Walkmeter have requested access to Bluetooth
“for location accuracy.” Really now? My walking location is going to improve
their weather or my walking location? Or maybe I need to uninstall Washington
Post or New York Times Apps to find the pattern here.

------
spupy
So what's the news here? That apps are sending information to tracking
services? How is this iPhone specific?

~~~
baxtr
Well, to be fair, Apple is pushing privacy as differentiator quite hard. So,
it is ok if they get scrutinized more for things that don’t run well on their
platform. I just checked: ALL my iPhone apps have background sync on. For
what?

------
ppeetteerr
I don't know if there is much of a solution aside from blocking the domains
not owned by an app publisher or not approved by apple (an ad tracker list,
for instance).

The best way to avoid being tracked is to use apps that you pay for, not apps
that are free and make money with your data. You can also bookmark websites to
your home screen instead of downloading apps, that way you don't grant apps
the extra privileges. Finally, you can disable background app refresh.

~~~
RandallBrown
Apple actually does this already. You need to submit a list of domains your
app is allowed to talk to and explain why they're needed.

I guess the next step is for Apple to stop allowing analytics URLs to work
without an opt in prompt.

~~~
wool_gather
> You need to submit a list of domains your app is allowed to talk to

No, that's _only_ if you're not using TLS for those domains. Which almost all
are at this point.

------
cfarm
For the desktop web Duckduckgo has a plugin that shows you all the trackers
that are on a webpage and lets you block them. They also have a mobile web app
that you can use as your default web search on mobile.
[https://duckduckgo.com/app](https://duckduckgo.com/app)

------
amelius
This makes me wonder, what is the difference between apps and websites,
really?

~~~
saagarjha
Apps are harder to tweak to where they don’t track you.

------
telaelit
As an iOS developer, it’s insane to me that this isn’t common knowledge.

------
Vizarddesky
App companies claim that the "data it collects for clients is kept private and
not sold" If you believe that, I can get you a great price for the scrap iron
from the Eiffel Tower.

------
GaurVimen
And don’t forget, we pay Apple and Google for the privilege of being tracked
and having our “data” shared. Smile: the surveillance is nearly complete!

------
ezequiel-garzon
What is a legitimate use of background app refresh? I just turned it off
expecting not to receive notifications, but that’s not the case.

~~~
sosborn
The Major League Baseball app is a good example. It has a widget that can show
scores. It can only do this if background refresh is on though so that it can
keep the scores current when the app is not being actively used.

For most apps and use cases, background refresh isn’t necessary because when
you want see data in an app, you open the app and it can refresh it then.

Personally, I have background refresh off for everything. It helps save
battery too.

~~~
ezequiel-garzon
Thank you. I’m surprised it’s not off by default. It’s off now!

------
HeraldEmbar
Privacy is not gone. We could set up laws and enforce them. We already do this
for medical data (HIPAA). There's no reason we can't do this for other
categories of personal data, such as what you buy and where you go. Europe
does this with its GDPR. It can be done, but we need a government that doesn't
prioritize interests of corporation-people over those of human people.

~~~
cerberusss
But isn't GDPR already here? And these apps are still tracking us with
unbridled enthusiasm.

------
mirimir
Could someone please post an archive link?

------
layoutIfNeeded
Please Apple do something about this, so I can stop sabotaging my career as an
iOS developer by regularly arguing against tracking to my superiors.

------
heywire
I'll reproduce my comment [0] here from a similar article earlier this year
[1].

Note: I ended up setting up that pi-hole, and I see it blocking a ton of DNS
lookups for these types of companies across my family's devices.

> I think many people would be surprised by the amount of analytics data
> leaving their phone _all the time_. I recently was doing some work where I
> had my iPhone proxied through mitmproxy on my laptop, and was blown away by
> just how much data was being sent. Some apps were sending a request to one
> or more analytics firms every single time I touched a UI control. I would
> set up a pi-hole and VPN to block this stuff, but I'm sure the app
> developers will just start tunneling the requests through their own hosts.
> Maybe some day one of these open source phones will actually be viable.

[0]
[https://news.ycombinator.com/item?id=19109243](https://news.ycombinator.com/item?id=19109243)

[1]
[https://news.ycombinator.com/item?id=19109027](https://news.ycombinator.com/item?id=19109027)

~~~
StreamBright
Same here, I also started to work on a project to consolidate pi-hole into a
single binary using Rust. I want to run it on my laptop and on my routers at
home as well.

~~~
SOLAR_FIELDS
Can you go into a little bit more detail about the reasoning behind this? I’m
running a Pi-hole on raspberry pi as the single DNS server behind my whole
home’s router. This means it blocks everything outbound in my house. Only
thing it doesn’t block is when I’m on LTE/random WiFi access points, for which
I’m considering routing all of my mobile devices via VPN through another
instance of Pi-hole running on a digital ocean droplet. Beyond that what do
running multiple instances of pi-hole do? Do you have multiple routers at
home?

~~~
StreamBright
I travel a lot. I want to run something on my laptop so I do not need to VPN
yet I have no ads.

~~~
SOLAR_FIELDS
That makes perfect sense. I'd like something similar especially if I'm
overseas and don't want my requests going all the way to the USA and back and
don't want to deal with the overhead of spinning up instances of my pi-hole in
different countries. Do you have a link to the project?

~~~
StreamBright
It is private at the moment because not ready yet for prime time. You can
reach out to me via email and I will add you to the repo. Use the email in my
profile page please.

------
afniljl
This is gonna be a black egg on Tim Cook's face given how often they keep
touting privacy of the iOS system.

------
beenBoutIT
'What happens on your iPhone stays on your iPhone'; everything except SMS,
MMS, email, phone calls, video calls and web browsing. Makes more sense for a
place like Las Vegas.

~~~
olliej
uhhhh

You mean everything that involves sending data to other people involves ...
sending things to other people?

Or do you propose the SMS, MMS, email, phone calls, video calls, and web
browsing should not actually be available?

~~~
beenBoutIT
Exactly, the primary purpose of the iPhone is to send things to other people.

~~~
zaphod4prez
... people with to whom I choose to send things. I do not choose (or rather, I
wish I could choose not to) send a ton of detailed information about my phone.
my location, etc. to a bunch of unknown companies and people. I feel like I
must be misunderstanding your point?

~~~
olliej
I think I'm misunderstanding your point.

If you send a message to someone, or open a website, then necessarily you
interact with a directory service (a telephone company, the message client's
directory, DNS, etc).

For iMessage, apple's servers then route the message to the appropriate
account, and their various documentation on this says they don't record
anything more than necessary (I assume each account has a glorified mailbox in
which the _encrypted_ messages are stored - there is no part of iMessage that
can be decrypted by someone other than the recipient, _except_ the destination
- in an ideal world the sender would be stripped once its in the mailbox).

If you load a webpage over https then no party in the middle knows what
resources you pulled - alas they know the host because DNS queries aren't
encrypted, and even if they were the IP addresses aren't, so with enough data
it might be possible to infer destination for pages in hosting sites.

None of these include your location information - beyond IP based inferences.

The only people who have your location without explicitly asking is the
carrier, and only because they can see you bouncing around towers

------
Despegar
This is a good piece in the sense that it will get Apple to do something I've
wanted for a long time, which is to ban all the third party frameworks that
developers are shipping in their apps.

They should either provide their own first party frameworks or select a
handful of vetted partners that are allowed to provide those services to
developers.

~~~
la_barba
A couple of points. How realistic is that though? How would they even know
where the code came from in a compiled binary? Also, a platform vendor
controlling what code I can or can't use sounds like a totalitarian regime to
me.

IMHO a better idea would be to create privacy jails for apps and then users
can decide if they want to stick certain apps inside jails where they don't
get access to your IP, GPS data, accelerometer, camera, contacts, etc. Jails
would be better than the annoying popups for permissions as they currently do
it.

~~~
Despegar
>IMHO a better idea would be to create privacy jails for apps and then users
can decide if they want to stick certain apps inside jails where they don't
get access to your IP, GPS data, accelerometer, camera, contacts, etc. Jails
would be better than the annoying popups for permissions as they currently do
it.

Nah that's a Do-Not-Track-esque cop out to preserve the ad and analytics
industries. It's also extremely un-Apple.

"Totalitarian" doesn't mean anything in this context because we're talking
about computers and not governments.

Privacy should be by default and not shift the burden to users or cost them in
terms of user experience. Apple has the power to do that.

~~~
la_barba
Well, totalitarian in this context means shackling developers with micro-
management of basic functions of software development. Apple has a large
enough megaphone that I don't feel the need to care about whats best for them.
They can do that themselves just fine. I'm only interested in it as a
developer and as a user. As a developer I don't want an OS vendor telling me
what code I write or which library I use. As a user, I want to be able to run
an app inside a privacy jail that completely blocks access to my IP or GPS
data - if I want to.

>Privacy should be by default and not shift the burden to users or cost them
in terms of user experience. Apple has the power to do that.

You can have every single app run in a privacy jail by-default. Let the user
opt-out on a per-app basis if they choose to. Apple could also simply just run
a ad-blocker or a tracking scripts blocker as a system level feature. I admit
that these kinds of measures are very 'controlling' if not totalitarian of
their users. Should Microsoft allow users to install Chrome if the browser
acts basically like a giant keylogger? Should we let users make the choice? Or
let a benevolent dictator dictate what apps a user should be protected from.
Reasonable people can come out of both sides of the privacy debate.

~~~
Despegar
>Well, totalitarian in this context means shackling developers with micro-
management of basic functions of software development.

This might be an interesting philosophical/religious debate about computers to
some, but it's also one we had in 2008 when the App Store launched. It's clear
after 11 years that Apple was right and the rest of the world simply does not
share that religion. Conversely they sure do like the practical benefits from
Apple's micromanagement.

>You can have every single app run in a privacy jail by-default. Let the user
opt-out on a per-app basis if they choose to. Apple could also simply just run
a ad-blocker or a tracking scripts blocker as a system level feature.

Apps already run in a sandbox and are private by default. The user has to give
consent before an app gets location or contacts data. An ad blocker for apps
is silly because it's an unnecessary hack when they control the App Store
policies.

The difference with giving permission to an app you downloaded is that you
have a first party relationship with that app. You don't have a first party
relationship with any of the SDKs that developers package into their app. They
disclose it in their privacy policies that no one reads, but that's certainly
not informed consent.

~~~
la_barba
Well, all I can say is thanks for explaining your position, but I don't agree
with your points.

