
Privacy: Is That iPhone? - vladivstok
https://foundation.mozilla.org/en/blog/what-half-of-iphone-users-dont-know-about-their-privacy-new-poll/
======
varenc
Mozilla suggests resetting the IDFA once per month...but that seems pretty
trivial to workaround? If an app you used previously starts up and sees that
your IDFA changed, it's easy for that app to know that the old IDFA and the
new IDFA refer to the same user!

This tracking is all possible because iOS gives every app on the device the
same IDFA (advertising identifier [1]). They can then correlate all your
activity and target you for ads.

I'd love if Apple just killed this feature, but barring that, why not change
iOS so that it scopes these identifiers at the per-app level. Different apps
on the same device see different IDFAs, but an app can still use an IDFA to
target you for ads. Apple already has similar per-vendor scoping with
_identifierForVendor_. [2]

[1]:
[https://developer.apple.com/documentation/adsupport/asidenti...](https://developer.apple.com/documentation/adsupport/asidentifiermanager/1614151-advertisingidentifier?language=objc)

[2]:
[https://developer.apple.com/documentation/uikit/uidevice/162...](https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor)

~~~
mobjack
You don't need an IDFA to track someone in the same app. You can generate your
own UUID to use.

The value of the IDFA comes from coordinating user behavior across apps.

Targeting ads is one use case, but it is also used in conversion tracking,
which is very valuable to advertisers. They can know if ads in one app
resulted in people buying things in another app.

Edit: fixed typo

~~~
thenewnewguy
The point is that the app can just record the old IDFA, and when the IDFA
changes whoever is doing the comparison between two apps knows that the old
and new IDFA are one and the same.
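Added example (mine, not code from the thread, Mozilla or Apple) putting the three points above into one runnable model: varenc's observation that an SDK which remembers the old IDFA can join it to the new one, mobjack's point that the SDK can mint its own UUID and only needs the IDFA for cross-app conversion tracking, and the per-app scoping varenc proposes. The tracker, app names, install IDs and IDFA values are all constructed; `scoped_idfa` is an assumed HMAC construction chosen to show the property, not how Apple derives `identifierForVendor`. The all-zero string is the value AdSupport returns when Limit Ad Tracking is on.

```python
import hashlib
import hmac
import uuid
from collections import defaultdict

# Value AdSupport hands every app when Limit Ad Tracking is on.
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"
OLD_IDFA = "11111111-1111-1111-1111-111111111111"   # constructed sample values
NEW_IDFA = "22222222-2222-2222-2222-222222222222"


class Tracker:
    """Server side of a hypothetical ad SDK embedded in several apps.

    On every launch the SDK reports (app_id, install_id, idfa).  install_id is a
    UUID the SDK minted itself and keeps in the app's own storage (mobjack's
    point); it survives an IDFA reset, so it joins the old and new values.
    Identifiers are merged with union-find; one root is one "device".
    """

    def __init__(self):
        self._parent = {}
        self._events = defaultdict(list)   # root -> [(app_id, event_name)]

    def _find(self, key):
        self._parent.setdefault(key, key)
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]   # path halving
            key = self._parent[key]
        return key

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[rb] = ra
            self._events[ra].extend(self._events.pop(rb, []))   # merge histories

    def launch(self, app_id, install_id, idfa):
        me = ("install", app_id, install_id)
        self._find(me)
        # Never join on the all-zero value: every opted-out device reports it,
        # so a naive tracker would fold all of them into one profile.
        if idfa != ZERO_IDFA:
            self._union(me, ("idfa", idfa))

    def record(self, app_id, install_id, name):
        self._events[self._find(("install", app_id, install_id))].append((app_id, name))

    def profile(self, app_id, install_id):
        """Everything the tracker can tie to this install, across all apps."""
        return list(self._events[self._find(("install", app_id, install_id))])

    def conversions(self):
        """(ad app, purchase app) pairs where the purchase happened in a different
        app than the ad: the cross-app attribution mobjack describes."""
        pairs = []
        for evs in self._events.values():
            ad_apps = [a for a, n in evs if n == "ad_impression"]
            pairs += [(ad, a) for a, n in evs if n == "purchase"
                      for ad in ad_apps if ad != a]
        return pairs


def demo_monthly_reset():
    """Ad seen in 'news', purchase in 'shop', then the user resets the IDFA."""
    t = Tracker()
    t.launch("news", "inst-n", OLD_IDFA); t.record("news", "inst-n", "ad_impression")
    t.launch("shop", "inst-s", OLD_IDFA); t.record("shop", "inst-s", "purchase")
    t.launch("news", "inst-n", NEW_IDFA)   # first launches after the reset
    t.launch("shop", "inst-s", NEW_IDFA)
    # Both installs, OLD_IDFA and NEW_IDFA now share one root: the reset bought nothing.
    return t.profile("news", "inst-n"), t.conversions()


def demo_limit_ad_tracking():
    """Same flow with Limit Ad Tracking on: in-app tracking still works (the SDK
    has its own UUID), but nothing joins the two apps."""
    t = Tracker()
    t.launch("news", "inst-n", ZERO_IDFA); t.record("news", "inst-n", "ad_impression")
    t.launch("shop", "inst-s", ZERO_IDFA); t.record("shop", "inst-s", "purchase")
    return t.profile("shop", "inst-s"), t.conversions()


def scoped_idfa(device_secret: bytes, app_id: str) -> str:
    """varenc's per-app scoping, as an assumed construction: a per-device secret
    held by the OS, keyed per app with HMAC.  Apple documents no derivation for
    identifierForVendor; this only shows the property, not Apple's method."""
    digest = hmac.new(device_secret, app_id.encode(), hashlib.sha256).digest()[:16]
    return str(uuid.UUID(bytes=digest, version=4))


def demo_per_app_scoping():
    """Each app gets a stable but different identifier, so the join disappears."""
    secret = b"per-device secret, constructed"
    t = Tracker()
    t.launch("news", "inst-n", scoped_idfa(secret, "news")); t.record("news", "inst-n", "ad_impression")
    t.launch("shop", "inst-s", scoped_idfa(secret, "shop")); t.record("shop", "inst-s", "purchase")
    return t.profile("shop", "inst-s"), t.conversions()
```

`demo_monthly_reset()` returns the full cross-app history under the install that only ever reported the new IDFA, plus a ("news", "shop") conversion; the two other demos return only the shop's own purchase and no conversion, which is the difference between "this app can still profile me" and "these apps can profile me together".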

~~~
tgsovlerkhgsel
A likely-good-enough fix would be for Apple to first make extremely clear that
this is not allowed, then catch one ad framework/library provider violating
the rule and ban every single app/publisher using it to ensure the rule is
actually taken seriously.

~~~
scarface74
How do you “catch” them? The ID is sent from the app and not in plaintext.

~~~
afiori
I imagine with the usual review process

~~~
scarface74
The review process can’t tell the contents of the data being sent back.

------
varenc
To disable: _Settings_ > _Privacy_ > _Advertising_ > _Limit Ad Tracking_

You can also disable Location-Based Ads: _Settings_ > _Privacy_ > _Location
Services_ > _System Services_ (at the bottom) > _Location-Based Apple Ads_

Apple's ad tracking help doc: [https://support.apple.com/en-us/HT205223](https://support.apple.com/en-us/HT205223) (Apparently they derive
your gender based on your first name or the salutation on your iTunes account)

~~~
pault
I just looked at the location tracking preferences and the default setting for
Google maps is "always", as in "whenever your phone is on". O_o

~~~
yoz-y
The phone will periodically ask you if you want to keep this setting.

~~~
DagAgren
As of iOS 13, specifically.

------
oil25
Anyone disillusioned by the thought that Apple values privacy would be well
served by reading iOS, The Future Of macOS, Freedom, Security And Privacy In
An Increasingly Hostile Global Environment -
[https://gist.github.com/iosecure/357e724811fe04167332ef54e73...](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d)

There is so much more to privacy than is made apparent to the user as a few OS
knobs to "limit" ad tracking.

~~~
mariojv
Saved this writeup for future reference, thanks. Agreed that privacy needs
more analysis than trusting a few rather opaque OS knobs.

I am a little skeptical about some of the claims in that gist, though. One
example is when they claim that APNS pushes require app access to a globally
unique iOS activation identifier. That seems false. According to Apple’s dev
docs at least, those tokens are device-and-app specific and have to be re-
requested at app start time since they can be regenerated for a variety of
reasons:
[https://developer.apple.com/library/archive/documentation/Ne...](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html)

Seems to have nothing to do with an activation UUID from a quick glance.

I appreciate a lot of the reference material in there, but this seeming
mistake of conflating 2 different UUIDs makes me a little skeptical of some of
the conclusions.

Edit for correction: I think I misread this part of the gist. They never
directly say that the activation UUID is given directly to the app developer,
just that Apple can track your social networking app pseudonym over APNS, "and
possibly the social networking service" will be able to, as well.

This to me implied that the social networking service had the activation UUID,
but the author never directly said that. If the notification has your
pseudonym in it and Apple's storing that when a notification goes to APNS, it
does seem like Apple would be able to tie that to your device if they're
peeking inside the notification payload. The solution to this would be for the
app developer to not include sensitive info in notifications or for the user
to disable push notifications, but an E2E encrypted trustless notification
solution provided by Apple would be much nicer.

~~~
saagarjha
> On iOS, there is no full-disk or full-volume encryption, only varying levels
> of file-based encryption, partially dependent on third-party developer
> choices, such that what is, and isn’t, encrypted (with encryption tied to
> the user passphrase) is not always clear to the end-user.

I'm not sure about this, either; all recent iOS devices have a DMA AES engine
that performs encryption on anything that travels between storage and memory.

~~~
jolux
Yeah, that’s completely and obviously fucking wrong and makes me question this
person’s skills to be honest.

------
godelski
> Phone users can currently disable the IDFA, but have to do so manually;
> Android users aren’t even given this option

This is actually false. You can change your Ad ID on Android. I just looked (and
checked). If you go to Settings > Privacy > Ads you can see this IDFA. At the
top (it looks like a header and not an option, so I will not fully fault
Mozilla because this is a dark pattern) it says "Reset advertising ID". If you
press it you can see the grey "Your advertising ID" (at the bottom) change.

Additionally, there's the option "Opt out of Ads Personalization". It has the
text "Instruct apps not to use your advertising ID to build profiles or show
you personalized ads." I would love if someone here could clarify this for me.
Is this a suggestion to apps or is this a strict and enforceable thing? As in
"Hey app, you should ignore this ID that I'm handing to you" vs "Hey app, you
don't get to have this ID. Sorry." Does anyone know which it is? The language
suggests to me that it is the former.

Edit: This was done on a phone running Android 10

~~~
milankragujevic
I interpreted Mozilla's claim as meaning that Android users cannot _disable_
the advertising identifier, but can reset it. The sentence talks about periodic
resetting. I might be wrong in the intention of the author(s), but that is my
interpretation.

~~~
godelski
I definitely read it differently. But I can see your interpretation. Though it
gets to my question about what the opt out means. Does this mean that apps
don't see it? Or does it just ask that apps don't use it. Because those are
two very different things. I was hoping someone on HN would know.

------
gorgoiler
Finding the settings mentioned in the article is the sole dark pattern I can
think of in iOS — when you find them it’s like finding a secret level in Super
Mario Land.

They are under _Settings...Privacy...Advertising_

[https://imgur.com/a/EOvUzCS](https://imgur.com/a/EOvUzCS)

The _Advertising_ and _Analytics_ options are only visible below the fold, if
one scrolls down the privacy page. The fold itself is disguised as the bottom
of the page to put you off scrolling.

Unlike everything else, they do not have icons and only come after a paragraph
of text almost perfectly large enough to fill out the vertical height where
the tracking options would be.

~~~
saagarjha
Did you… _print_ out a screenshot of your phone?!

~~~
gorgoiler
I applied filters and took a screenshot of the screenshot to reduce image
fidelity in case it contained any [covertly embedded]* identifying information
[in the form of watermarks or hidden pixels].

* added for clarity.

~~~
fpgaminer
In case people aren't aware, such a thing _is_ possible. Companies have used
steganography techniques in the past to secretly embed identifiers into movies
and other visual content. It's been used to track down the movie leakers, for
example.

Another example; most printers covertly embed an identifier in their prints.

I have a vague memory of a pre-release video game doing it? Or maybe it was
just debugging information that they were embedding. _shrug_

Personally I don't believe Apple is doing what you describe (though maybe they
might do it to a prototype iPhone). But it's certainly your right to hold that
belief and take measurements to protect yourself. Shame you're getting
downvoted for explaining yourself.

EDIT: Fixed a typo; thank you.
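Added example (mine, not from the thread): a minimal version of the technique fpgaminer describes, a 32-bit identifier hidden in the least-significant bits of an image, and what gorgoiler's filter-then-rescreenshot does to it. The image, the identifier and the model of fidelity reduction (quantising each channel to 6 bits) are constructed. The `plane=4` variant is there for the caveat: a mark written to a higher bit is more visible but survives the same processing, and real forensic watermarks of the movie-leak kind are built to survive far worse.

```python
import random

WIDTH, HEIGHT = 64, 8          # constructed image; pixels are (r, g, b) tuples
DEVICE_ID = 0xC0FFEE42         # constructed 32-bit identifier standing in for a serial


def make_image(seed=1):
    """Deterministic pseudo-random 'screenshot' so the example runs offline."""
    rng = random.Random(seed)
    return [[(rng.randrange(256), rng.randrange(256), rng.randrange(256))
             for _ in range(WIDTH)] for _ in range(HEIGHT)]


def _pixel_index(img, i):
    w = len(img[0])
    return i // w, i % w


def embed(img, ident, plane=0, bits=32):
    """Write `ident` MSB-first, one bit per pixel, into bit `plane` of the blue
    channel.  plane=0 is classic LSB stego (invisible, fragile); a higher plane
    is more visible but survives more processing."""
    out = [row[:] for row in img]
    mask = 1 << plane
    for i in range(bits):
        bit = (ident >> (bits - 1 - i)) & 1
        y, x = _pixel_index(img, i)
        r, g, b = out[y][x]
        out[y][x] = (r, g, (b & ~mask) | (bit << plane))
    return out


def extract(img, plane=0, bits=32):
    """Recover the identifier written by embed() with the same plane."""
    value = 0
    for i in range(bits):
        y, x = _pixel_index(img, i)
        value = (value << 1) | ((img[y][x][2] >> plane) & 1)
    return value


def reduce_fidelity(img, keep_bits=6):
    """Model of gorgoiler's defence (filter, then screenshot the screenshot):
    quantise every channel, throwing away the low 8 - keep_bits bits."""
    drop = 8 - keep_bits
    return [[tuple((c >> drop) << drop for c in px) for px in row] for row in img]


def max_change(a, b):
    """Largest per-channel difference between two images (how visible the mark is)."""
    return max(abs(x - y) for ra, rb in zip(a, b)
               for pa, pb in zip(ra, rb) for x, y in zip(pa, pb))


def demo():
    img = make_image()
    lsb = embed(img, DEVICE_ID, plane=0)
    loud = embed(img, DEVICE_ID, plane=4)
    return {
        "lsb_recovered": extract(lsb) == DEVICE_ID,
        "lsb_visibility": max_change(img, lsb),                    # at most 1
        "lsb_after_defence": extract(reduce_fidelity(lsb)),        # 0: wiped out
        "plane4_visibility": max_change(img, loud),                # up to 16
        "plane4_after_defence": extract(reduce_fidelity(loud), plane=4),  # intact
    }
```

The LSB mark changes no channel by more than 1 and is unrecoverable after quantisation; the bit-4 mark changes channels by up to 16 (noticeable on flat colour, which is why watermarks are usually spread over many pixels with small amplitude instead) and comes back intact.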

~~~
TurkishPoptart
Sorry to nit-pick, but isn't the concept of hiding messages in images
steganography, rather than stenography? _studying for Security+_

~~~
saagarjha
Yes.

------
greggman2
There a bunch more things Apple could do to improve privacy they haven't done
(yet?)

They could require for example that unless you're specifically making a
browser (Firefox, Chrome, Brave) that your in app webview have a whitelist of
domains it's allowed to contact. That would force apps to launch Safari (or
better the user's choice of browser) for external links. As it is nearly every
app that supports external links launches an internal webview in which they
can track 100% of the activity (urls, net requests, login credentials, etc...)

They could require apps that are not specifically a camera app or audio
creation app not get access to the camera or mic and have to ask the OS to take
pictures/video and select pictures via the OS photos app. That way fewer apps
would be able to record things in secret or upload any/all your photos without
permission.

They could disallow scanning wifi SSIDs except for network tools. Scanning
SSIDs is used to figure out a user's location with GPS off. In iOS 13
they did add bluetooth permissions so apps can be denied scanning bluetooth to
do the same but AFAIK they have not done the same for SSIDs. Not sure what
that would require but would love it if they'd work on it

They could disallow using the network at a low-level except for network tools.
As it is, AFAIK, any app can use the network however it likes including
scanning home networks for devices with vulnerabilities. I'm sure there are
implications for things like Chromecast and other IoT like devices but I'm
sure there could be more privacy oriented solutions.

~~~
kccqzy
> As it is nearly every app that supports external links launches an internal
> webview in which they can track 100% of the activity (urls, net requests,
> login credentials, etc.

My understanding is that UIWebView (or WKWebView) allows the host app to do
basically anything with the web view but since iOS 9 there's also
SFSafariViewController that doesn't quite allow apps as much access. Many apps
whose main purpose is not web browsing (like Twitter) use the latter.

> They could require apps that are not specifically a camera app or audio
> creation app not get access to the camera or mic and have to ask the OS take
> pictures/video and select pictures via the OS photos app.

This API (UIImagePickerController) also already exists since the very
beginning but it is the app makers that think using a custom UI for photo
taking or photo picking is more suitable. I personally refuse to grant apps
access to my photo library except a small number of apps. (For apps like
Messenger that could totally make do using the system-provided photo picker
but does not, I initiate the sharing from Photos instead.)

------
bilbo0s
OK, so, probably an ignorant question, but here I go anyway:

What, exactly, does "turning off IDFA" do? Does it send just a dummy IDFA? Or
does it give you nothing at all? Why is rotating it periodically better? (I'm
assuming rotation is better because that is what Mozilla is apparently
recommending.)

~~~
saagarjha
It sends a zeroed out identifier:
[https://developer.apple.com/documentation/adsupport/asidenti...](https://developer.apple.com/documentation/adsupport/asidentifiermanager/1614151-advertisingidentifier)

------
dep_b
Oh yes the fun thing about iOS is that the browser is super private so Google
& Co have a problem but the apps themselves are also rife with trackers and
there is almost no limit to what they do and barely any way to block it. I
mean they only banned screenshots being taken of actual users' screens, which
basically means anything that's less bad than that still goes.

As a consumer I would love a good scandal that would force them to tighten up
on in-app trackers as well. But it might hurt my employers.

------
retpirato
The problem is that Apple has always claimed ios provides more privacy (&
security) than android, but that's irrelevant if you don't make sure your
users are capable of finding the settings. Apple has always marketed to people
who are (at least perceived to be) largely tech illiterate (while claiming you
have to be extremely tech savvy to use android which is a lie), so if they
view their users that way they should make sure those settings are easy to
find.

~~~
ogre_codes
Android phones pump tons of location info and usage info direct to one of the
biggest advertising companies in the world. On top of that, a fair number of
Android phones ship with third party spyware and outright malware which cannot
be uninstalled.

The iPhone is a lot better for privacy by default. It's just not as good as it
_should_ be, and I do agree it's not as good as their claims suggest.

~~~
lonelappde
Question is, does it matter if my barn comes with a door that only closes half
way, and your barn comes with a door that closes most of the way?

~~~
jonas21
It depends how on how wide your horses are.

In other words, it depends on whether the difference in information leakage is
information you actually care about.

------
zabhi
A Linux phone is what we need. FirefoxOS was a great initiative from Mozilla,
but now it is in the hands of a company I do not trust.

~~~
fghtr
Yes, Librem 5 is our hope. Also, Pinephone.

~~~
spurgu
Yeah, but why can't _anyone_ make sane size mobiles nowadays? There's
literally nothing less than 5 inches on the market.

I would love something like the SEX here:
[https://i.imgur.com/OKZiWrN.png](https://i.imgur.com/OKZiWrN.png)

Source:
[https://news.ycombinator.com/item?id=20936147](https://news.ycombinator.com/item?id=20936147)

~~~
fghtr
At least in the case of the Librem 5 there was no choice: the hardware working with
free software is rare, which restricts the choice of SoC and the modules.

------
DavideNL
Somewhat related: when I re-install Youtube or Google Home I am automatically
logged in to both apps.

Even if I delete the apps and wait weeks/months and then reinstall, I'm logged
in again when i first open them.

I have enabled "Settings > Privacy > Advertising > Limit Ad Tracking" and also
cleared all Safari history.

How is this possible?

~~~
inapis
I believe they store some data in your iCloud account. Uber used to do this
too. The only way to get rid of it is to sign out and then again explicitly
ask to delete account data on this device, then uninstall and reinstall to use
the service without signing in.

~~~
v3v3
What Google does is store account data that is shared with all Google apps
under "Google LLC".

Go to "Settings > General > iPhone Storage" and you will find "Google LLC"
where it explains the data stored is shared with all Google apps.

Microsoft does the same thing to enable you to quickly sign-in to their
different apps under the name "Microsoft Corporation".

------
dredmorbius
For Google's pitch (to advertisers) for IDFA / AAID (the Android equivalent),
see:

[https://support.google.com/authorizedbuyers/answer/3221407?h...](https://support.google.com/authorizedbuyers/answer/3221407?hl=en)

------
jonplackett
Why does Apple have this as the default?

Now they've mostly ditched their own advertising platforms, what do they have
to gain from having these default settings?

~~~
taurath
Maybe to prevent really nasty dark patterns from emerging? It would break a
/lot/ of companies, I’d think

------
neilsimp1
I saw a video on Youtube yesterday that dug into this ad campaign a bit:
[https://www.youtube.com/watch?v=82N5SiOvStI&t=791s](https://www.youtube.com/watch?v=82N5SiOvStI&t=791s).
I like the guy - he's a bit long-winded at times but I don't think he was
incorrect about any of his points.

------
rchaud
How much of this, if any, applies when using the Facebook or IG mobile
websites or PWAs? IG's PWA seems to be the same as the mobile website, except
that it launches in fullscreen, with no browser address bar. When using those
on Chrome, I have not received one of those dialog popups saying
"m.facebook.com wants to know your location".

------
exabrial
It would be really nice if we could modify our OSes (remove the stupid IDFA
completely, or send garbage) This is coming to laptops and other computers
soon though, sadly.

~~~
kalleboo
iOS already has an option to just give out zeroes as the IDFA. Mozilla wants
to change the default behavior for all the users who don't realize they can
already do this.

------
jedieaston
Interesting. My iPhone’s Limit Ad Tracking policy is already enabled with no
option to disable it. Can this setting be controlled by Apps/MDM?

------
jrochkind1
> Phone users can currently disable the IDFA, but have to do so manually;
> Android users aren’t even given this option

Huh. I have never heard of this.

~~~
criddell
Too many incentives are wrong for Google. They are fundamentally an
advertising company that has built their fortune monitoring users. They aren't
going to build an operating system that actively works against their best
interests.

------
MindTooth
One thing I always check when using a new install.

~~~
Nerada
I'm in the same boat. I went to check after reading this and I had already
disabled both settings.

------
saagarjha
Can we have a title that mentions “IDFA” in the title, please? (Also, I’d
prefer something that wasn’t as clickbaity…)

~~~
dredmorbius
Email title change requests to hn@ycombinator.com.

The mods are quite responsive to these.

------
Ntrails
Does this apply to webpages? As someone who installs barely any apps to what
extent is this impactful?

------
r00fus
Is it possible to control this from an admin perspective if you have a managed
device?

~~~
varenc
Yes! A configuration profile can set _forceLimitAdTracking_

[https://developer.apple.com/business/documentation/Configura...](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page=72)

On that topic...if you're really security conscious you can set
_allowHostPairing_ to _False_. This requires a supervised device, but then
your phone will only pair a computer that has the supervising certificate, and
if none exists, then all pairing is disabled. This might help defend against
GrayKey like attacks.
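A Restrictions profile carrying both keys varenc mentions, as an added example (mine, not Apple's documentation or anything posted in the thread). The key names `forceLimitAdTracking` and `allowHostPairing` and the payload type `com.apple.applicationaccess` are the documented ones; every identifier, name and organisation string is a placeholder. It is also the MDM-side answer to jedieaston's question above: a device under a profile that sets `forceLimitAdTracking` shows the toggle on and not changeable. The bytes returned are a `.mobileconfig`; deploying it still takes the normal route (MDM, or a profile the user accepts), and `allowHostPairing` only has effect on a supervised device.

```python
import plistlib
import uuid

RESTRICTIONS = "com.apple.applicationaccess"   # PayloadType of the Restrictions payload


def restrictions_profile(limit_ad_tracking=True, allow_host_pairing=False):
    """Build a .mobileconfig (XML plist) carrying one Restrictions payload.
    Identifiers, names and organisation are placeholders."""
    payload = {
        "PayloadType": RESTRICTIONS,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions",     # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Privacy restrictions",
        "forceLimitAdTracking": limit_ad_tracking,   # locks Limit Ad Tracking on
        "allowHostPairing": allow_host_pairing,      # honoured on supervised devices only
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.privacy-baseline",   # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Privacy baseline",
        "PayloadOrganization": "Example Org",                  # placeholder
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit(profile_bytes):
    """Findings for a profile that falls short of the baseline; [] means compliant.
    Missing keys count as weak, because a missing key leaves the device default."""
    prof = plistlib.loads(profile_bytes)
    payloads = [p for p in prof.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS]
    if not payloads:
        return ["no Restrictions payload: neither setting is enforced"]
    findings = []
    for p in payloads:
        if not p.get("forceLimitAdTracking", False):
            findings.append("forceLimitAdTracking missing or false: user can turn ad tracking back on")
        if p.get("allowHostPairing", True):
            findings.append("allowHostPairing missing or true: any host may pair over USB")
    return findings
```

`audit()` is the check to run against whatever profile your MDM actually pushes: it reads the plist back rather than trusting the template, so it also catches a profile that omits a key instead of setting it to the weak value.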

------
hardwaresofton
If only someone had created a viable alternative to both Google and Apple's
phones. Maybe they could base it on the browser? Web technologies are getting
pretty good these days. One of the popular browsers that are an alternative to
safari and google chrome... Like some sort of browser-OS.

~~~
scarface74
Every platform that has tried that for the last decade has failed - Palm,
Firefox, RIM, and Microsoft have all had development platforms “based on web
technologies”.

~~~
hardwaresofton
This was a bit tongue-in-cheek -- I was referencing FirefoxOS, and insinuating
that mozilla should have stuck to their guns (and maybe changed their batshit
market strategy of racing other android vendors to the bottom-most market
segment) and kept FirefoxOS in their portfolio.

If a phone OS isn't a strategic bet, I don't know what is. All the people
spending money on the librem would have happily bought FFOS phones, if they
made proper high spec ones (I still have one of the highest spec FFOS phones
ever made and it wasn't that impressive).

------
epoll
Is IDFA carried in the http request header? Can government track this too?

~~~
st3fan
No the IDFA is for native apps only and does not exist on the web. It is not
exposed to websites.

~~~
neoberg
Native apps use http, too. Surprise. From a middleman's perspective a native
app and a website aren't too different.

------
macrolime
Even if you opt out, they often opt you back in after iOS updates, so you
need to check the setting regularly.

~~~
macrolime
Why the downvote? I had enabled limit ad tracking and at least when I updated
to iOS 13, limit ad tracking was suddenly turned off.

------
cloudyo
And on the topic of privacy and iPhone: what you can do to protect yourself
from attacks: [https://blog.duple.io/how-i-can-hack-your-phone/](https://blog.duple.io/how-i-can-hack-your-phone/)

~~~
syntheticcorp
That article has some inaccuracies, particularly around brute forcing iPhones
in DFU mode which is nowhere near as practical as they make it sound on newer
models with Secure Enclaves.

------
lonelappde
Apple is all about heavy handed locking down the experience for the user's
benefit as judged by Apple. Why do they even allow apps that exfiltrate data
and serve ads? Just require all ads go through Apple's system, and ban apps
that do anything remotely shady.

~~~
dredmorbius
While that's one possible solution, the problem of creating one-stop shopping
for any potential adversary (state actor, non-state actor, stalker, insider
threat, etc.) might give pause to reconsider.

