What unique fingerprinting information can an iOS 10 app collect?

Question

As a follow-on to these questions:

What unique fingerprinting information can an iOS7 app collect?

What unique device fingerprinting information can an iOS8 app collect?

What unique device fingerprinting information can an iOS9 app collect?

iOS 10 improvements:

• Identifier for Advertising is now all zeroes if "Limit Ad Tracking" is enabled, presumably making it unnecessary to "Reset Advertising Identifier".

• While Apple discourages device fingerprinting and data over-collection in general, and mentioned at WWDC that some APIs and properties that could be used for fingerprinting were deprecated, there were no specifics given in the talk.

Open Issues:

• As always there is basic system info available similar to what any web page can access: IP address, HTTP headers, etc. Many of these are low entropy or can be changed by the user through various means, but it may be possible to combine enough for a reasonable identification. Or for reasonable enough correlation for cross-device tracking.

• There is still no official confirmation that "integrated" apps (like Facebook or Twitter) are subject to the same limitations as other iOS apps, or whether they have privileged APIs.

• There are apps in the app store that show system information like uptime, battery level, disk size and usage, memory size and usage, network usage, LAN IP address, etc. These have become more restricted over the past two major versions, but is there any review or other mechanism to keep access to these system elements out of typical app or app 3rd-party code?

• Can someone confirm whether WiFi AP (B)SSID is still accessible?

• HSTS fingerprinting

• Accelerometer and gyroscope data

• Use of persistent data stores by apps, or by apps across an app group, that survive app (or app group) deletion. Or persistent data stores that survive device erase and restore.

• Other open issues?

In general, what remaining device fingerprinting privacy / security vulnerabilities still exist as of iOS 10, particularly those that have no user controls or actions that can thwart them?

Answer 1

As always there is basic system info available similar to what any web page can access: IP address, HTTP headers, etc. Many of these are low entropy or can be changed by the user through various means, but it may be possible to combine enough for a reasonable identification. Or for reasonable enough correlation for cross-device tracking.

You have answered your own question.

You can be fingerprinted merely through access via a web browser. Given an install on an ios device has in-practice all the capability of a web browser, and more on-top. Look at canvas detection etc. https://browserleaks.com/ is a good example of some basic methods.

Advanced techniques just gather a crapload of data and feed it into AI, the big players, like in most aspects now, don't bother looking into factors too much in-depth, they just hire some maths wizards & let them train AI to do the rest.

If I can run Javascript & HTML, as in a browser, it is possible to fingerprint you to near 100% accuracy - your only mitigation would be pointless as it would take so much effort the cost of doing so would outweigh any benefits - In most cases, those whom attempt to avoid fingerprinting only make themselves more unique/distinguishable.

In general, what remaining device fingerprinting privacy/security vulnerabilities still exist as of iOS 10, particularly those that have no user controls or actions that can thwart them?

*All those that exist in any web browser. I agree with you that the app/web design should be much more permission-oriented & opt-in. I.e, assign each app as specific permissions as I want to. However, you can never prevent fingerprinting. Fingerprinting is merely a correlation. Let me summarise the headache for you: You do everything to mitigate web tracking techniques. However, the NSA/GCHQ has intercepts all global traffic. They can identify requests chained via proxy or VPN and can correlate them to fingerprint you merely by your connection latency.

Hence: you decide to increase or randomize connection latency. With a small tweak, GCHQ/NSA/whoever else can now identify you (via global taps) by identifying unusual/unique latencies on requests and receive connections (enabled via global taps on all comms).

I realize the example I give is complex and not to do with ios. But you ask an extremely broad question, and to give you an answer: You can be tracked, no matter what measures you take. Including on IOS 10. As discussed already, given I have basic web page capabilities I am already capable, let alone the other features all IOS versions offer.

Just to keep you busy, here's another one: You block your location, cool. The app requires an internet connection to work (you want to use it as you have installed the app, so you obviously have no other choice than to permit wifi/internet connection). Gotcha, I now have your location via your wifi/network information thank's to Google's mapping data.

Have fun...

Answer 2

There are 2 methods that I know of that still work and will survive a device reset. Unfortunately they will only remain useful if Apple don't know about them and therefore you're unlikely to find them on any internet forum.

It can be done but it's not easy. If you want to do your own research in this area, focus on hardware. Some hardware is deliberately unique but difficult to reach from userland software, other hardware components have slight manufacturing differences which can be used for fingerprinting - good luck.