10

I'm interested in unique information that is beyond typical user knowledge or control.

As of iOS 7, users can easily protect against local physical tracking by controlling radios (cell, WiFi, Bluetooth) in Control Center. There are also now explicit privacy controls for Location Services, Contacts, Calendars, Reminders, Photos, Bluetooth Sharing, Microphone, and Motion Activity that require user consent for each app to access.

I'm particularly interested in the information an app (and its controlling server) can collect behind the scenes. IP address is an obvious one. Vendor ID and Advertiser ID are also out there, but there are ways to change those. Can apps access the device name or any other unique device identifiers (e.g., device phone number, MAC addresses)? Can non-updated apps still access deprecated identifiers such as UDID?

Without cookies, how are app makers and their integrated 3rd-party trackers fingerprinting users and devices? Especially concerning are technologies that allow others to track your activity across apps from different makers.

pseudon
  • Interesting that "iOS now requests user consent for apps to use audio input on all iOS 7 devices. For devices sold in China, iOS will also request user consent for apps to use the camera hardware." https://developer.apple.com/library/ios/releasenotes/General/RN-iOSSDK-7.0/#//apple_ref/doc/uid/TP40013202-CH1-SW4 Though not a fingerprinting issue, secret use of either camera by an app would be a serious privacy/security vulnerability. – pseudon Jan 15 '14 at 15:52
  • Another fingerprinting vector is for an app to determine some subset of the other apps on your device: http://danielamitay.com/blog/2011/2/16/how-to-detect-installed-ios-apps using custom URL scheme testing and checking background processes. Are there other (non-jailbroken) methods? – pseudon Jan 27 '14 at 02:44
  • Here's another possible vector, it's a little out there, but who knows? Using variations in individual accelerometers to fingerprint via browser (or, presumably, via app): http://blog.sfgate.com/techchron/2013/10/10/stanford-researchers-discover-alarming-method-for-phone-tracking-fingerprinting-through-sensor-flaws/ – pseudon Mar 27 '14 at 02:36

1 Answer

2

This is not a comprehensive answer, but as of iOS 7 the MAC address cannot be accessed anymore since the corresponding system calls return the same static value for all devices (see: https://developer.apple.com/news/?id=8222013a)

jzilske
  • Thanks. Also found that iOS 7 now returns a modified form of the identifierForVendor to old apps requesting UDID or using gethostuuid(): https://developer.apple.com/library/ios/releasenotes/General/RN-iOSSDK-7.0/#//apple_ref/doc/uid/TP40013202-CH1-SW4 – pseudon Jan 15 '14 at 15:51