19

As an addition to this question:

What unique fingerprinting information can an iOS7 app collect?

What remaining device fingerprinting privacy/security vulnerabilities still exist as of iOS 8? Can 3rd-party apps still access a list of other running apps? How effective is it to test custom URL schemes to determine what other apps are installed?

For example, there is some indication that the Whisper app is bypassing Apple's latest protections: http://www.zdziarski.com/blog/?p=4056

Community
  • 1
pseudon
  • 1,420
  • 9
  • 20
  • 1
    Twitter now states that they collect lists of "installed" apps https://support.twitter.com/articles/20172069-what-is-app-graph-on-twitter It isn't clear whether this means they are accessing a process list of running apps and/or testing custom URL schemes and/or have some other mechanism. It also isn't clear whether any 3rd-party app can do this, or whether Twitter can do this based on its privileges as a special app "integrated" into iOS. It's very likely Facebook, also an "integrated" app, is doing the same thing. – pseudon Dec 05 '14 at 00:50
  • "Facebook is also able to see which apps users have installed on their phones, if the apps use the Facebook SDK (as many do)." http://techcrunch.com/2014/11/26/twitter-app-graph/ Interesting that both sources say "installed" and not simply "running" apps. – pseudon Dec 05 '14 at 00:53
  • See also the iOS 9 version of this question: http://security.stackexchange.com/questions/96119/what-unique-device-fingerprinting-information-can-an-ios9-app-collect – pseudon Sep 01 '15 at 00:38
  • 2
    Here's an interesting one. There's a company that has its tech in many apps on many phones. The tech emits ultrasonic signals from TV ads or web site (ads). Apps on the phone listen for the signal, then are able to tie together the phone with the emitting device info, to achieve cross-device behavioral tracking. See the linked PDF at this URL: https://cdt.org/insight/comments-on-cross-device-tracking-to-the-ftc/ – pseudon Nov 12 '15 at 23:32
  • 1
    I think the greatest vulnerability of fingerprint security on a phone is that you routinely handle the phone! Your fingerprints are all over the device. – Devon_C_Miller Jun 13 '16 at 19:18

1 Answers1

2

The are numerous opportunities for fingerprinting/privacy leakage at all levels of abstraction. A good survey can be found on this upcoming PETS paper (full disclosure: I am one of the authors).

With regard to your specific question, I guess you are looking for something analogous to iHasApp? There are a number of ways of bypassing Apple's restrictions on, say, private APIs, (see Section 4.3.2 of 1). FWIW, on Android, this is trivially done through the PackageManager.

Ari Trachtenberg
  • 822
  • 6
  • 14