In response to this series of questions: What unique device fingerprinting information can an iOS9 app collect? and as an update to this question: What are the best practices for maintaining privacy on a non-jailbroken iOS device? What practices should privacy-conscious users adopt to minimize the ability for web sites in the browser AND in apps (by the app makers or by 3rd-party services used within apps) to use device fingerprinting to uniquely identify and track an iOS device across web pages or across apps?

I'll also assume that as a first step to avoid device fingerprinting, basic privacy hygiene must be observed: aggressive cookie management, using only a minimal set of trusted apps, etc.

Starter list of basic privacy hygiene practices:

  • In Safari Settings: Block Pop-ups ON, Do Not Track ON, Block Cookies = Allow from Current Website Only, Clear History and Website Data regularly. Don't reuse private browsing tabs for more than one site.

  • Don't allow apps permission to access unique personal data sets like Location, Contacts, Calendar (Settings | Privacy). If you use Location Services, disallow it for Weather - there's no "While using the app" choice, and weather.com has a pretty nasty privacy policy.

  • Don't add any accounts for app makers that have "integrated" status (e.g., Facebook, Twitter), since it's not clear if those apps enjoy privileged access to non-public APIs. Best to avoid any apps from companies that are ubiquitous trackers around the web (e.g., Google, and the others above).

  • Turn off Background App Refresh so that apps only access the internet when you are actively using them (Settings | General).

Starter list of device fingerprinting counter-surveillance practices:

  • In Settings | Privacy | Advertising, turn ON Limit Ad Tracking, and Reset Advertising Identifier OFTEN.

  • The other persistent identifier is the Vendor ID, which can be reset by (temporarily) deleting all apps from a given vendor, then reinstalling.

  • It may be necessary to completely wipe the device occasionally to clear out any persistent iOS Keychain items or iCloud Key-Value Stores, especially for apps that have been deleted.

  • New in iOS 9, apps are prevented/discouraged from determining what other apps are running/installed on your device. Prior to iOS 9, minimizing installed apps (to a small set of common apps) and frequent force-quitting apps was about the only defense against this.

  • Also new in iOS 9 will be the ability to block trackers. Rather than minimizing the fingerprinting attack surface, this addresses the ability of (3rd-party) trackers to detect that surface. It will be interesting to see how this develops.

  • Use a common browser to avoid a rare UA. Presumably for now this is still iOS 8 Safari (use in Private Browsing mode).

  • Change your IP address often, or use Tor or another IP-obfuscating tactic (e.g., an always-on VPN). Preferably use an IP address that many other users/devices are using as an exit IP address.

pseudon

0 Answers