Email or username:

Password:

Forgot your password?
MyskπŸ‡¨πŸ‡¦πŸ‡©πŸ‡ͺ

This screenshot shows the app analytics data sent by two different #iOS apps: Duolingo and Tinder. What's the likelihood that both apps are installed on the same device? πŸ’―? 🀯

Both apps use Unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps.

#privacy #tracking #Apple #infosec

This screenshot shows the app analytics data sent by two different #iOS apps: Duolingo and Tinder. The data collected is very detailed and almost identical. This can accurately indicate that both apps are installed on the same device.
28 comments
MyskπŸ‡¨πŸ‡¦πŸ‡©πŸ‡ͺ

@lucas Yes. The server seems to be fixed. but it has several numbered replicas.

Lukas MΓΌller

@mysk Why do apps get such precise values at all instead of simply rounding them to the whole number or oke decimal place?

MyskπŸ‡¨πŸ‡¦πŸ‡©πŸ‡ͺ

@lukasmueller Good question, but do you think it will make a difference if the system returns 0.35 instead of 0.3499999940395355?
Other properties combined would still work well at identifying the device.

Lukas MΓΌller

@mysk Despite millions of users, tracking would most likely still be possible even with rounded values. Do apps send this data even if app tracking is deactivated via the system prompt?

MyskπŸ‡¨πŸ‡¦πŸ‡©πŸ‡ͺ

@lukasmueller Yes, it is sent despite opting out. App tracking is also denied. You can see that in the screenshot:

"unifiedconfig.pii.advertisingTrackingId":00000000000000000

The value is zeros because I denied the apps access to tracking.

Lukas MΓΌller

@mysk I completely overlooked that. Thank you!
I'm always confirmed that it's right to filter tracking domains at DNS level to at least block known 3rd party trackers and advertisers.

MyskπŸ‡¨πŸ‡¦πŸ‡©πŸ‡ͺ

@lukasmueller No worries πŸ™
Advanced users can always find a way. Average users won't do any blocking and they are the vast majority of users. I think if average users also used DNS blocking, trackers would change tactics and start alternating their domain names.

Lukas MΓΌller

@mysk Even as an experienced user, one is unfortunately very limited in options, as there is always a compromise between data protection and usability. Especially on mobile devices and when using apps, the possibilities are limited. In addition, the major players don't need third-party tracking, and built-in tracking can easily be served by the content domains

Mark Hansen

@mysk @lukasmueller this looks like just floating point error. Look at all the 9s in a row; floating point can’t exactly represent 0.35 so you get this close number. Looks like the system already rounding to 1/100

richh

@lukasmueller @mysk Very good question. I wouldn’t be surprised if the backend of the Ad server is truncating them anyway - matching on 5 significant figures would be easier than what you’ve got there. I’m surprised they’re identical actually, unless the OS API isn’t entirely real time. What are the odds of two apps requesting that data one after the other and it actually being the same to that level of precision?

Stu

@mysk Interesting. Curious, I checked the DDG app tracking protection and it is indeed blocking Unity (and Google) telemetry from Duolingo.

Stu

@tod @mysk it is, yes. Alas, only on Android I think, but it creates an on-device VPN which prevents trackers in apps phoning home.

14mission

@mysk Interesting that they're logging this:

JΓΈrn

@mysk @bert_hubert Why does iOS expose these variables in so much detail? And why should an app see the OS uptime at all?

andrewtj

@bert_hubert @jornane @mysk I use OS uptime to make caches behave correctly regardless of system clock changes.

iOS inherited a lot of from the Mac which grew up in more innocent times. The Address Book API is a good example. On the Mac it didn't matter that any app could do what it liked. On iOS within 3 or 4 years apps were abusing it which lead to changes on both platforms.

As it happens the uptime APIs are seeing more scrutiny at the moment:

developer.apple.com/news/?id=z
developer.apple.com/documentat

@bert_hubert @jornane @mysk I use OS uptime to make caches behave correctly regardless of system clock changes.

iOS inherited a lot of from the Mac which grew up in more innocent times. The Address Book API is a good example. On the Mac it didn't matter that any app could do what it liked. On iOS within 3 or 4 years apps were abusing it which lead to changes on both platforms.

JΓΈrn

@andrewtj @bert_hubert @mysk Users don’t change the system clock that often in my experience. Why do you need to be robust against that? Especially since they can reboot their devices, which then also messes with your cache.

andrewtj

@jornane @bert_hubert @mysk Please be a little generous. The user isn't the only thing that changes the system clock and not all caches are persisted.

Tom Lokhorst

@jornane @mysk @bert_hubert The App Store is adding the requirement to specify reasons for using specific APIs that are often used for fingerprinting. Uptime is one of the APIs that won't be allowed without a reason as of Spring 2024. developer.apple.com/documentat

DELETED

@mysk Do you know if this is still collected, when the user has disabled the option ”Allow apps to ask to track” in settings->privacy->tracking ?

Huriken

@mysk Why would anybody ever need so many precision digits for the battery or brightness level?! Like, except for tracking...

OS manufacturers should not provide so precise (and thus unique) numbers, but just something like 0.35. The end-user cannot see it more precise either (battery level is usually given in %, brightness doesn't even have numbers, but just a slider) and there's no use differentiating more precise numbers...

richh

@mysk What approach are you using for those captures? A proxy/MITM with Wireshark or something on-device? Presumably the apps are using TLS, so having a root certificate installed is necessary to MITM them?

Go Up