|
This screenshot shows the app analytics data sent by two different #iOS apps: Duolingo and Tinder. What's the likelihood that both apps are installed on the same device? π―? π€― Both apps use Unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps. 28 comments
@lucas Yes. The server seems to be fixed. but it has several numbered replicas. @mysk Why do apps get such precise values at all instead of simply rounding them to the whole number or oke decimal place? @lukasmueller Good question, but do you think it will make a difference if the system returns 0.35 instead of 0.3499999940395355? @mysk Despite millions of users, tracking would most likely still be possible even with rounded values. Do apps send this data even if app tracking is deactivated via the system prompt? @lukasmueller Yes, it is sent despite opting out. App tracking is also denied. You can see that in the screenshot: "unifiedconfig.pii.advertisingTrackingId":00000000000000000 The value is zeros because I denied the apps access to tracking. @mysk I completely overlooked that. Thank you! @lukasmueller No worries π @mysk Even as an experienced user, one is unfortunately very limited in options, as there is always a compromise between data protection and usability. Especially on mobile devices and when using apps, the possibilities are limited. In addition, the major players don't need third-party tracking, and built-in tracking can easily be served by the content domains @mysk @lukasmueller this looks like just floating point error. Look at all the 9s in a row; floating point canβt exactly represent 0.35 so you get this close number. Looks like the system already rounding to 1/100 @lukasmueller @mysk Very good question. I wouldnβt be surprised if the backend of the Ad server is truncating them anyway - matching on 5 significant figures would be easier than what youβve got there. Iβm surprised theyβre identical actually, unless the OS API isnβt entirely real time. What are the odds of two apps requesting that data one after the other and it actually being the same to that level of precision?  @mysk @bert_hubert Why does iOS expose these variables in so much detail? And why should an app see the OS uptime at all? @andrewtj @bert_hubert @mysk Users donβt change the system clock that often in my experience. Why do you need to be robust against that? Especially since they can reboot their devices, which then also messes with your cache. @jornane @bert_hubert @mysk Please be a little generous. The user isn't the only thing that changes the system clock and not all caches are persisted. @jornane @mysk @bert_hubert The App Store is adding the requirement to specify reasons for using specific APIs that are often used for fingerprinting. Uptime is one of the APIs that won't be allowed without a reason as of Spring 2024. https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api @sbug @mysk @mysk Why would anybody ever need so many precision digits for the battery or brightness level?! Like, except for tracking... OS manufacturers should not provide so precise (and thus unique) numbers, but just something like 0.35. The end-user cannot see it more precise either (battery level is usually given in %, brightness doesn't even have numbers, but just a slider) and there's no use differentiating more precise numbers... |
Gregory's Server
@mysk A network-level adblocker should stop it no?