Manzana boasts that his iPhone they do not allow anyone to spy on their users. iPhones have a setting of privacy which is supposed to disable that trace. However, according to a new report by independent researchers, Apple collects very detailed information about you with its own apps even when you turn off trackingan apparent direct contradiction to Apple’s own description of how privacy protection works.
When you set up iPhone, the phone asks you a question: “Do you want to share data with Apple to improve the use of apps?” The iPhone Analytics configuration makes an explicit promise. Turn it off and Apple says it will “disable Device Analytics sharing altogether”. However, Tommy Mysk and Talal Haj Bakry, two application developers and security researchers at the Mysk software company, took a look at the data collected by various Apple apps for iPhone: App Store, Apple Music, Apple TV, Books, and Stocks. They found that analytics control and other privacy settings had no apparent effect on Apple’s data collection: tracking remained the same whether iPhone Analytics was turned on or off.
The App Store seemed to collect information about everything you did in real time, including what you tapped, what apps you searched for, the ads you saw and how long you looked at a certain app and how you found it. The app also sends details about you and your device, such as ID numbers, the type of phone you use, your screen resolution, your keyboard languages, and how you connect to the Internet.
“Turning off the customization options did not reduce the amount of detailed analytics data the app sent,” says Mysk. “I turned off all possible options, that is, personalized ads, personalized recommendations and the sharing of usage and analytics data.”
The researchers said the apps Health and Portfolio, for example, did not transmit any analytical data, regardless of si iPhone Analytics setting was on or off, while Apple Music, Apple TV, Books, iTunes Store, and Stocks were on. The researchers found that most of the apps that sent analytics data shared consistent ID numbers, allowing Apple to track your activity across all of its services.
For example, the ‘Stock Market’ application sent Apple the list of observed values, the names of the securities you viewed or searched for and the timestamps of when you did so, as well as a record of the news articles you viewed in the app, based on Mysk’s analysis for Gizmodo. The information was sent to a web address called analytics, https://stocks-analytics-events.apple.com/analyticseventsv2/async. That transmission was separate from the iCloud communication needed to sync your data between devices. However, unlike the other apps, Stocks sent different ID numbers and much less detailed device information.
The researchers checked their work on two different devices. First, they used a jailbroken iPhone running iOS 14.6, allowing them to decipher the traffic and examine exactly what data was being sent. Apple introduced App Tracking Transparency in iOS 14.5, prompting users to decide whether or not to give their data to individual apps with the prompt “Ask app not to track?”
researchers they also examined a regular iPhone running iOS 16, the latest operating system, which reinforced their conclusions. There’s little reason to think the jailbroken phone would send different data, they said, but in iOS 16, they saw the same apps send similar data packets to the same Apple web addresses. Data was transmitted at the same times and under the same circumstances, and turning available privacy settings on and off didn’t change anything either. The researchers couldn’t examine exactly what data was sent because the phone’s encryption remained intact, but the similarities suggest this may be standard behavior on the iPhone.
The fact that your behavior is monitored bothers some people, regardless of the information in question. But this data can be sensitive. On the App Store, for example, searching for apps related to mental health, addiction, sexual orientation, and religion can reveal things you might not want sent to corporate servers.