Apple demands app makers explain use of sensitive APIs

Apple has told developers writing apps for its shiny stuff that they will soon have to explain why their programs use certain sensitive APIs.

Cupertino claims it's doing so to discourage app makers from trying to track users through digital fingerprinting.

"Some APIs that your app uses to deliver its core functionality — in code you write or included in a third-party SDK — have the potential of being misused to access device signals to try to identify the device or user, also known as fingerprinting," Apple's developer documentation explained on Thursday. "Regardless of whether a user gives your app permission to track, fingerprinting is not allowed."

Fingerprinting in the context of online activity refers to a way to create a unique identifier based on a device's software and hardware characteristics. With enough data points, the different settings provide sufficient entropy to distinguish most users from one another. The website AmIUnique.org demonstrates how this works for web browsers.

Over the past decade - as Apple, Google, and others have taken steps to improve privacy on the web and in native apps - fingerprinting has become more common, presumably to retain access to tracking information denied by privacy defenses.

As researchers from the University of Iowa, Mozilla, and the University of California at Davis observed in a 2020 report [PDF], only 40 of the top 10,000 websites used fingerprinting techniques in 2013. By 2019, there were fingerprinting scripts on about 37 percent of the top 500 websites and by 2021 another study claimed over two thirds of the top 10,000 websites perform fingerprinting.

Fingerprinting is often used by marketers for non-consensual tracking; it also has more generally accepted applications, like network security management and fraud prevention.

• Apple dev roundup: Weather data meets privacy, and other good stuff
• Google's browser security plan slammed as dangerous, terrible, DRM for websites
• Makers of ad blockers and browser privacy extensions fear the end is near
• Apple owes Brit iOS app devs millions from excessively high commission, lawsuit claims

Apple announced its API privacy initiative at its Worldwide Developer Conference in June. Come "Fall 2023" – possibly in conjunction with the expected iOS 17 release in September or October – developers using "Required reason APIs" will have to supply a valid reason, from a limited list of accepted ones, to request device data like the system boot time, the amount of available disk space, and user default settings.

Developers in their privacy manifest file must include a reason code that corresponds with an approved reason. For example, "CA92.1" is the code associated with the sole valid reason for accessing UserDefaults data. The reason description explicitly disallows reading user data from other apps, or writing user data to make it available in another app.

"Declare this reason to access user defaults to read and write information that is only accessible to the app itself," Apple's documentation explains. "This reason does not permit reading information that was written by other apps or the system, or writing information that can be accessed by other apps."

Apple will also consider reasons not on its official list through a petition process – the developer must submit a form and convince a company representative that the intended use isn't abusive.

It isn't clear whether Apple, as part of its app review process or in response to user complaints, will compare declared reasons with what application code actually does. But if Apple chooses to investigate, a developer's stated reason for using an API should make non-compliant code easier to spot. ®