New study shows that the default apps collect data even when supposedly disabled, and this is hard to switch off
'Privacy. That’s Apple,’ the slogan proclaims. New research from Aalto University in Finland begs to differ.
The researchers studied eight default apps, the ones that are pretty much unavoidable on a new device, be it a computer, tablet or mobile phone: Safari, Siri, Family Sharing, iMessage, FaceTime, Location Services, Find My and Touch ID. They collected all publicly available privacy-related information on these apps, from technical documentation to privacy policies and user manuals.
'Due to the way the user interface is designed, users don’t know what is going on. For example, the user is given the option to enable or not enable Siri, Apple’s virtual assistant. But enabling only refers to whether you use Siri’s voice control. Siri collects data in the background from other apps you use, regardless of your choice, unless you understand how to go into the settings and specifically change that,’ says Associate Professor Janne Lindqvist, head of the computer science department at Aalto.
'The online instructions for restricting data access are very complex and confusing, and the steps required are scattered in different places. There’s no clear direction on whether to go to the app settings, the central settings – or even both,’ says Amel Bourdoucen, a doctoral researcher at Aalto.
In addition, the instructions didn’t list all the necessary steps or explain how collected data is processed.
The researchers also demonstrated these problems experimentally. They interviewed users and asked them to try changing the settings.
‘It turned out that the participants weren’t able to prevent any of the apps from sharing their data with other applications or the service provider,’ Bourdoucen says.
As a current Apple user, using a DNS tracker blocker (on-device, Adguard’s app switching between their DNS and Mullvad’s DNS occasionally) blocks a lot of tracker and data collection pings to Apple. Even if you block it via regular dns, iOS can circumvent your VPN or DNS provider in times of “low connectivity”. Unsure if that means your actual connection is low, or if those analytics not connecting counts as them detecting “low connectivity”. Regardless, even with data collection blocking in place, iOS occasionally will just circumvent it and collect anyway under normal circumstances.
Haven’t tried a pi-hole or similar yet, that could probably fully prevent it but it’ll just happen when I’m on mobile data or someone elses WiFi then.
Edit: I’m switching back to Android soon but it was interesting to get first-hand experience at how trackers on Apple products work.
Interesting (kinda) coincidence. I’ve just switched from Android back to iPhone, after about 10 years away from the platform.
But I use an always-on Wireguard VPN back to my home network, with my DNS set to my Pi-hole servers and my firewall rules blocking access to all external DNS servers, except from my Pi-holes for upstream resolution.
I’m yet to do some p-caps to see what I’m missing in this setup - while I’m confident it did a great job of protecting me from a lot of Google’s data-harvesting shenanigans, I’m yet to investigate what I need to do to achieve a similar outcome for my iPhone.
Interesting to see the different approaches they both take, Google has way more trackers but they’re easier to block, Apple has less but they’re much harder to block.
I haven’t noticed the iPhone doing that thing where when trackers are blocked it keeps trying to ping them over and over draining the battery endlessly, iirc that happens on some manufacturers for Android, but I wonder if that’s just because it looks like it’s blocking but after a few tries circumvents the dns, which wouldn’t appear in the logs in the dns app? I’ll see 3 blocked pings and then it stops, so maybe it gives up, not fully sure. I should dig deeper into it before I trade the phone in and actually monitor my whole connection to see how often they slip through.
Oh, and a random tip since you said you’ve got an iPhone again now, in settings > privacy & security > tracking, if you disable “Allow Apps to Request to Track”, it prevents non-Apple apps from tracking entirely cross-site/apps. While it sounds a bit like that just allows them to track without asking consent from you, it’s actually making them default to deny tracking instead of asking. They can still do analytics but they can’t track anything outside of their app sandbox.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@beehaw.org
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
As a current Apple user, using a DNS tracker blocker (on-device, Adguard’s app switching between their DNS and Mullvad’s DNS occasionally) blocks a lot of tracker and data collection pings to Apple. Even if you block it via regular dns, iOS can circumvent your VPN or DNS provider in times of “low connectivity”. Unsure if that means your actual connection is low, or if those analytics not connecting counts as them detecting “low connectivity”. Regardless, even with data collection blocking in place, iOS occasionally will just circumvent it and collect anyway under normal circumstances.
Haven’t tried a pi-hole or similar yet, that could probably fully prevent it but it’ll just happen when I’m on mobile data or someone elses WiFi then.
Edit: I’m switching back to Android soon but it was interesting to get first-hand experience at how trackers on Apple products work.
Interesting (kinda) coincidence. I’ve just switched from Android back to iPhone, after about 10 years away from the platform.
But I use an always-on Wireguard VPN back to my home network, with my DNS set to my Pi-hole servers and my firewall rules blocking access to all external DNS servers, except from my Pi-holes for upstream resolution.
I’m yet to do some p-caps to see what I’m missing in this setup - while I’m confident it did a great job of protecting me from a lot of Google’s data-harvesting shenanigans, I’m yet to investigate what I need to do to achieve a similar outcome for my iPhone.
Hope it goes well!
Interesting to see the different approaches they both take, Google has way more trackers but they’re easier to block, Apple has less but they’re much harder to block.
I haven’t noticed the iPhone doing that thing where when trackers are blocked it keeps trying to ping them over and over draining the battery endlessly, iirc that happens on some manufacturers for Android, but I wonder if that’s just because it looks like it’s blocking but after a few tries circumvents the dns, which wouldn’t appear in the logs in the dns app? I’ll see 3 blocked pings and then it stops, so maybe it gives up, not fully sure. I should dig deeper into it before I trade the phone in and actually monitor my whole connection to see how often they slip through.
Oh, and a random tip since you said you’ve got an iPhone again now, in settings > privacy & security > tracking, if you disable “Allow Apps to Request to Track”, it prevents non-Apple apps from tracking entirely cross-site/apps. While it sounds a bit like that just allows them to track without asking consent from you, it’s actually making them default to deny tracking instead of asking. They can still do analytics but they can’t track anything outside of their app sandbox.
Thanks for that - great tip for new players.