Apple has announced an extra hoop developers have to jump through to get their apps approved on its App Store. Soon, developers of apps that use certain APIs will have to clarify their reasons for using them when submitting those apps.
Apple is trying to close some fingerprint loopholes here. The term “fingerprinting” in this context refers to various techniques for learning information about a device or its user and tracking them across multiple unrelated apps or websites.
It’s something that Apple has said isn’t allowed in iPhone apps for a while, and the company introduced the controversial App Tracking Transparency initiative in 2021 to allow users to choose whether things like mobile ad networks (for example) could trace them in this way.
That said, some more creative and covert forms of fingerprinting have been outlawed since then, even if users choose to be tracked — and they include abuse of the APIs in question here.
Smart developers can find ways to use the features, information, or tools they offer to track users in exactly the kinds of ways Apple has tried to stop — even if that wasn’t the main purpose of the API. The APIs that developers will need to justify do things like look at file timestamps or look at system startup times, among others. In Apple’s words, these apps “can be abused to access device signals to attempt to identify the device or user, also known as device fingerprinting.”
Of course, technically developers can still lie and say they’re using an API for one thing when they’re actually using it for something else. Apple addresses it with the somewhat vague policy that “stated reasons must be consistent with your app’s functionality as presented to users.”
It won’t be a perfect system, but it’s likely that it will at least allow Apple to reduce the practice of fingerprinting.
Apple previously stated that this change was coming during WWDC 2023, but the company revealed more details and a specific timeline this week.
The rollout will be slow, giving developers plenty of time to react — at least those who are able to actively maintain their apps. Starting this fall, developers who upload an app or app update that uses one of these APIs will receive a notification that they will soon have to provide a reason.
In the spring of 2024, apps that have not done this will be rejected. It will be as easy as selecting a pre-approved list from a drop-down menu when submitting an app for some developers. Still, others may have to do more extensive work – especially those who have exploited this loophole need to do some development work to change their applications to get them to stop doing it if they can’t make a case, of the approved grounds apply. Those who feel that the pre-authorized reasons fail to include their own legitimate, non-fingerprinting reason for using an API may contact Apple via a form to request that a new plot be approved.