For all of Apple’s talk about how private your iPhone is, the company vacuums up a lot of data about you. iPhones do have a privacy setting that is supposed to turn off that tracking. According to a new report by independent researchers, though, Apple collects extremely detailed information on you with its own apps even when you turn off tracking, an apparent direct contradiction of Apple’s own description of how the privacy protection works.
The iPhone Analytics setting makes an explicit promise. Turn it off, and Apple says that it will “disable the sharing of Device Analytics altogether.” However, Tommy Mysk and Talal Haj Bakry, two app developers and security researchers at the software company Mysk, took a look at the data collected by a number of Apple iPhone apps—the App Store, Apple Music, Apple TV, Books, and Stocks. They found the analytics control and other privacy settings had no obvious effect on Apple’s data collection—the tracking remained the same whether iPhone Analytics was switched on or off.
“The level of detail is shocking for a company like Apple,” Mysk told Gizmodo.
“The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple. 👇 This data is sent in one request: (data usage & personalized ads are off) #CyberSecurity” — Mysk (@mysk_co), November 3, 2022
The App Store appeared to harvest information about every single thing you did in real time, including what you tapped on, which apps you searched for, what ads you saw, how long you looked at a given app, and how you found it. The app sent details about you and your device as well, including ID numbers, what kind of phone you’re using, your screen resolution, your keyboard languages, and how you’re connected to the internet—notably, the kind of information commonly used for device fingerprinting.
“Opting-out or switching the personalization options off did not reduce the amount of detailed analytics that the app was sending,” Mysk said. “I switched all the possible options off, namely personalized ads, personalized recommendations, and sharing usage data and analytics.”
Apple did not respond to multiple requests for comment. We’ll update the story with any information the company provides.
Gizmodo requested that Mysk examine a few other Apple apps for comparison. The researchers said that the Health and Wallet apps, for example, didn’t transmit any analytics data at all, regardless of whether the iPhone Analytics setting was on or off, whereas Apple Music, Apple TV, Books, the iTunes Store, and Stocks all did. Most of the apps that sent analytics data shared consistent ID numbers, which would allow Apple to track your activity across its services, the researchers found.
For example, the Stocks app sent Apple your list of watched stocks, the names of stocks you viewed or searched for and time stamps for when you did it, as well as a record of any news articles you saw in the app, according to Mysk’s analysis for Gizmodo. The information was sent to a web address labeled analytics, https://stocks-analytics-events.apple.com/analyticseventsv2/async. That transmission was separate from the iCloud communication necessary to sync your data across devices. Unlike the other apps, however, Stocks sent different ID numbers and far less detailed device information.
The researchers checked their work on two different devices. First, they used a jailbroken iPhone running iOS 14.6, which allowed them to decrypt the traffic and examine exactly what data was being sent. Apple introduced App Tracking Transparency in iOS 14.5, cuing users to decide whether or not to give their data to individual apps with the prompt “Ask app not to track?”
The researchers also examined a regular iPhone running iOS 16, the latest operating system, which bolstered their findings. There is little reason to think that the jailbroken phone would send different data, they said, but on iOS 16, they saw the same apps sending similar packets of data to the same Apple web addresses. The data was transmitted at the same times under the same circumstances, and turning the available privacy settings on and off likewise didn’t change anything. The researchers couldn’t examine exactly what data was sent because the phone’s encryption remained intact, but the similarities suggest this may be standard behavior on the iPhone.
Keeping tabs on your behavior rubs some people the wrong way, regardless of the information in question. But this data can be sensitive. In the App Store, for example, the fact that you’re looking at apps related to mental health, addiction, sexual orientation, and religion can reveal things that you might not want sent to corporate servers.
It’s impossible to know what Apple is doing with the data without the company’s own explanation, and as is so often the case, Apple has been silent so far. It’s entirely possible that Apple doesn’t use the information if you turn the settings off, but that’s not how the company explains what the settings do in its privacy policy.
You can see what the data looks like for yourself in the video Mysk posted to Twitter, documenting the information collected by the App Store.
This isn’t an every-app-is-tracking-me-so-what’s-one-more situation. These findings are out of line with standard industry practices, Mysk says. He and his research partner ran similar tests in the past looking at analytics in Google Chrome and Microsoft Edge. In both of those apps, Mysk says the data isn’t sent when analytics settings are turned off.
Privacy is one of the main issues that Apple uses to set its products apart from competitors. It emblazoned 40-foot billboards of the iPhone with the simple slogan “Privacy. That’s iPhone.” and ran the ads across the world for months. But the company is slowly introducing many of the internet’s privacy issues into the once sacrosanct Apple ecosystem. Apple is working hard to build an advertising empire. Apple’s ad network runs on your personal information just like the ones Google and Meta operate, albeit in a more reserved way.
Along the way, Apple developed a very convenient definition of what privacy means that lets the company criticize its rivals’ privacy practices while harvesting your data for similar purposes. Apple says you shouldn’t think of what it does as “tracking.” According to the company’s website:
Apple’s advertising platform does not track you, meaning that it does not link user or device data collected from our apps with user or device data collected from third parties for targeted advertising or advertising measurement purposes, and does not share user or device data with data brokers.
In other words, it’s not tracking unless you’re linking together data collected from services owned by different companies. If only one company—Apple—is collecting the data, then by Apple’s definition, it’s not tracking. Of course, that’s different from the definition of tracking that everyone else seems to use.
It’s no surprise that Apple is collecting analytics information; the practice is laid out in the privacy policy, and almost every app and device you use probably uses your data for analytics. But Mysk said he’s stunned at the level of detail. “I expected from a company like Apple, that believes that privacy is a fundamental human right, to collect more generic analytics,” Mysk said.
What happens on your iPhone stays on your iPhone, unless you count the mountains of information your iPhone sends to Apple.