New research by two security researchers at the software company Mysk shows that Apple collects detailed information about iPhone users through its own apps even when tracking is turned off, a direct contradiction to what Apple has always said about protecting the privacy of its users.
This was discovered by Tommy Mysk and Talal Haj Bakry, who are application developers and security researchers at the Mysk software company, where they implemented the (Stop Tracking) feature called (iPhone Analytics) in various iPhone applications, such as Store, the Music app, the Books app, the Apple TV app, and the Stocks app, and they found that all of these apps continued to collect data even though the feature was turned on.
According to what the researchers published on Twitter, the App Store records everything the user does inside it in real-time, including what he clicks on, what he searches for, as well as the amount of time the user spends on each page, the ads he viewed, in addition to how It arrives on an application page.
In addition to collecting all this data, the researchers also found that the App Store collects information about the user’s phone, such as
phone identification numbers such as IMEI number and (Mac Address), the type of phone they use, screen size and resolution, keyboard language, and method of the Internet connection of the phone.
You can see for yourself what the data looks like in this video the researchers posted, documenting the data collected by the App Store:
Musk told Gizmodo: “Unsubscribing or turning off personalization options did not reduce the amount of detailed analytics the app was sending. That’s in data collection.”
When the researchers examined some other Apple apps for comparison, they found that the Health and Wallet apps do not collect any statistical or analytical data about user activity, regardless of whether the (iPhone Analytics) setting is turned on or off.
Whereas other Apple apps send analytics data and share consistent identification numbers, allowing Apple to track user activity across its services in real-time.
For example, they found that the Stocks app sends Apple a list of stocks the user is following, the names of stocks the user has viewed or searched for, as well as browsing time, as well as a history of any news articles or reports the user viewed within the app.
According to the researchers’ analysis, they found that all the data is sent to a web address called analytics ( https://stocks-analytics-events.apple.com/analyticseventsv2/async ). This transmission was separate from the iCloud connection necessary to sync user data across devices. Unlike other apps, Stocks sent different identification numbers and less detailed information about the device.
The researchers conducted this research on two different iPhones. They first used an unprotected iPhone running iOS 14.6, which allowed them to decrypt and scan data sent to Apple.
They used this version of iOS precisely because Apple launched App Tracking Transparency in iOS 14.5, a feature that allows users to choose which apps are tracking them.
The researchers then also examined a normal (protected) iPhone running iOS 16 – the latest operating system Apple released – reinforcing their findings. They found no difference between the two phones in sending data, seeing that the same apps in iOS 16 send similar packets of data to the same Apple web addresses.
The results showed that the data was transferred at the same times and under the same conditions, and turning the available privacy settings on or off didn’t change anything.
Apple has always emphasized the importance of user data privacy, especially with the introduction of the app tracking transparency feature in iOS 14.5, and its support page on ( Device Analytics and Privacy ) states that the user must consent to the collection of such information from devices.
Apple states on its support page: “None of the information collected personally identifies you. Personal data is either not logged at all, is subject to privacy techniques such as (differential privacy), or is omitted from any reports before it is sent by Apple.”
But the search results prove that Apple is accessing data that the user may not want to know about, for example the data sent can reveal the fact that the user is looking at applications related to mental health, addiction, sexual orientation, and religion for things that they may not want to send to the company’s servers.
“We would expect a company like Apple to consider data privacy a human right, to collect data that is public and not so private, and to steer clear of the nitty-gritty of what users do,” the researchers said on Twitter.
It is impossible to know what Apple is doing with the data without an explanation from it, and as is often the case; Apple has been silent so far. It has never responded to multiple requests for comment on this research, and we will update the report with any information the company provides.
