Security researchers: Apple’s App Store tracking can be linked to iCloud ID

German-Canadian security researchers have found indications that Apple could also link the analysis data collected in the App Store app to a user’s Apple ID using an additional identifier.

At the beginning of November, the experts showed that Apple tracked user actions in the App Store app and sent them to its servers in real time. Now the group “Mysk” shared on Twitter withthat the analysis data can apparently also be linked to the Apple ID of the user. Apple’s approach would thus contradict its own statements on the data protection of the device analysis data, according to which a personal assignment of the data is not possible.

The two researchers Tommy Mysk and Talal Haj Bakry had already tracked the data traffic between the App Store and Apple for their first discoveries, which became public in early November. In order to avoid the usual encryption of data transfers, they used an iPhone with a jailbreak version of iOS 14.6. Even if they cannot directly check later iOS versions, they show a connection behavior that suggests that Apple is still doing this.

Apple takes a close look at how users use the App Store and transfers the data to its servers as JSON. According to the information, the data contained information about what users call up in the App Store, how long they stay on the pages of individual apps, as well as data about the devices used, language settings and storage space. The information could be linked to one another via the session ID.

The current discovery revolves around an ID called “Directory Services Identifier” (dsId), which, according to research by “Mysk”, allows conclusions to be drawn about a user’s iCloud account. In theory, Apple could even assign the analysis data to individual people and their data stored at Apple. The security researchers prove this with screenshots showing data transfers to the iCloud API. The “DSID” also appears there. Despite different upper and lower case, it is the same identifier.

According to the US technology blog Gizmodo, a class action lawsuit has been filed against Apple in California based on the experts’ statements on the collection of analysis data in the App Store app. The plaintiffs accuse Apple of violating California privacy laws by collecting analytics data even though this has been disabled in the iPhone’s settings.

There is also criticism from competitors. The App Tracking Transparency (ATT) forces developers to obtain the user’s consent before data tracking and to refrain entirely if desired – the App Store app, on the other hand, makes no difference, the security researchers claim.

Apple itself has not yet commented on the subject to the media.


More from Mac & i

More from Mac & i


More from Mac & i

More from Mac & i


(mki)

To home page

Leave a Comment