According to Forbes, Apple recently rejected updates to apps that do not adhere to its iOS 14 privacy features. We have known since Apple announced App Tracking Transparency (ATT) that large changes would occur in how users are tracked for the purposes of advertising. With these initial rejections — ahead of iOS 14.5 and the official introduction of ATT — Apple is putting their foot down in the fight for user privacy.

In this post, we’ll cover the following:

  • What caused these app update rejections
  • How user privacy is here to stay
  • How Embrace predicted this situation
  • Why it’s important to choose vendors that align with the interests of your applications and your users

What caused these app update rejections

The iOS developers facing these app rejections were given the following reason: “Your app uses algorithmically converted device and usage data to create a unique identifier in order to track the user.”

Mobile marketing analyst Eric Seufert pointed out that mobile measurement company Adjust, the most prominent mobile attribution vendor, is the primary source of the problem.

Mobile apps use Adjust to measure the effectiveness of advertising campaigns, and Adjust is a big player in the space. AppFigures estimates that 18% of the apps on the App Store and 11% of the apps on Google Play that use attribution providers use Adjust.

The source of the problem is Adjust using a technique called device fingerprinting, where they combine several data points into a unique identifier for the user. Examples of this type of data include total disk space, battery level, uptime, and OS version. Note that collecting this data individually can be incredibly valuable for debugging purposes, but the real issue is the intent behind the collection. And as line 285 here shows, it seems like Adjust was collecting this information and concatenating it together for the purposes of fingerprinting.

NSString *concatenated = [NSString stringWithFormat:@"%@%@%@%@%@%@%@%@%@%@%@%@%@",    
                              binaryLanguageFormatted,
                              binaryHardwareNameFormatted,
                              binaryOsVersionMajorFormatted,
                              binaryOsVersionMinorFormatted,
                              binaryOsVersionPatchFormatted,
                              binaryMccFormatted,
                              binaryMncFormatted,
                              binaryChargingStatusFormatted,
                              binaryBatteryLevelFormatted,
                              binaryTotalSpaceFormatted,
                              binaryFreeSpaceFormatted,
                              binarySystemUptimeFormatted,
                              binaryLastBootTimeFormatted];

Adjust removed this code on April 1st, 2021 from their iOS SDK in order to pass App Store approval.

How user privacy is here to stay

If the introduction of GDPR has taught the average user anything, it’s the sheer amount of data collection that is happening in their digital lives. Those annoying cookie consent popups are a multi-daily reminder that tracking is simply everywhere. With Apple Tracking Transparency, mobile app users will now be greeted with similar popups for every app.

For the first time ever, tracking users will be opt-in, and some industry estimates expect as low as 10-15% of users to opt-in to be tracked across apps and websites.

There’s a long history of people using unique identifiers in iOS for marketing purposes, and slowly but surely, Apple has shut them all down.

  • Unique Device Identifier (UDID) is a unique identifier for a single device that is fetched from Apple servers when a user tries to activate the device using iCloud or the Setup app. It was introduced in 2007 and immediately was used by third parties to correlate these UDIDs with other data from multiple apps to build profiles of users. Apple eventually deprecated the use of UDIDs.
  • Media Access Control Address (MAC address) is a unique identifier that is assigned to devices that need to access the internet. Third-parties started using the MAC address to track users after the UDID got removed. Starting in iOS 11, Apple’s solution was to make the MAC address available to apps to be set to all zeros to block its usage.
  • Shared Pasteboards are a way for users to share pasteboard data across apps and devices. We’ve written about this before, but starting in iOS 14, users now get notified if an app accesses general pasteboard content. TikTok was caught grabbing the contents of users’ clipboards every 1-3 keystrokes, and, facing public backlash, removed this functionality.
  • Identifier for Advertisers (IDFA) was Apple’s solution to provide the marketing ecosystem a way to track users for attribution. While users could manually opt-out of this tracking, the difference with iOS 14.5 will be the change towards IDFA being opt-in.

Advertisers are scrambling for a solution to allow them to keep business going as usual. While Adjust writes about workarounds like creating an “attribution hash” to circumvent App Tracking Transparency, companies like Facebook have tried to build up anti-Apple PR by running newspaper ads accusing them of hurting small businesses and breaking the free internet.

Where there’s enough smoke, there’s fire. Mobile advertisers are realizing just how untenable their current position is.

How Embrace predicted this situation

We’ve written before about the growing importance of user privacy. Embrace’s mission since our inception has been to be completely aligned to the mobile teams we partner with and, more importantly, their users. There is a wealth of actionable, nonintrusive data that, if collected responsibly and presented well, provides a wonderful opportunity for mobile teams to identify and solve the issues that lead to poor user experiences.

We are private by default:

  • We are GDPR-compliant.
  • We do not collect or store Personally Identifiable Information (PII).
  • We do not collect full IP addresses, instead only transmit enough of the IP to classify the general region of a user. This way, mobile companies can evaluate how their application performs by region.
  • We do not record video.
  • We only collect basic networking data. Data like query params, headers, and bodies can easily contain PII, so we do not collect them by default.
  • We do not concatenate separate data sources into an identifier.
  • We do not sell or traffic in user data.

We collect data for the sole purpose of improving user experiences. We love mobile and see the bright future it has to change so many parts of our lives. It is crucial that we always look forward and ask ourselves if we are doing right by our users.

Your users are the future of your business — not the product!

Why it’s important to choose vendors that align with the interests of your applications and your users

As Apple’s new privacy policy in iOS 14 has shown, the writing is on the wall for vendors that willfully disregard user privacy. You are responsible for all the code you ship, whether you wrote it or someone else did. You put your business at stake when you introduce third-party SDKs that are not aligned to your users.

This is a defining moment in the future of your mobile company.

Consider vendors that care about your users.

At Embrace, we care about them so much that we want to empower your teams to solve every single issue that affects them.

How Embrace helps mobile teams

Embrace is a data driven toolset to help mobile engineers build better experiences. We are a comprehensive solution that fully reproduces every user experience from every single session. Your team gets the data it needs to proactively identify, prioritize, and solve any issue that’s costing you users or revenue.

Want to see how Embrace can help your team grow your mobile applications with best-in-class tooling and world-class support? Request a demo and see how we help teams set and exceed the KPIs that matter for their business!