Want to ‘Fingerprint’ an iPhone User? Tell Us Why, Says Apple

Apple this fall is rolling out new API requirements, forcing app developers to explain exactly why they need to collect certain points of data to “fingerprint” their users.

App creators who do business with Apple through the iOS and Mac App Stores will no longer be able to collect user data willy-nilly, starting this autumn, Apple says in an update to its Developer portal.

“Apple is committed to protecting user privacy on our platforms,” the tech giant says. “We know that there are a small set of APIs that can be misused to collect data about users’ devices through fingerprinting, which is prohibited by our Developer Program License Agreement.”

An Application Programming Interface, or API for short, is a type of software interface – basically a set of definitions and protocols – for building and integrating software. During development, programmers can “call” different components of an API to ensure a more seamless connection between various software parts.

“To prevent the misuse of these APIs […] developers will need to declare the reasons for using these APIs in their app’s privacy manifest,” Apple says. “This will help ensure that apps only use these APIs for their intended purpose.”

Since APIs can collect user data, they can also be used for “fingerprinting.” Fingerprinting means collecting varoius data points about a user and their device to compile a unique profile about the person.

The data  includes points such as IP address, screen resolution, language setting, fonts used, operating system type and version, processor type and speed, network information, battery level, etc.

Developers can use these tidbits to optimize app functionality, ensure seamless logins, as well as to protect the user’s security and privacy.

However, fingerprinting used carelessly or maliciously can have the exact opposite effect. A bad actor can use your fingerprint to bypass certain requests for access, such as CAPTCHA or two-factor authentication. This can lead to account takeover, impersonation and other nasty stuff.

Apple is now tightening its grip on API use in its walled garden, telling developers to state how their app uses a certain API and why.

“As part of this process, you’ll need to select one or more approved reasons that accurately reflect how your app uses the API, and your app can only use the API for the reasons you’ve selected,” the memo says.

In the next few months, devs will receive a kind reminder to provide that information in their app’ privacy manifest. Starting in spring 2024, Apple expects everyone to have incorporated the practice, so any new submissions will have to come bundled with the updated manifest.

Developers can review the list of APIs and approved reasons on the Apple Developer portal.