WWDC 20
Build trust through better privacy
Main rules of privacy at Apple:
1. On-device processing - process data locally without sending it to the cloud
Once the data is sent off device, the user loses control over who can access it and what they can do with it
It also requires additional work to secure the user data in transit and when stored in the cloud
For ML, Apple is adding more and more ways to train models on device so that you don’t need to send user data somewhere in order to update the models
Private federated learning – only anonymized model updates are sent to the server, never the raw user data they were computed from
Used previously for: QuickType, Hey Siri; now also photo sharing, dictation, HomeKit object detection
2. Data minimization - build users’ trust by requesting and using only the data that you actually need
New APIs introduced this year to let you access less data to achieve what you need:
- Limited Photos Library
- PHPicker – new system photo picker UI
- Approximate location access option
For contacts, instead of requesting access to the full contacts database, set an appropriate textContentType on a text field (.emailAddress, .telephoneNumber) and rely on QuickType to autocomplete the contact info as the user types
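The two minimization APIs above in one place, as an added example that is not code from the session: a profile form that gets a picture via PHPicker (no Photos permission prompt, because the picker runs out of process and returns only what the user chose) and gets email/phone via textContentType instead of reading the contacts database. The class name and layout are assumptions for illustration.

```swift
import UIKit
import PhotosUI

// Added example (not from the session): a profile form that never asks for
// Photos or Contacts permission. PHPicker hands back only the image the user
// chose; textContentType lets the keyboard offer the user's own contact
// details without the app touching CNContactStore.
final class ProfileFormViewController: UIViewController, PHPickerViewControllerDelegate {
    private let avatarView = UIImageView()
    private let emailField = UITextField()
    private let phoneField = UITextField()

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground

        // Contact data: QuickType/AutoFill suggests values; no contacts access requested.
        emailField.placeholder = "Email"
        emailField.textContentType = .emailAddress
        emailField.keyboardType = .emailAddress
        emailField.autocapitalizationType = .none
        phoneField.placeholder = "Phone"
        phoneField.textContentType = .telephoneNumber
        phoneField.keyboardType = .phonePad

        let button = UIButton(type: .system)
        button.setTitle("Choose photo", for: .normal)
        button.addTarget(self, action: #selector(choosePhoto), for: .touchUpInside)

        let stack = UIStackView(arrangedSubviews: [avatarView, emailField, phoneField, button])
        stack.axis = .vertical
        stack.spacing = 12
        stack.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(stack)
        NSLayoutConstraint.activate([
            stack.leadingAnchor.constraint(equalTo: view.layoutMarginsGuide.leadingAnchor),
            stack.trailingAnchor.constraint(equalTo: view.layoutMarginsGuide.trailingAnchor),
            stack.topAnchor.constraint(equalTo: view.safeAreaLayoutGuide.topAnchor, constant: 16),
            avatarView.heightAnchor.constraint(equalToConstant: 120),
        ])
    }

    @objc private func choosePhoto() {
        // PHPickerConfiguration() without a photoLibrary argument is the
        // zero-permission mode: no prompt, no asset identifiers, just the picked image.
        var config = PHPickerConfiguration()
        config.filter = .images
        config.selectionLimit = 1
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = self
        present(picker, animated: true)
    }

    func picker(_ picker: PHPickerViewController, didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        // Empty results means the user cancelled; nothing was shared with the app.
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }
        provider.loadObject(ofClass: UIImage.self) { [weak self] object, error in
            guard error == nil, let image = object as? UIImage else { return }
            DispatchQueue.main.async { self?.avatarView.image = image }
        }
    }
}
```

Note that because the picker was created without a PHPhotoLibrary, the PHPickerResult carries no assetIdentifier; if the app later needs to re-fetch the asset it has to ask for Limited Photos Library access instead, which is the point where the user sees a prompt.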
3. Security protections of the data
This year Apple platforms are adding support for:
- DNS over TLS
- DNS over HTTPS
Server name (SNI) encryption in TLS handshake ⭢ in progress
4. Transparency and control
Currently, a privacy policy is required for all apps
Starting in fall 2020, when you submit an app to the App Store you will need to fill out a form stating:
- what kind of data you collect
- how it is used
- if it’s linked to the user
- if it’s used to track users
This will be displayed on the app’s App Store page on all platforms
Remember, SDKs are a part of your app too 😅
"In the meantime, reach out to your SDKs' developers to make sure you understand how they may collect and use data"
On the web – ITP protects Safari users from trackers tracking their data, and now it will be able to present a “Privacy Report” showing what trackers specifically it has caught on each page
Clipboard usage:
iOS 14 will now make it clear when an app copies information put into the clipboard by another app (“Notes pasted from Messages”)
Camera and microphone:
An indicator will now be displayed in the status bar if an app is using either of these
In the control center, you will be able to see which app is using or has recently used camera or microphone
If you start camera capture immediately on launch, users may be surprised to see the indicator before they have touched any camera feature
Make sure that users understand why you are accessing camera, microphone or pasteboard
And again, remember that SDKs are a part of your app too and they may unexpectedly access these resources
Local network:
Apps can currently freely access a lot of information about the local network
This information can be used to build a profile about the user, learn their location or locate other people nearby
In iOS 14, when an app wants to access the local network, it will trigger a prompt to let the user grant or refuse access
Declare the Bonjour services you connect to in Info.plist
Provide a usage string and make sure that the user understands why they are seeing the popup
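How the declaration and the prompt fit together in code, as an added example that is not from the session: a Bonjour browser built on Network.framework's NWBrowser. The service type "_examplegame._tcp", the Info.plist strings and the PeerFinder class are assumptions for illustration; the behaviour of the browser when the user refuses the prompt (it stays in .waiting with a DNS policy error rather than failing) is also stated as an assumption in the comments.

```swift
import Foundation
import Network

// Added example (not from the session). Assumed Info.plist entries:
//   NSLocalNetworkUsageDescription = "Finds other players on your Wi-Fi so you can start a game."
//   NSBonjourServices = ["_examplegame._tcp"]
// Browsing for a type that is not listed in NSBonjourServices is denied by the
// system, so the plist entry and the code must agree.
final class PeerFinder {
    private let browser: NWBrowser
    private(set) var peers: [String] = []
    var onPeersChanged: (([String]) -> Void)?
    var onNoAccess: ((NWError) -> Void)?

    init(serviceType: String = "_examplegame._tcp") {
        browser = NWBrowser(for: .bonjour(type: serviceType, domain: nil), using: .tcp)

        browser.stateUpdateHandler = { [weak self] state in
            switch state {
            case .ready:
                break
            case .waiting(let error):
                // Assumption: if the user refused the local network prompt the browser
                // does not fail outright but sits in .waiting with a DNS policy error.
                // Treat that as "no access" and tell the user, instead of retrying silently.
                self?.onNoAccess?(error)
            case .failed(let error):
                self?.onNoAccess?(error)
            default:
                break
            }
        }

        browser.browseResultsChangedHandler = { [weak self] results, _ in
            // Keep only the service names; we never enumerate the network ourselves.
            let names = results.compactMap { result -> String? in
                if case let .service(name, _, _, _) = result.endpoint { return name }
                return nil
            }.sorted()
            self?.peers = names
            self?.onPeersChanged?(names)
        }
    }

    // Call this from a user action ("Find players"), not at launch, so the
    // local network prompt appears in a context the user understands.
    func start() { browser.start(queue: .main) }
    func stop() { browser.cancel() }
}
```

Starting the browser only from an explicit user action matters for two reasons: the prompt's usage string is read in the context of what the user just tapped, and an app that never browses never triggers the prompt at all.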
MAC addresses:
They are used to let devices identify other devices on the local network
However, they can be used to track devices and people
iOS 8 ⭢ MAC address randomization
- randomizes address when scanning for WiFi networks
- however, one fixed address is still used when you’re connected to a network
iOS 14: Private Wi-Fi Address
- different random addresses are now used when connecting to different networks
- address is changed within one network every 24 hours, or when you leave and re-join the network
- setting can be changed in the WiFi settings
Nearby Interaction framework
- gets distance and direction information to a nearby peer
- uses the new U1 chip
- e.g. for local multi-player games
- app gets access to this information for the duration of a session, while the app is in the foreground
- include a usage prompt
App Clips
- app clips are cleaned up when not used for a period of time
- new location confirmation API
Safari Extensions:
- you can grant access for an extension to a specific website or only for one day
Tracking prevention for apps:
App Store policy will now require apps to ask for the user’s permission before tracking them across apps and websites owned by other companies
To share user data with other companies, your app must display a special prompt and only track the data if the user agrees
This includes tracking for:
- targeted advertising
- advertising measurement
- sharing with data brokers
You’re tracking the user across other companies if you share information about them that can be joined up by some kind of user ID, device ID, fingerprint, profile or the IDFA
Asking for this permission is required to access the IDFA (without permission the IDFA returns all zeros)
Tracking permission is *not* required if:
- linking is done only on user’s device and not sent anywhere
- sharing with a data broker is done only for the purposes of fraud prevention or security (and only for your purposes, not the data broker’s)
Use the new AppTrackingTransparency
framework to show the prompt
Requires the NSUserTrackingUsageDescription usage key in Info.plist
User can choose to not be asked by any app – there’s a switch in the Settings named “Allow Apps to Request to Track” (replacement for existing “Limit Ad Tracking”)
Remember that users can change the setting at any moment:
- check the AppTrackingTransparency authorization status every time your app launches - don’t store or cache the IDFA or the earlier answer
- think about what changes you should make to stop tracking the user if they switch if off later
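The points above (prompt only when undetermined, re-check on every launch, never cache the IDFA, react when the user switches tracking off later) as an added example that is not code from the session. The TrackingGate class and the applyToSDKs hook are assumptions standing in for whatever ad or analytics SDK configuration the app actually does.

```swift
import UIKit
import AppTrackingTransparency
import AdSupport

// Added example (not from the session). Info.plist must carry
// NSUserTrackingUsageDescription, e.g. "Used to show you ads relevant to your interests."
final class TrackingGate {
    enum Decision { case allowed, notAllowed }

    // Hypothetical hook: the app forwards the decision to its ad/analytics SDKs,
    // which are part of the app and must stop tracking when told to.
    private let applyToSDKs: (Decision) -> Void

    init(applyToSDKs: @escaping (Decision) -> Void) {
        self.applyToSDKs = applyToSDKs
        // Re-evaluate every time the app becomes active: the user can flip the
        // per-app switch or "Allow Apps to Request to Track" in Settings at any time,
        // and the request API only works while the app is active.
        NotificationCenter.default.addObserver(self, selector: #selector(reevaluate),
                                               name: UIApplication.didBecomeActiveNotification,
                                               object: nil)
    }

    @objc func reevaluate() {
        guard #available(iOS 14, *) else {
            // Pre-iOS 14 there is no ATT; honour the old Limit Ad Tracking flag instead.
            let enabled = ASIdentifierManager.shared().isAdvertisingTrackingEnabled
            applyToSDKs(enabled ? .allowed : .notAllowed)
            return
        }
        switch ATTrackingManager.trackingAuthorizationStatus {
        case .authorized:
            applyToSDKs(.allowed)
        case .denied, .restricted:
            // .restricted: requests are disabled globally (Settings switch or MDM);
            // the prompt will never be shown, so do not keep trying.
            applyToSDKs(.notAllowed)
        case .notDetermined:
            // iOS shows the prompt at most once and persists the answer itself.
            ATTrackingManager.requestTrackingAuthorization { [weak self] status in
                self?.applyToSDKs(status == .authorized ? .allowed : .notAllowed)
            }
        @unknown default:
            applyToSDKs(.notAllowed)
        }
    }

    /// Read the IDFA on demand each time; never persist it, and treat the
    /// all-zero value as "no identifier".
    static func currentIDFA() -> String? {
        if #available(iOS 14, *), ATTrackingManager.trackingAuthorizationStatus != .authorized {
            return nil
        }
        let id = ASIdentifierManager.shared().advertisingIdentifier.uuidString
        return id == "00000000-0000-0000-0000-000000000000" ? nil : id
    }
}

// Usage (hypothetical SDK call):
// let gate = TrackingGate { decision in adSDK.setTrackingEnabled(decision == .allowed) }
// gate.reevaluate()
```

The design choice worth noting is that nothing here remembers the answer: the gate always asks the system, so a user who turns tracking off in Settings tomorrow is respected at the next activation without any app update, and the SDKs receive `.notAllowed` at that point.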
Advertising attribution
Tracking often only happens because someone is trying to answer an advertising-related question, like which advertising campaign is the most effective
SKAdNetwork
– a new privacy-friendly system that lets you measure conversion without tracking specific users
Uses aggregation and on-device intelligence
Doesn’t require tracking permission
Lets the ad network learn which campaigns in which apps lead to downloads, but not who exactly is downloading each app
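What "measuring conversion without tracking specific users" looks like on the app side, as an added example that is not code from the session, using the iOS 14 SKAdNetwork API (registerAppForAdNetworkAttribution and updateConversionValue). SKAdNetwork only ever carries a 6-bit integer (0 to 63) back to the ad network, in aggregate and without a user or device identifier; the bit layout below (funnel step plus a revenue bucket) and the AttributionReporter class are this example's own assumptions, and the revenue thresholds are illustrative.

```swift
import Foundation
import StoreKit

// Added example (not from the session). The 6-bit layout is an assumed schema
// for this app; SKAdNetwork itself only sees the integer 0...63.
struct ConversionValue: Equatable {
    private(set) var funnelStep = 0      // bits 0-2: furthest onboarding step reached (0-7)
    private(set) var revenueBucket = 0   // bits 3-5: coarse lifetime revenue bucket (0-7)

    var rawValue: Int { (revenueBucket << 3) | funnelStep }   // always within 0...63

    // Values only ever move upward: the postback reports the last value sent,
    // so a decrease would throw away information already earned.
    mutating func reachedStep(_ step: Int) {
        funnelStep = max(funnelStep, min(max(step, 0), 7))
    }

    mutating func addRevenue(totalUSD: Decimal) {
        let bucket: Int
        if totalUSD <= 0 { bucket = 0 }
        else if totalUSD < 1 { bucket = 1 }
        else if totalUSD < 5 { bucket = 2 }
        else if totalUSD < 10 { bucket = 3 }
        else if totalUSD < 25 { bucket = 4 }
        else if totalUSD < 50 { bucket = 5 }
        else if totalUSD < 100 { bucket = 6 }
        else { bucket = 7 }
        revenueBucket = max(revenueBucket, bucket)
    }
}

final class AttributionReporter {
    private var value = ConversionValue()
    private var lastSent = -1

    /// Call once, early in launch, so an ad-driven install is counted at all.
    func appDidLaunch() {
        if #available(iOS 11.3, *) {
            SKAdNetwork.registerAppForAdNetworkAttribution()
        }
    }

    /// Apply an event to the schema and forward the new value only if it increased.
    func record(_ change: (inout ConversionValue) -> Void) {
        change(&value)
        let raw = value.rawValue
        guard raw > lastSent else { return }
        lastSent = raw
        if #available(iOS 14.0, *) {
            SKAdNetwork.updateConversionValue(raw)
        }
    }
}

// Usage: events, never identities.
// let reporter = AttributionReporter()
// reporter.appDidLaunch()
// reporter.record { $0.reachedStep(2) }                 // sends 2
// reporter.record { $0.addRevenue(totalUSD: 4.99) }    // sends (2 << 3) | 2 = 18
```

Two practical caveats: the app never learns which campaign it came from (that only reaches the ad network, and only in aggregate), and the conversion value is a property of the install, not of the user, so nothing in this code needs the IDFA or the tracking prompt.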