MacKuba

Kuba Suder's blog on Mac & iOS development

Build trust through better privacy

Categories: Privacy, WWDC 20

Main rules of privacy at Apple:

1. On-device processing - process data locally without sending it to the cloud

Once the data is sent off device, the user loses control over who can access it and what they can do with it

It also requires additional work to secure the user data in transit and when stored in the cloud

For ML, Apple is adding more and more ways to train models on device so that you don’t need to send user data somewhere in order to update the models

Private federated learning – sending only anonymized updates to the model to the server

Used previously for: QuickType, Hey Siri; now also photo sharing, dictation, HomeKit object detection

2. Data minimization - build user’s trust by requesting and using only the data that you actually need

New APIs introduced this year to let you access less data to achieve what you need:

For contacts, instead of requesting access to the full contacts database, you can set an appropriate textContentType on a text field (.emailAddress, .telephoneNumber) and then rely on QuickType autocompleting contact info as the user types
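As an added example (not code from the session or from this blog), a sign-up form that collects a name, email and phone number through QuickType suggestions only. Nothing here touches CNContactStore, so the app needs no Contacts permission and no NSContactsUsageDescription; the user picks which contact's details to hand over, one field at a time.

```swift
import UIKit

// Added example: data minimization via textContentType instead of Contacts access.
final class ContactFormViewController: UIViewController {
    let nameField = UITextField()
    let emailField = UITextField()
    let phoneField = UITextField()

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground

        // textContentType tells the keyboard what the field is for, so QuickType can
        // offer the user's own contact card or a matching contact's email or number.
        // The app only ever sees the single value the user chose to insert.
        configure(nameField, placeholder: "Name", contentType: .name, keyboard: .default)
        configure(emailField, placeholder: "Email", contentType: .emailAddress, keyboard: .emailAddress)
        configure(phoneField, placeholder: "Phone", contentType: .telephoneNumber, keyboard: .phonePad)

        let stack = UIStackView(arrangedSubviews: [nameField, emailField, phoneField])
        stack.axis = .vertical
        stack.spacing = 12
        stack.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(stack)
        NSLayoutConstraint.activate([
            stack.topAnchor.constraint(equalTo: view.safeAreaLayoutGuide.topAnchor, constant: 24),
            stack.leadingAnchor.constraint(equalTo: view.layoutMarginsGuide.leadingAnchor),
            stack.trailingAnchor.constraint(equalTo: view.layoutMarginsGuide.trailingAnchor),
        ])
    }

    private func configure(_ field: UITextField, placeholder: String,
                           contentType: UITextContentType, keyboard: UIKeyboardType) {
        field.placeholder = placeholder
        field.textContentType = contentType   // drives the QuickType suggestion
        field.keyboardType = keyboard         // matching keyboard for the content type
        field.borderStyle = .roundedRect
        field.autocorrectionType = .no
    }
}
```

The contrast with the "request the whole address book" approach is the review surface: a permission prompt is a question the user has to trust you on, while a QuickType suggestion is a choice they make per field.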

3. Security protections of the data

This year Apple platforms are adding support for:

  • DNS over TLS
  • DNS over HTTPS

Server name (SNI) encryption in TLS handshake  ⭢  in progress

4. Transparency and control

Currently, privacy policy is required for all apps

Starting in fall 2020, when you submit an app to the App Store you will need to fill in a form stating:

  • what kind of data you collect
  • how it is used
  • if it’s linked to the user
  • if it’s used to track users

This will be displayed on the app’s App Store page on all platforms

Remember, SDKs are a part of your app too 😅

"In the meantime, reach out to your SDKs' developers to make sure you understand how they may collect and use data"

On the web, ITP (Intelligent Tracking Prevention) protects Safari users from cross-site trackers, and it will now be able to present a “Privacy Report” showing which trackers it has caught on each page

Clipboard usage:

iOS 14 will now make it clear when an app copies information put into the clipboard by another app (“Notes pasted from Messages”)

Camera and microphone:

An indicator will now be displayed in the status bar if an app is using either of these

In the Control Center, you will be able to see which app is using or has recently used the camera or microphone

If you turn on camera recording immediately on launch, users may be surprised if they see the indicator immediately before they access any camera feature

Make sure that users understand why you are accessing the camera, microphone or pasteboard

And again, remember that SDKs are a part of your app too and they may unexpectedly access these resources

Local network:

Apps can currently freely access a lot of information about the local network

This information can be used to build a profile about the user, learn their location or locate other people nearby

In iOS 14, when an app wants to access the local network, it will trigger a prompt to let the user grant or refuse access

Declare the Bonjour services you connect to in Info.plist

Provide a usage string and make sure that the user understands why they are seeing the popup
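As an added example (not code from the session or from this blog), a Bonjour browser that plays by the iOS 14 rules above. The service type `_examplegame._tcp` and the usage string are constructed for this example; the two Info.plist keys shown in the comment are the real ones the prompt depends on. The one non-obvious part for a practitioner is what "refused" looks like in code: the browser does not fail, it parks in the `.waiting` state with a DNS policy-denied error, so that is where the explanation to the user belongs.

```swift
import Foundation
import Network
import dnssd

// Added example. Assumes these Info.plist entries (values constructed for the example):
//   NSLocalNetworkUsageDescription = "Finds other players on your Wi-Fi for local games."
//   NSBonjourServices = ["_examplegame._tcp"]
// iOS 14 shows the local-network prompt the first time the browser starts.
final class PeerFinder {
    private let browser: NWBrowser
    private(set) var peers: [NWEndpoint] = []

    // Hypothetical UI hook: tell the user how to re-enable access in Settings.
    var onAccessDenied: (() -> Void)?

    init(serviceType: String = "_examplegame._tcp") {
        let descriptor = NWBrowser.Descriptor.bonjour(type: serviceType, domain: nil)
        browser = NWBrowser(for: descriptor, using: .tcp)
    }

    func start() {
        browser.stateUpdateHandler = { [weak self] state in
            switch state {
            case .ready:
                print("browsing the local network")
            case .waiting(let error):
                // A refused prompt surfaces here as kDNSServiceErr_PolicyDenied.
                // Don't spin on retries; explain why the feature is unavailable instead.
                if case .dns(let code) = error,
                   code == DNSServiceErrorType(kDNSServiceErr_PolicyDenied) {
                    self?.onAccessDenied?()
                }
            case .failed(let error):
                print("browser failed: \(error)")
            default:
                break
            }
        }
        browser.browseResultsChangedHandler = { [weak self] results, _ in
            // Only the declared service type is ever returned; undeclared types
            // are filtered out by the system regardless of the user's answer.
            self?.peers = results.map { $0.endpoint }
        }
        browser.start(queue: .main)
    }

    func stop() { browser.cancel() }
}
```

Start the browser from the feature that needs it (e.g. the "Find players" button), not at launch, so the prompt appears in a context the user understands.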

MAC addresses:

They are used to let devices identify other devices on the local network

However, they can be used to track devices and people

iOS 8  ⭢  MAC address randomization

  • randomizes address when scanning for WiFi networks
  • however, one fixed address is still used when you’re connected to a network

iOS 14: Private Wi-Fi Address

  • different random addresses are now used when connecting to different networks
  • address is changed within one network every 24 hours, or when you leave and re-join the network
  • setting can be changed in the WiFi settings

Nearby Interaction framework

  • gets distance and direction information to a nearby peer
  • uses the new U1 chip
  • e.g. for local multi-player games
  • app gets access to this information for the duration of a session, while the app is in the foreground
  • include a usage prompt

App Clips

  • app clips are cleaned up when not used for a period of time
  • new location confirmation API

Safari Extensions:

  • you can grant access for an extension to a specific website or only for one day

Tracking prevention for apps:

App Store policy will now require apps to ask for the user’s permission to track their data across apps and websites owned by other companies

To share user data with other companies, your app must display a special prompt and only track the data if the user agrees

This includes tracking for:

  • targeted advertising
  • advertising measurement
  • sharing with data brokers

You’re tracking data across other companies if you share info about the user that can be identified by some kind of user ID, device ID, fingerprint, profile or IDFA

Asking for this permission is required to access the IDFA (IDFA returns 0000… if you don’t have permission)

Tracking permission is *not* required if:

  • linking is done only on user’s device and not sent anywhere
  • sharing with a data broker is done only for the purposes of fraud prevention or security (and only for your purposes, not the data broker’s)

Use the new AppTrackingTransparency framework to show the prompt

Requires NSUserTrackingUsageDescription usage key

User can choose to not be asked by any app – there’s a switch in the Settings named “Allow Apps to Request to Track” (replacement for existing “Limit Ad Tracking”)

Remember that users can change the setting at any moment:

  • call the AppTrackingTransparency API every time your app is relaunched
  • don’t store or cache the IDFA
  • think about what changes you should make to stop tracking the user if they switch it off later
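As an added example (not code from the session or from this blog), a small consent helper that follows the three rules above: it re-checks status on every activation, reads the IDFA fresh instead of caching it, and routes a revoked permission to a "stop tracking" hook. The closures `onTrackingAllowed` / `onTrackingDisallowed` are hypothetical hooks into the app's own analytics code, and the usage-description string is constructed.

```swift
import UIKit
import AppTrackingTransparency
import AdSupport

// Added example. Requires this Info.plist entry (value constructed for the example):
//   NSUserTrackingUsageDescription = "Used to measure which ads brought you to the app."
final class TrackingConsent {
    var onTrackingAllowed: ((UUID) -> Void)?   // hypothetical hook
    var onTrackingDisallowed: (() -> Void)?    // hypothetical hook

    // Call on every launch and every return to the foreground: the user can flip the
    // switch in Settings at any time, so status from a previous run is never trusted.
    func refresh() {
        let current = ATTrackingManager.trackingAuthorizationStatus
        guard current == .notDetermined else {
            apply(current)
            return
        }
        // The system shows the prompt only once per install and remembers the answer.
        ATTrackingManager.requestTrackingAuthorization { [weak self] status in
            DispatchQueue.main.async { self?.apply(status) }
        }
    }

    private func apply(_ status: ATTrackingManager.AuthorizationStatus) {
        switch status {
        case .authorized:
            // Read the IDFA each time; never persist it. Once permission is revoked the
            // identifier is all zeros and any stored copy would be stale (and a policy risk).
            let idfa = ASIdentifierManager.shared().advertisingIdentifier
            if idfa.uuidString == "00000000-0000-0000-0000-000000000000" {
                onTrackingDisallowed?()
            } else {
                onTrackingAllowed?(idfa)
            }
        case .denied, .restricted, .notDetermined:
            // .restricted covers "Allow Apps to Request to Track" being off: the prompt
            // will never be shown, so treat it exactly like a denial.
            onTrackingDisallowed?()
        @unknown default:
            onTrackingDisallowed?()
        }
    }
}

// Wiring (scene-based app): run the check whenever the scene becomes active, which also
// catches the user coming back from Settings after changing the switch.
//
//   func sceneDidBecomeActive(_ scene: UIScene) { trackingConsent.refresh() }
```

The `onTrackingDisallowed` path is the part most apps forget: it should not only stop sending the identifier but also tear down any linkage built while permission was granted.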

Advertising attribution

Tracking often only happens because someone is trying to answer an advertising-related question, like which advertising campaign is the most effective

SKAdNetwork – a new privacy-friendly system that lets you measure conversion without tracking specific users

Uses aggregation and on-device intelligence

Doesn’t require tracking permission

Lets the ad network learn which campaigns in which apps lead to downloads, but not who exactly is downloading each app
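As an added example (not code from the session or from this blog), the advertised app's side of SKAdNetwork on iOS 14: register once at launch, then report a conversion value as the user hits milestones. Apple only accepts a 6-bit value (0 to 63), so the bit assignment below is a constructed scheme to show how coarse milestones fit into it; the milestone names are hypothetical.

```swift
import StoreKit

// Added example: privacy-preserving conversion measurement. Nothing here touches the
// IDFA, and no AppTrackingTransparency prompt is needed.
struct ConversionValue {
    // Six bits are all the system carries (0...63); one bit per coarse milestone.
    // Bit layout is constructed for this example.
    static let completedOnboarding: UInt8 = 1 << 0
    static let reachedLevel5: UInt8       = 1 << 1
    static let madePurchase: UInt8        = 1 << 2
    static let subscribed: UInt8          = 1 << 3

    private(set) var bits: UInt8 = 0

    // Returns true only when the value actually changed, so callers don't spam updates.
    mutating func record(_ milestone: UInt8) -> Bool {
        let next = bits | (milestone & 0x3F)   // mask keeps us inside the 6-bit range
        guard next != bits else { return false }
        bits = next
        return true
    }
}

enum Attribution {
    private static var value = ConversionValue()

    // Call once at launch: marks this install as potentially ad-attributable.
    static func appDidLaunch() {
        SKAdNetwork.registerAppForAdNetworkAttribution()
    }

    // Call from feature code when a milestone happens. The value only ever grows, and
    // the update window closes a short time after install; after that the system sends
    // the ad network a postback with the final value, campaign and app identifiers only,
    // never a user or device identifier.
    static func milestone(_ milestone: UInt8) {
        if value.record(milestone) {
            SKAdNetwork.updateConversionValue(Int(value.bits))
        }
    }
}

// Usage:
//   Attribution.appDidLaunch()                              // in application(_:didFinishLaunchingWithOptions:)
//   Attribution.milestone(ConversionValue.completedOnboarding)
//   Attribution.milestone(ConversionValue.madePurchase)     // value becomes 0b101 = 5
```

Because the ad network receives one small integer per install rather than an event stream tied to an identifier, the question "which campaign converts" gets answered in aggregate, which is the whole point of the section above.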