> It relies too heavily on trusting the very tracking companies that the policies are supposed to be protecting users against: Apple’s definition allows apps to secretly send any and all of your data to third parties, and as long as those third parties publicly claim they won’t link your data to other sites or sell it, it’s not considered “tracking” by Apple. It is a 100% trust-based honor system, which means that the only way for these companies to get caught “tracking” is to literally pen a public confession of guilt or wrongdoing — something that profit-driven companies are not exactly known for doing.
>
> ...
>
> Not only do these trackers allow their clients to break Apple’s rules, but they specifically built features to help their clients easily circumvent Apple’s ATT privacy rules.
>
> First, we created a dummy app that used the Kochava tracking service. With just a few clicks, we configured Kochava to violate Apple’s “ATT Opt-Out” by asking it to track users across apps (using “IP address” and “User Agent”) for the purpose of ad targeting (“Paid Media”). Basically, Kochava made it really convenient for any app developer to violate even Apple’s narrow definition of tracking.
>
> We later performed the same test with the AppsFlyer tracking service (which, as previously mentioned, hides the data it sends off your device), and it was even easier to enable “privacy cheat mode” and track users against their consent — all it took was clicking a single button.

Wow.
I use Lockdown for iOS, and Blokada or TrackerControl on Android (they're all very similar, on-device VPN + block list).

Even with tracking disabled, apps will still contact third-party ad/tracking servers. Just this morning on iOS:

- app-measurement.com
- play.googleapis.com
- googleads.g.doubleclick.net
- mobile-collector.newrelic.com
- inapps.appsflyer.com
- api.mixpanel.com
- graph.facebook.com (this is a major offender, even if you don't have Facebook apps installed, other apps love to feed FB data)
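As an added example (not the commenter's code, and not code from Lockdown, Blokada or TrackerControl): a small Python script that does what a reader would do with the logs those on-device VPN/DNS filters produce, namely scan per-app DNS query records against a blocklist and report which apps reached which tracking hosts. The blocklist entries are the hosts named in the comment above; the log line format (timestamp, app name, queried host), the app names and the query lines themselves are constructed for the example. Matching walks up the label hierarchy, so a query for a subdomain of a listed host (for instance a regional endpoint under api.mixpanel.com) is still flagged, and host names are normalised (lower-cased, trailing dot stripped) before comparison, which is the detail most ad-hoc grep-based checks get wrong.

```python
"""Flag per-app DNS query log lines that hit known ad/tracking hosts.

Hypothetical log format (one query per line, constructed for this example):
    <ISO-8601 timestamp> <app name> <queried host>
"""
from collections import defaultdict
from typing import Optional

# Hosts named in the comment above. Each entry covers the host itself and
# every subdomain beneath it.
TRACKER_BLOCKLIST = frozenset({
    "app-measurement.com",
    "play.googleapis.com",
    "googleads.g.doubleclick.net",
    "mobile-collector.newrelic.com",
    "inapps.appsflyer.com",
    "api.mixpanel.com",
    "graph.facebook.com",
})

# Constructed sample log. Mixed case, a trailing dot, a subdomain of a listed
# host and a malformed line are included on purpose.
SAMPLE_LOG = """\
2023-01-10T08:01:02Z WeatherApp app-measurement.com
2023-01-10T08:01:03Z WeatherApp api.weather.example
2023-01-10T08:01:05Z GameApp GRAPH.FACEBOOK.COM.
2023-01-10T08:01:06Z GameApp inapps.appsflyer.com
2023-01-10T08:01:07Z GameApp cdn.example.net
garbage
2023-01-10T08:01:09Z NewsApp googleads.g.doubleclick.net
2023-01-10T08:01:10Z NewsApp eu.api.mixpanel.com
2023-01-10T08:01:11Z NewsApp www.news.example
"""


def normalize_host(host: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def matches_blocklist(host: str, blocklist=TRACKER_BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that covers `host`, or None.

    The host and every parent domain of it are checked, so a blocklist entry
    for api.mixpanel.com also covers eu.api.mixpanel.com.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_log_line(line: str):
    """Parse one log line into (timestamp, app, host); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def flag_tracker_hits(log_text: str, blocklist=TRACKER_BLOCKLIST):
    """Return a list of dicts for every query that landed on a blocklisted host."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing the scan
        timestamp, app, host = parsed
        matched = matches_blocklist(host, blocklist)
        if matched is not None:
            hits.append({"time": timestamp, "app": app,
                         "host": normalize_host(host), "matched": matched})
    return hits


def summarize_by_app(hits):
    """Map each app to the sorted list of distinct blocklist entries it contacted."""
    per_app = defaultdict(set)
    for hit in hits:
        per_app[hit["app"]].add(hit["matched"])
    return {app: sorted(entries) for app, entries in per_app.items()}


if __name__ == "__main__":
    for app, entries in summarize_by_app(flag_tracker_hits(SAMPLE_LOG)).items():
        print(f"{app}: {', '.join(entries)}")
```

Running it over the constructed log reports three apps that reached tracking hosts despite no tracking consent being involved on the device side, which is the pattern the comment describes; in practice you would feed it the export from whichever on-device filter you use after adapting `parse_log_line` to that tool's format.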
It's weird that former Apple engineers don't explain how IDFA, which is blocked by answering "ask app not to track", works. It is the only thing that's prevented by Apple, and the rest lies on the developer. Try to circumvent it, and risk a ban (of course some apps are still trying, driven by their risk/reward calculations, but bans aren't unheard of).

Another thing: "ask app not to track" doesn't mean that data won't be collected. It means that this particular user must not be identifiable across different apps / web sites, even if personally identifiable data is being sent. The authors completely ignore this point.
I've tried using Lockdown and I also tried NextDNS on things as well. Lockdown was good, but I like NextDNS because I can run it on anything. I don't think I can do the same on Lockdown? Lockdown and NextDNS aren't exactly the same thing, but they do the job quite nicely from what I can see. Checking out the logs on both is always interesting.

https://apps.apple.com/us/app/lockdown-privacy/id1469783711

https://apps.apple.com/us/app/nextdns/id1463342498
Dumb question: Why don't we just use fuzzing instead of privacy? e.g. the tracking APIs are just filled with noise data when you want to not be tracked? It seems the big issue is that companies doing the tracking know the data is there and then use it inappropriately. What about just giving them garbage data instead?
Anyone know how Lockdown is funded? The app is free and open source, so how are they able to make money and operate?

Someone on HN wrote that they always look at how a company is funded before engaging with them, so they know where their incentives are. I thought that's a pretty good idea and am trying to apply the same idea here.

I can find the backstory, but I don't know how the company is able to operate and continue developing.
I think the core thing here is that in a lawsuit a user can now point to an explicit action that they took, and the app's decision to ignore that decision, despite having agreed to obey that decision as part of the use of that app.

The fact that stuff like this isn't caught in the automated portion of review is fairly appalling, though.