App Store —

Apple will require app devs to explain exactly why they use certain APIs

Some seemingly innocuous APIs are misused to track users, Apple says.

A blue smartphone with two cameras.
Enlarge / The back of the iPhone 13.
Samuel Axon

Apple has announced an additional hoop developers must jump through to get their apps approved on its App Store. Soon, developers of apps that use certain APIs will have to clarify their reasons for using them when submitting those apps.

Apple is trying to close some fingerprinting loopholes here. The term "fingerprinting" in this context refers to various techniques for learning information about a device or its user and tracking them across multiple unrelated apps or websites.

It's something that Apple has been saying is not allowed in iPhone apps for a while, and the company introduced the controversial App Tracking Transparency initiative in 2021 to give users a choice in whether things like mobile ad networks (for example) could track them in this way.

That said, some more creative and stealthy forms for fingerprinting have been prohibited since then, even if users do opt in to be tracked—and those include misuse of the APIs in question here.

Clever developers can find ways to use the features, information, or tools they offer to track users in exactly the sorts of ways Apple has been trying to stop—even if that wasn't the main purpose of the API. The APIs that developers will have to justify do things like see file timestamps or look at system boot times, among others. In Apple's words, these apps can be "misused to access device signals to try to identify the device or user, also known as device fingerprinting."

Of course, developers can still technically lie and say they're using an API for one thing when they're actually using it for something else. Apple addresses that with the somewhat vague policy that "declared reasons must be consistent with your app’s functionality as presented to users."

It won't be a perfect system, but it's likely it will allow Apple to at least decrease the practice of fingerprinting.

Apple previously stated that this change was coming during WWDC 2023, but the company revealed more details and a specific timeline this week.

The rollout will be slow, giving developers plenty of time to respond—at least those who are in a position to actively maintain their apps. Starting this fall, developers who upload an app or an app update that uses one of these APIs will receive a notice that they will need to specify a reason soon.

In spring of 2024, apps that haven't done this will be rejected. It will be as easy as picking a pre-approved list from a dropdown menu upon app submission for some developers. Still, others may have to do more substantial work—in particular, those who have been taking advantage of this loophole will need to do some development work to change their applications to make them stop doing that if they can't make a case that one of the approved reasons applies. Those who feel the pre-approved reasons fail to include their own legitimate, non-fingerprinting reason for using an API can contact Apple via a form to request a new reason be approved.

Reader Comments (114)

View comments on forum

Loading comments...

Channel Ars Technica