1957 points apokryptein | 60 comments
qingcharles ◴[] No.42911578[source]
One big privacy issue is that there is no sane way to protect your contact details from being sold, regardless of what you do.

As soon as your cousin clicks "Yes, I would like to share the entire contents of my contacts with you" when they launch TikTok your name, phone number, email etc are all in the crowd.

And I buy this stuff. Every time I need customer service and I'm getting stonewalled I just go onto a marketplace, find an exec and buy their details for pennies and call them up on their cellphone. (this is usually successful, but can backfire badly -- CashApp terminated my account for this shenanigans)

replies(33): >>42911665 #>>42911679 #>>42911714 #>>42911768 #>>42911810 #>>42911853 #>>42911874 #>>42912408 #>>42912465 #>>42912852 #>>42912979 #>>42913150 #>>42913418 #>>42913708 #>>42913974 #>>42914004 #>>42914803 #>>42914807 #>>42915963 #>>42916052 #>>42916619 #>>42916711 #>>42916764 #>>42917374 #>>42918405 #>>42918914 #>>42918920 #>>42920277 #>>42920369 #>>42920873 #>>42920949 #>>42940036 #>>42967302 #
1. gruez ◴[] No.42911768[source]
>One big privacy issue is that there is no sane way to protect your contact details from being sold, regardless of what you do.

>As soon as your cousin clicks "Yes, I would like to share the entire contents of my contacts with you" when they launch TikTok your name, phone number, email etc are all in the crowd.

Fortunately this is changing with iOS 18 with "limited contacts" sharing.

https://mobiledevmemo.com/wp-content/uploads/2024/09/image.p...

The interface also seems specifically designed to push people to allow only a subset of contacts, rather than blindly clicking "allow all".

The far bigger issue is the contact info you share with online retailers. Scraping contact info through apps is very visible, drawing flak from the media and consumers. Most of the time all you get is a name (could be a nickname), and maybe some combination of phone/email/address, depending on how diligent the person is in filling out all the fields. On the other hand placing any sort of order online requires you to provide your full name, address, phone number, and email address. You can also be reasonably certain that they're all accurate, because they're plausibly required for delivery/billing purposes. Such data can also be surreptitiously fed to data brokers behind the scenes, without an obvious "tiktok would like access to your contacts" modal.

replies(8): >>42911926 #>>42912101 #>>42912892 #>>42913397 #>>42915871 #>>42915947 #>>42916008 #>>42916767 #
2. create-username ◴[] No.42911926[source]
People will share their whole list because it’s simpler
replies(2): >>42912018 #>>42912704 #
3. ◴[] No.42912018[source]
4. x0x0 ◴[] No.42912101[source]
I think it's not properly appreciated that Apple fully endorses all of this. For two reasons: (1) the provision of the output of billions of dollars of developer time to their users for no up front cost (made back via ads) is super valuable to their platform; and (2) they uniquely could stop this (at the price of devastating their app store), but choose not to.

In light of that, perhaps reevaluate their ATT efforts as far less about meaningful privacy and far more about stealing $10B a year or so from Facebook.

replies(1): >>42912373 #
5. gruez ◴[] No.42912373[source]
>I think it's not properly appreciated that Apple fully endorses all of this. [...] they uniquely could stop this (at the price of devastating their app store), but choose not to.

A perfectly privacy respecting app store isn't going to do any good if it doesn't have any apps. Just look at f-droid. Most (all?) of the apps there might be privacy respecting, but good luck getting any of the popular apps (eg. facebook, tiktok, google maps) on there.

>In light of that, perhaps reevaluate their ATT efforts as far less about meaningful privacy and far more about stealing $10B a year or so from Facebook.

What would make you think Apple's pro-privacy changes aren't "about stealing $10B a year or so from Facebook"? At least some people are willing to pay for more privacy, and pro-privacy changes hurt advertisers, so basically any pro-privacy change can be construed as "less about meaningful privacy and far more about stealing".

replies(3): >>42912776 #>>42914059 #>>42914097 #
6. taneq ◴[] No.42912704[source]
Or because they were tricked. eg. LinkedIn’s “Connect with your contacts” onboarding step which sounds like it’ll check your contacts against existing LinkedIn users but actually spam invites anyone on your contact list that doesn’t have an account.
replies(3): >>42914036 #>>42916894 #>>42919089 #
7. Aeolun ◴[] No.42912776{3}[source]
> good luck getting any of the popular apps (eg. facebook, tiktok, google maps) on there

That makes sense, considering they’re not privacy respecting.

8. sneak ◴[] No.42912892[source]
How about a no/limited internet setting? So many apps spy on you and they don’t need network at all to function.
replies(6): >>42913719 #>>42914019 #>>42914515 #>>42914675 #>>42915425 #>>42915448 #
9. ActorNightly ◴[] No.42913397[source]
>Fortunately this is changing with iOS 18 with "limited contacts" sharing.

It's not. Apple still owns your stuff. There is no difference between Apple and other 3p retailers. Apple just wants more of your money.

replies(1): >>42913740 #
10. coin ◴[] No.42913719[source]
I would love an iOS setting that blocks all network access for certain apps
11. gruez ◴[] No.42913740[source]
>It's not. Apple still owns your stuff. There is no difference between Apple and other 3p retailers.

That could be taken to mean anywhere between "Apple controls the software on your iPhone, therefore they control your contacts" and "Apple gives out your data like the data brokers mentioned in the OP". The former wouldn't be surprising at all, and most people would be happy with, and the latter would be scandalous if proven. What specifically are you arguing for?

replies(1): >>42914692 #
12. dylan604 ◴[] No.42914019[source]
Until the app's devs get wise to this, and do not allow the app to function without the network access. It could be as simple as a full screen, non-closable screen that says the app requires network access with a button to the proper setting to correct the issue.
replies(3): >>42914079 #>>42914151 #>>42914837 #
13. wkat4242 ◴[] No.42914036{3}[source]
LinkedIn is so terribly evil these days.

I also see the shenanigans of adding new 'privacy' settings and setting them open by default. Another typical Microsoft ploy by the way.

replies(1): >>42915764 #
14. wkat4242 ◴[] No.42914059{3}[source]
F-Droid will never have popular apps because it requires them to be open source. In fact F-Droid does the build for you, generating reproducible builds and avoiding the risk of adding trackers to the binary that aren't actually in the source code. With F-Droid the code you see is what you get.
15. wkat4242 ◴[] No.42914079{3}[source]
Yeah like the ChatGPT app that doesn't work without a Google account. I have Google play on my phone, just no account logged in. I do have Google play services like firebase push which many apps legitimately need. But ChatGPT just opens the login screen in the play store and exits itself.

I'm always wondering why these idiots force the creation of an account with their direct competitor. It's the only app I have that does this. But anyway I don't use their app for that reason, only use them a bit through API.

replies(1): >>42930187 #
16. inetknght ◴[] No.42914097{3}[source]
> A perfectly privacy respecting app store isn't going to do any good if it doesn't have any apps.

40 years ago apps were sold on floppy disks. 30 years ago they were sold on CD-ROMs. 20 years ago, DVDs.

Online-only apps are a recent thing. A privacy respecting app store certainly can be a thing. Apps being blocked or banned from stores for choosing to not respect your privacy is a good thing.

replies(2): >>42914344 #>>42915212 #
17. ryandrake ◴[] No.42914151{3}[source]
Such "go away" screens are in violation of Apple's AppStore rules. You cannot make a permission a condition of using the app, and stop the user from using it if they don't grant that permission. The app should gracefully do as much as it possibly can without the permission.
replies(2): >>42914415 #>>42916029 #
18. gruez ◴[] No.42914344{4}[source]
>Online-only apps are a recent thing. A privacy respecting app store certainly can be a thing.

I'm not sure what you're trying to say. I specifically acknowledged the existence of f-droid as a "privacy respecting app store" in the quoted comment.

>Apps choosing to not respect your privacy, and being blocked or banned from stores, is a good thing.

"a good thing" doesn't mean much when most people haven't even heard of your app store, and are missing out on all the popular apps that people want. Idealism doesn't mean much when nobody is using it. Apple might not be the paragon of privacy, but they had a greater impact on user privacy than f-droid ever will. To reiterate OP's point: what's the point of having a perfectly private OS and app store, when there's no apps for it, and your normie friends/relatives are going to sell you out anyways by uploading their entire contact list and photos (both with you in it) to google and meta?

replies(1): >>42922198 #
19. maeil ◴[] No.42914415{4}[source]
This holds for every app and every permission? Because I'm quite sure I recently used an app that closed for not allowing a permission. May be misremembering..
replies(1): >>42914762 #
20. eudhxhdhsb32 ◴[] No.42914515[source]
GrapheneOS has that. It asks every time you install a new app whether it should have network permissions.
21. hellojesus ◴[] No.42914675[source]
GrapheneOS lets you pick this for apps before they even launch. You can revoke their network access, as well as define storage scopes for apps at a folder level, so if an app needs access to photos, you can define a folder, and that is the only folder it can scan for photos.

I used that when submitting parental leave at work. I didn't want to provide full access to all my photos and files for work, so all they got was a folder with a pic of a birth certificate.

replies(2): >>42914829 #>>42919028 #
22. ActorNightly ◴[] No.42914692{3}[source]
Why do you inherently trust Apple?

Remember, the big celebrity photo leak happened because of a vulnerability within Apple Software.

replies(3): >>42914940 #>>42914958 #>>42921712 #
23. ryandrake ◴[] No.42914762{5}[source]
5.1.1 (iv) Access: Apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access. For example, apps that include the ability to post photos to a social network must not also require microphone access before allowing the user to upload photos. Where possible, provide alternative solutions for users who don’t grant consent. For example, if a user declines to share Location, offer the ability to manually enter an address.

https://developer.apple.com/app-store/review/guidelines/

This wording is actually a lot weaker than I remember it back when I wrote iOS apps. The developer also was not allowed to exit the app or close it against the user’s intent, however I can’t find that rule anymore.

replies(2): >>42915031 #>>42915175 #
24. miki123211 ◴[] No.42914829{3}[source]
iOS and Mac also let you do this, for photos, contacts and files.

Apple is also pushing developers toward using native picker components. That way, you don't need to request consent at all, as you only get access to the specific object that the user has picked using a secure system component.

replies(1): >>42916204 #
25. miki123211 ◴[] No.42914837{3}[source]
You can't do this, because some users are genuinely offline sometimes.
26. ◴[] No.42914940{4}[source]
27. gruez ◴[] No.42914958{4}[source]
The "vulnerability" part doesn't seem to be substantiated. From Wikipedia:

>The images were initially believed to have been obtained via a breach of Apple's cloud services suite iCloud,[1][2] or a security issue in the iCloud API which allowed them to make unlimited attempts at guessing victims' passwords.[3][4] Apple claimed in a press release that access was gained via spear phishing attacks.[5][6]

Regardless of their security practices, it's a stretch to equate getting hacked with knowingly making available data. Moreover you can opt out of iCloud backup, unlike with whatever is happening with apps mentioned in the OP.

28. maeil ◴[] No.42915031{6}[source]
Yeah, "unnecessary" is the word that may as well render the whole section moot unless it's actually properly enforced. If I can remember I'll test it today and see how it goes.
29. zzo38computer ◴[] No.42915175{6}[source]
I agree with these guidelines (although they could be improved), although I think that some things could be done by the implementation in the system, too.

> For example, if a user declines to share Location, offer the ability to manually enter an address.

This is a reasonable ability, but I think that the operating system should handle it anyways. When it asks for permission for your location, in addition to "allow" and "deny", you can select "manually enter location" and "custom" (the "custom" option would allow the user to specify their own program for handling access to that specific permission (or to simulate error conditions such as no signal); possibly the setting menu can have an option for "show advanced options" before "custom" will be displayed, if you think it would otherwise make it too complicated).

> that include the ability to post photos to a social network must not also require microphone access before allowing the user to upload photos

This is reasonable, that apps should not be allowed to require microphone access for such a thing.

However, sometimes a warning message makes sense but then to allow it anyways even if permission is not granted; e.g. for a video recording program, it might display a message about "Warning: microphone permission is not allowed for this app; if you proceed without enabling the microphone permission, the audio will not be recorded." Something similar would also apply if you denied camera permission but allowed microphone permission; in that case, only audio will be recorded. It might refuse to work if both permissions are denied, though.

30. otteromkram ◴[] No.42915212{4}[source]
Then there wouldn't be any free ones.
31. discostrings ◴[] No.42915425[source]
Fully denying internet access for an app is actually in iOS and has been there for many years.

But it's only available in China.

https://tinyapps.org/blog/202209100700_ios_disable_wifi_per_...

32. n_plus_1_acc ◴[] No.42915448[source]
Android can do this
33. noja ◴[] No.42915764{4}[source]
They were evil before.

Previously they’d take your LinkedIn password and try using that to log in to your email account to grab your contacts.

replies(5): >>42915966 #>>42915990 #>>42916905 #>>42919227 #>>42931714 #
34. jcul ◴[] No.42915871[source]
On android you can choose whether to grant access to contacts. And most apps work fine without.

GrapheneOS, which I use, also has contact scopes, so troublesome apps that refuse to work without access will think they have full access. You can allow them to see no contacts or a small subset.

There's also multiple user profiles, a "private space", and a work profile (shelter) that you can install an app into, which can be completely isolated from your main profile, so no contacts.

It surprises me how far behind iOS is with this stuff. Recently I wanted to install a second instance of an app on my wife's iPhone so she could use multiple logins simultaneously, there didn't really seem to be a way to do it.

replies(3): >>42916216 #>>42931064 #>>43072303 #
35. pojzon ◴[] No.42915947[source]
Interesting thing is that security practices mention that you should always grant the minimal set of permissions.

So in case Apple allowed for “share all” it means that they did it by design and are changing it now only because of backlash.

36. 55555 ◴[] No.42915966{5}[source]
This sounds absolutely insane.
37. dkga ◴[] No.42915990{5}[source]
This is a big thing, is there any evidence? Not implausible unfortunately…
replies(1): >>42916169 #
38. WA ◴[] No.42916008[source]
Useless without limiting the kind of data I want to share per contact. iOS asks for relationships for example. You can set up your spouse, your kids, have your address or any address associated with contacts. If I want to restrict app access to contacts, I also want to restrict app access to specific contact details.
39. jjcob ◴[] No.42916029{4}[source]
Try signing in in any Google app without allowing data sharing with Safari. It's not possible. They don't let you.

It's kind of weird that Apple introduced this big fat tracking consent popup, but they don't really do anything to actually prevent cross-app tracking...

40. saagarjha ◴[] No.42916169{6}[source]
https://en.wikipedia.org/wiki/LinkedIn#Use_of_e-mail_account...
41. thaumasiotes ◴[] No.42916204{4}[source]
> That way, you don't need to request consent at all, as you only get access to the specific object that the user has picked using a secure system component.

This is an interesting contrast with the earlier philosophy of phone OSes that the file system is confusing to users and they should never be allowed to see it.

replies(1): >>42916604 #
42. loxs ◴[] No.42916216[source]
The point is that it doesn't matter whether YOU grant access to your contacts. As long as anyone who has you in THEIR contacts decides to just press "share contacts" with any app, you are doxxed and SkyNet is able to identify you for all practical purposes.
replies(2): >>42921599 #>>42921630 #
43. miki123211 ◴[] No.42916604{5}[source]
They still (mostly) aren't.

From a user perspective, photos aren't files. Music isn't files. Contacts aren't files. Apps aren't files. App data isn't files.

The only things that "walk like a file and quack like a file" are documents, downloads, contents of external storage, network drives and cloud drives, and some Airdrop transfers.

Yes, it's technically possible to use the files app to store photos, music etc, but if you do that, "you're holding it wrong."

44. croes ◴[] No.42916767[source]
Doesn’t help against your cousin who shares your data.
45. Cthulhu_ ◴[] No.42916894{3}[source]
This is how a load of emails were sent out from my Hotmail account to anyone I had ever contacted (including random websites) asking if I want to connect with them to Facebook. The onboarding seemed to imply it would just check to see if any of my contacts were already using Facebook.
46. Cthulhu_ ◴[] No.42916905{5}[source]
Wasn't this also how some services would connect e.g. your bank accounts? They'd ask for your credentials and log into your bank to scrape its contents.

And I kinda get it, some services external to your bank can help you manage your finances etc. But it's why banks should offer APIs where the user can set limited and timed access to these services. In Europe this is PSD2 (Revised Payment Services Directive).

replies(1): >>42918553 #
47. amanda99 ◴[] No.42918553{6}[source]
I think the key point is that they would take your LinkedIn password and try to use that on your email without asking you, in case you reused passwords.
48. matheusmoreira ◴[] No.42919028{3}[source]
A big problem with GrapheneOS is the fact it only officially supports Google phones. Google is apparently incapable of selling those things globally, limiting availability.

There's also the fact hardware remote attestation is creeping into the Android ecosystem. There's absolutely no way to daily drive something like GrapheneOS if essential services such as banks and messaging services start discriminating against you on the basis of it. Aw shucks looks like your phone has been tampered with so we're just gonna deny you access to your account, try again later on a corporation owned phone.

GrapheneOS is amazing from a security and privacy perspective but it doesn't matter. The corporations will not tolerate it because it works against their interests. They will ban you from their services for using it. Unlike Google and Apple, they have no leverage with which to force the corporations to accept terms unfavorable to them.

replies(1): >>42933807 #
49. jorts ◴[] No.42919089{3}[source]
God damn this feature. About ten years ago I inadvertently did something in LinkedIn and ended up spamming everyone I knew with LinkedIn invites. It annoyed a lot of people.
50. wkat4242 ◴[] No.42919227{5}[source]
Ok I didn't know that. Very good point. Wow.
51. zxvkhkxvdvbdxz ◴[] No.42921599{3}[source]
Same with DNA testing really.

A relative did a genealogy test through ancestry.com and suddenly I'm doxed for all eternity.

52. jcul ◴[] No.42921630{3}[source]
Ah yes, that is a problem.
53. zxvkhkxvdvbdxz ◴[] No.42921712{4}[source]
And why do you assume bad faith without any proof of foul play?
54. x0x0 ◴[] No.42922198{5}[source]
> [Apple] had a greater impact on user privacy than f-droid ever will.

Sorry, that's nonsensical, unless you mean a negative impact. Apple's privacy is pretend only, as this article makes quite clear.

55. stavros ◴[] No.42930187{4}[source]
It doesn't do that for me. There's a Google button, and then big sign up/log in buttons, and a non-Google email works fine.
56. newscracker ◴[] No.42931064[source]
You have two different points in your comment. Firstly, iOS has not been behind on having apps work if they don’t get access to a specific sensor or data. It’s on Android that apps refuse to work if they’re not given contacts access or location access and so on. Comparing the same apps on iOS and Android, I have found that Apple’s requirements for apps not to break when a permission is not granted is well respected and implemented on iOS apps. The same apps on Android apps just refuse to work until all the permissions they ask for are granted. YMMV.

I do agree that iOS is behind by not providing profiles and multiple isolated installations of apps, and it would be great if it did.

57. slickytail ◴[] No.42931714{5}[source]
The linked Wikipedia article below says that they asked you for your email password specifically -- is there any evidence that they would try to use your LinkedIn password itself?
58. ParetoOptimal ◴[] No.42933807{4}[source]
Is a bank app on your phone essential? I've never had a bank app installed on my phone.
replies(1): >>42935120 #
59. sneak ◴[] No.42935120{5}[source]
Yes. I would not be able to use my AmEx as effectively if I could not receive notifications (usually second factor for charges) in the app.
60. WhyNotHugo ◴[] No.43072303[source]
It would be useful to pick which details we share, not just contacts.

E.g.: I might be okay with sharing a friend's phone number or email, but I don't want to share their photo, dob, home address, etc.