←back to thread

Everyone knows all the apps on your phone

(peabee.substack.com)
1192 points gniting | 1 comments | 29 Mar 25 21:26 UTC | HN request time: 0.813s | source
Show context
andsoitis ◴[30 Mar 25 00:11 UTC] No.43519910[source]
> everyone knows all the alls on your phone

On Android phones. iPhone doesn’t have this privacy deficiency.

replies(10): >>43519937 #>>43519943 #>>43520950 #>>43521020 #>>43521389 #>>43521565 #>>43522434 #>>43522575 #>>43523112 #>>43526348 #
wkat4242 ◴[30 Mar 25 03:14 UTC] No.43520950[source]
On iOS it's kinda worse in some ways. If you enroll into a company MDM they can see all your apps.

On Android if they use the work profile (which is the standard method these days) they can only see the apps inside there.

replies(4): >>43521149 #>>43521150 #>>43521257 #>>43521463 #
mgriepentrog ◴[30 Mar 25 04:56 UTC] No.43521463[source]
Apple introduced account-driven enrollments in 2021[1], which behaves similar to Android's work profile. Managed apps/data are kept in its own APFS volume, and MDM servers don't have access to anything outside of it. They also disallow system-wide commands like wipe device. The only caveat is you need managed Apple IDs[2] to use this enrollment flow, and I doubt many companies have set it up.

Regardless, MDM installed app visibility is limited to those users who opt-in to an organization managing their personal device, and isn't an effective way to broadly gather what apps a given person has installed. What's described in this post would work on any user/device, and there's no way to deny/opt-out of specific permissions.

[1] https://developer.apple.com/videos/play/wwdc2021/10136/ [2] https://support.apple.com/guide/apple-business-manager/use-m...

replies(2): >>43522615 #>>43522734 #
1. wkat4242 ◴[30 Mar 25 09:26 UTC] No.43522734[source]
Yes I know about User Enrolment. The problem is the managed Apple IDs are a complete and total dealbreaker. So I'm not even considering this as an option.

The reason is that Apple demands that the UPN (the account ID) and the email address are the same. For us this is not the case (our UPN is our employee number as an email address, whereas our email address is just our name). And obviously we're not going to change this for ten thousand users because Apple wants to (most of which don't have Apple devices because we're a European company). Also, you have to manually decide what happens to each user that has already created an account with their corporate email address and what to do with the content they purchased on it. This is not feasible for a large corp. We have commented this to our Apple account manager for years and years but they simply don't care. If you work in this realm you probably know that Apple doesn't really care about things that matter for their corporate customers anyway. The consumer is their main client and it shows (unlike with Microsoft where it's the opposite).

So the whole account-driven enrolment (User Enrolment) as well as everything else depending on managed Apple IDs like DEP for Macs is completely out of the window.

The problem in my opinion is that I as an admin can simply query for example all the employees that have something like Grindr installed. Considering the current political climate in the US (or worse, the middle east where this can lead to a death sentence in some cases) it's obvious why this is super bad. And really, why should we be able to do this at all?