New Privacy Features: iOS 14.0 through 14.3

December 18th, 2020 by Oleg Afonin

Apple has long provided its users with the tools to control how apps and Web sites use their personal data. The release of iOS 14 brought a number of new privacy features, while iOS 14.3 adds an important extra. At the same time, one of the most interesting privacy features is facing tough opposition from a group of digital advertising associations, prompting Apple to postpone its implementation.

Approximate Location

This feature enables users to share only their approximate location rather than their exact location with apps that don’t require precise location data. According to Apple, this feature is targeted at apps such as local news or weather; however, it is more likely to restrict apps that use embedded tracking SDKs to collect information about their users.

How approximate is the approximate location? Apple has said that the location data is provided within 10 square miles, which falls into a circle with a radius of about 3 kilometers.

Enabling Approximate Location

Users can change their mind about sharing location data at any time, retroactively enabling or disabling approximate location for individual apps through the Settings app. To do so, open the Settings app and go to Privacy – Location Services. Make sure that Location Services is turned on, then scroll down the list of apps. Tap the app you want to configure, then check the Precise Location switch. If you want to limit the app to your approximate location only, make sure that the switch is in the Off position.

Choose wisely which apps can access location data. Google Maps requires precise location, as does any navigation app. Local news, weather, and social apps can work perfectly with an approximate location only. Many casual games, calculators, photo editing apps and so on don’t have a valid reason for requesting the location permission at all, and should be denied such requests if prompted.

Controlled Access to Media Files

iOS 14 users can now control which media files are accessible to specific apps. This new privacy feature enables users to limit the number of photos the app has access to, instead of the binary switch allowing or disallowing access to the entire media library.

Apps that may need access to the entire media library include cloud synchronization apps such as Dropbox, Google Photos or OneDrive. Many social networks and a random AI-powered emoji editor can be restricted to the one photo you want to upload or turn into an emoji.

Interestingly, while Apple restricts local access to photos on the device, the company scans photos uploaded to iCloud for abusive images. “Apple chief privacy officer Jane Horvath, speaking at the Consumer Electronics Show in Las Vegas this week, said that this is the way that it’s helping to fight child exploitation, as opposed to breaking encryption.” [Naked Security]

Other companies do it as well. Microsoft, Google, Verizon, Twitter, Facebook and Yahoo scan their users’ uploads for illegal materials. Facebook’s November 2020 transparency report indicates that “the volume of content restrictions based on local law increased globally 40%”, which may indicate subsequent growth of such content scanning practices in the near future.

The Clipboard Fix

Since the release of iOS 14, users have been wondering about the new pop-up notification about apps accessing the iOS clipboard that appears at the top of the display. This new prompt warns the user that the app has accessed the clipboard. The warnings are the result of the recent discovery made by Talal Haj Bakry and Tommy Mysk and described in Precise Location Information Leaking Through System Pasteboard. The researchers claim that some 53 App Store apps, including the controversial TikTok app, are constantly monitoring the content of the system clipboard for no apparent reason.

The scope of the problem is increased by the fact that nearby devices sharing the same Apple ID, including macOS computers, may be exchanging data through Universal Clipboard.

The clipboard may contain many different types of data such as text, URLs, pictures (complete with EXIF metadata and location tags, as pinpointed in the abovementioned research), two-factor authentication codes, and other information that the user would not willingly share with dubious apps.

Apple publicly denied the problem, claiming that this behavior is expected. However, in iOS 14, the company introduced a new API allowing developers to check the type of data stored in the clipboard without accessing the data itself. If developers use this new API, the warning will not show up.

In our view, this implementation is a good tradeoff between convenience and security. On the one hand, the company took action. On the other, the company made it difficult for the users to ignore the problem: the prompts are just annoying enough to make the user pay attention and take action.

Camera and Mic Activity Indicators

The new feature enables users to see when the phone’s camera or microphone is in use. A recording indicator appears at the top of the screen when the camera or microphone is used. Users can review applications that used the camera and mic in the Control Center.

A green dot indicates that the camera is activated; an amber dot shows that the microphone is in use. See “About the orange and green indicators in your iPhone status bar” (Apple Support).

There is one important exception to this rule. When Siri is configured to work in the background, waiting for the activation word, the orange dot does not appear even when the microphone is on. However, the orange dot will light up if another app starts using the mic. This is expected behavior, as constantly displaying the orange dot while Siri is listening for an activation word would defeat the purpose of the indicator.

The trend to prominently show the status of the camera and microphone is nothing new. All recent MacBooks have a feature that disconnects the microphone when the lid is closed (Apple’s 2018 MacBooks come with a chip that protects against eavesdropping). Many smart devices such as Google Nest Hub Max or the new Facebook Portal feature physical disconnection switches, as opposed to software buttons, to rule out the possibility of eavesdropping. Ideally, we’d love to see this feature implemented as a dedicated LED indicator.

Upgrade to Sign in with Apple

“Sign in with Apple” is yet another entry in the crowded space of single sign-on services. Alternatives include Google, Facebook and Microsoft accounts as well as countless wannabes from all over the world. Apple’s implementation has both advantages and disadvantages that are outside the scope of this article. The company promotes the increased level of security and confidentiality compared to providing a real email address and possibly reusing the same password over multiple online accounts.

Access to Local Networks

Some apps require local network access the first time you launch them. This access may be required to locate and identify Bluetooth devices or scan the local network for available shares. In many cases, however, this access is not required for the app’s main functionality, and is abused for the sole purpose of profiling. iOS 14 adds a prompt saying that the app would like to find and connect to devices on your local network.

Enable Encrypted DNS

Reddit user u/kukivu discovered a new privacy feature in iOS 14, which was announced at 9.50 in the following video: Enable encrypted DNS – WWDC 2020 – Videos – Apple Developer

According to the user, iOS 14 will detect that some DNS queries are blocked in your network and your Wi-Fi network will be tagged with a Privacy warning (that your network is monitored by a third party).

More about the new warning at IOS 14 Privacy features – If you filter DNS queries, your network may be tagged because of pfSense

Local Contact Autofill

When filling in certain fields such as the name, address and email, iOS 14 users will no longer need to “share” a contact. Instead, users can simply pull the contact name from the local address book, and the system will automatically fill in the rest of the fields. The autocomplete function works locally on the device.

Local Voice Recognition

Voice recognition when dictating using the built-in keyboard now occurs locally on the device. Compared to the English-only offline dictation feature found in iOS 13, iOS 14 brings support for a number of additional languages; however, the new functionality requires an iPhone Xs or newer.

Support for APFS Encrypted Volumes

The Files app introduced in iOS 11 can now access external drives protected with APFS encryption. Users will be able to unlock encrypted drives with a password. The new feature is mainly targeted at iPad Pro models equipped with a USB Type-C port, but the functionality is available across the entire range of iOS devices.

Safari: Privacy Report

Safari users can now check how Web sites track their behavior. One can view information both for an individual website and for each specific tracker. This kind of analysis was previously available on certain platforms in third-party ad blockers.

We highly welcome this feature as it allows users to see the extent to which they are being tracked.

Safari: Unsafe Password Detection

Like its competitors, Safari offers users the ability to store authentication credentials. While using a strong and unique password for every online account is a well-known and highly recommended practice, few users follow it to the letter. Studies show that some 67% of consumers reuse passwords across multiple accounts, with little incentive to change unsafe passwords.

The new feature in iOS 14 will periodically check stored passwords for unsafe entries. Unsafe entries are defined as duplicate (or even similar) passwords; passwords that are too simple and easy to guess; and leaked passwords. The check for leaked passwords is performed at the hash level (the real password never leaves the device).

The new feature is on by default. You will receive periodic notifications if any of your passwords are found unsafe. You can check the status of the new feature by opening the Settings app, tapping Passwords – Security Recommendations, and checking for duplicate passwords or passwords that are too easy to guess. The separate Detect Compromised Passwords toggle enables checks of your password hashes against a database that contains hashes of leaked passwords.
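The three categories of unsafe entries described above can be illustrated with a short audit script. This is an added example, not part of the original article and not Apple's implementation: the vault contents, the choice of SHA-1, the 0.85 similarity threshold, the weak-password rule and the small local set of leaked hashes are all assumptions made for illustration.

```python
import hashlib
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data: site -> stored password (not real credentials).
VAULT = {
    "mail.example": "Summer2020!",
    "shop.example": "Summer2020!",
    "forum.example": "Summer2021!",
    "bank.example": "t7#Lq9vW!xRz2m",
    "game.example": "qwerty",
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a leaked-password database: it holds hashes only.
LEAKED_HASHES = {sha1_hex(p) for p in ("qwerty", "123456", "password")}

def is_weak(password: str) -> bool:
    """Assumed rule: short, or drawn from fewer than three character classes."""
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    used = sum(any(test(c) for c in password) for test in classes)
    return len(password) < 10 or used < 3

def audit(vault: dict, similar_at: float = 0.85) -> dict:
    """Return {site: sorted list of reasons} for every unsafe entry."""
    findings = {site: set() for site in vault}
    for site, pw in vault.items():
        if is_weak(pw):
            findings[site].add("weak")
        # Only the hash is compared; the leaked set never holds a password.
        if sha1_hex(pw) in LEAKED_HASHES:
            findings[site].add("leaked")
    for (s1, p1), (s2, p2) in combinations(vault.items(), 2):
        if p1 == p2:
            reason = "reused"
        elif SequenceMatcher(None, p1, p2).ratio() >= similar_at:
            reason = "similar"
        else:
            continue
        findings[s1].add(reason)
        findings[s2].add(reason)
    return {site: sorted(r) for site, r in findings.items() if r}

if __name__ == "__main__":
    for site, reasons in audit(VAULT).items():
        print(f"{site}: {', '.join(reasons)}")
```

Note that "Summer2020!" and "Summer2021!" pass the complexity rule and are not in the leaked set, yet are still flagged because they are reused or nearly identical across accounts.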

iOS 14.3: App Store Privacy Labels

With the release of iOS 14.3 on December 14, 2020, Apple has finally introduced the App Store privacy labelling feature that was announced earlier with the original release of iOS 14 but was postponed to a later date. The new feature requires app developers to submit information about what data an app collects and how that data is being used in its App Store listing.

Announced at Worldwide Developers Conference 2020 back in June, the App Store privacy labeling feature enables users to see what types of data will be collected by the app and how the developers are going to treat that data. Whether it’s location data, access to contacts or access to the device’s unique identifier, developers must disclose that information in the App Store listing.

App Tracking Privacy Controls

The feature would require publishers to display a prominent prompt asking the users if they agree to be subjected to tracking. Technically speaking, this prompt would authorize the release of the device’s unique advertising identifier. The use of a unique identifier enables the developers of advertising SDKs such as Facebook or Google to track the user across various apps and Web pages.

Jason Aten from Inc.com, in Why Facebook Is Very Worried About Apple’s iOS 14, believes that Facebook’s fears are not just about the potential short-term loss of revenue. The advertiser’s main fear is that users, if given a chance, will block the ability for Facebook to track their activity.

After facing tough opposition from advertisers, Apple decided to Delay iOS Change Roiling Mobile Ad Market. According to The Information, “Apple plans to delay the enforcement of a controversial change to its next mobile operating system that would upend how ads are targeted on iPhones and iPads, according to people familiar with the matter”. In How We’re Preparing Businesses for the Impact of iOS 14, Facebook wrote:

We expect these changes will disproportionately affect Audience Network given its heavy dependence on app advertising. Like all ad networks on iOS 14, advertiser ability to accurately target and measure their campaigns on Audience Network will be impacted, and as a result publishers should expect their ability to effectively monetize on Audience Network to decrease. Ultimately, despite our best efforts, Apple’s updates may render Audience Network so ineffective on iOS 14 that it may not make sense to offer it on iOS 14.

EU advertisers joined Facebook in criticizing new app tracking privacy controls in iOS 14. “According to the report, the group of European marketing firms said the pop-up warning and the limited ability to customize it still carries “a high risk of user refusal””, says Tim Hardwick [MacRumors].

The backlash made Apple postpone app tracking privacy controls. “Apple has told developers that it plans to delay enforcement of a controversial change in iOS 14 that would upend how ads are targeted on its devices”, tweeted Alex Heath, a reporter at The Information. At this time, the new feature is expected to appear in some form at the beginning of 2021.

Even before the new controls are implemented, Mozilla already praises Apple’s anti-tracking privacy features in iOS 14. “Apple’s planned implementation of anti-tracking features is a huge win for consumers, many of whom might not even be aware that they can be tracked across apps on their phone,” Mozilla wrote of the feature according to Apple Insider. “Now, with the option to opt-out of tracking at the point-of-use, consumers won’t have to sift through their phone’s settings to protect their privacy.” Mozilla, in its campaign, said that consumers and companies need to ensure that Apple implements the feature and doesn’t “kick the can down the road.” [Apple Insider]

Conclusion

The new version of iOS introduced a number of privacy controls. Some of these controls are particularly useful, while some are postponed to a later date. Early next year we’ll see if Apple implements app tracking privacy controls as it originally intended.