iOS 14.5 will probably drop very soon now as Apple has begun actual enforcement of iOS 14 privacy policies. The big clue: rejected updates for apps using measurement SDKs with fingerprinting.
The good news: Singular customers are not impacted.
(And no: this is not an April Fool’s joke.)
What’s the app approval problem?
Last night, mobile marketers started reporting that an unusual number of apps were being rejected. The cause: probabilistic attribution technology in embedded measurement SDKs. In other words, fingerprinting. In the rejection notices, Apple is saying that apps are collecting too much information which could be used to identify individuals and devices, violating the spirit of iOS 14’s App Tracking Transparency framework.
“Your app uses algorithmically converted device and usage data to create a unique identifier in order to track the user,” says one email we’ve seen. “The device information collected by your app may include some of the following: NSLocaleAlternateQuotationBeginDelimiterKey, NSTimeZone, NSLocaleGroupingSeparator, NSLocaleDecimalSeparator …”
The guideline in question is 5.1.2 on privacy and data sharing:
[Image: text of App Store Review Guideline 5.1.2. Source: Apple]
This should not be a surprise, and it should not be shocking. At Singular we’ve been warning about this for months.
What’s causing this, and who is impacted?
Right now what we know is that Adjust’s SDK is impacted. Other MMPs may be impacted as well, but we have no evidence of that.
We have not had a single app rejection for Singular customers, and there’s a good reason why: from the very beginning, we’ve been very clear that fingerprinting does not work as an IDFA substitute in iOS 14 without user permission. In fact, although fingerprinting has a small role in the case of owned media from mobile web to app, we’ve said that using it is a good way to get your app kicked off the App Store.
Or, as it turns out, barred from being updated.
Per a number of developers, Apple has begun rejecting app updates that include the Adjust SDK related to its collection of data used for device fingerprinting.
— Eric Seufert (@eric_seufert) April 1, 2021
We can see the causes for the App Store updates being rejected, because Adjust’s SDK is open source on GitHub. And, as it turns out, their SDK just had a massive update in the past day: 36 changed files with 44 additions and 622 deletions.
Those deletions are full of fingerprinting technology:
- NSString *persistedUuid = [ADJKeychain valueForKeychainKey:@”adjust_uuid” service:@”deviceInfo”];
- (NSString *)adjDeviceId:(ADJDeviceInfo *)deviceInfo;
- NSString *binaryHardwareName = [ADJUtil stringToBinaryString:hardwareName];
- NSUInteger chargingStatus = [ADJSystemProfile chargingStatus];
- NSUInteger batteryLevel = [ADJSystemProfile batteryLevel];
- NSUInteger totalSpace = [ADJSystemProfile totalDiskSpace];
- NSUInteger lastBootTime = [ADJSystemProfile lastBootTime];
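Review bot: removing the `adjust_uuid` keychain read (service `deviceInfo`) on the first deleted line stops the lookup, but none of the lines shown deletes the value already written on existing installs. Keychain items can outlive an app uninstall, so the upgrade path should also delete the stored `adjust_uuid` item, otherwise the persistent identifier stays on the device even though the SDK no longer reads it.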
Essentially, measurement partners who are collecting too much data — from hardware details to software versions to charging status and battery level to uptime — are problematic. All of that data allows you to form a very detailed representation of a very specific device and could be used to attribute installs and conversions and potentially track that device — and therefore that user — around the mobile ecosystem.
Right now, apps that are using SDKs that collect too much data are being rejected.
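A pre-submission check an app team could run over embedded SDK source, as an added example (not Singular's or Adjust's code): it flags lines touching the signal categories named in the rejection notice and in the deleted lines above. The regexes, the three-category threshold and the sample snippets are assumptions made for this example.

```python
import re
from collections import defaultdict

# Categories come from the rejection notice and the deleted lines quoted above;
# the regexes and the threshold are this example's assumptions, not Apple's rule.
SIGNALS = {
    "locale/timezone": r"\bNS(TimeZone|Locale\w*)\b",
    "battery/charging": r"\b(battery(Level|State)|chargingStatus)\b",
    "disk space": r"\b(NSFileSystem(Size|FreeSize)|totalDiskSpace)\b",
    "boot time/uptime": r"\b(KERN_BOOTTIME|systemUptime|lastBootTime)\b",
    "keychain-persisted id": r"\b(SecItem(Add|CopyMatching)|valueForKeychainKey)\b",
}

def scan_source(name, text):
    """Return {category: [(file, line_no, line)]} for one source file."""
    hits = defaultdict(list)
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # skip line comments (also cuts URLs)
        for category, pattern in SIGNALS.items():
            if re.search(pattern, code):
                hits[category].append((name, no, line.strip()))
    return dict(hits)

def audit(files, threshold=3):
    """Merge hits across files; flag when >= threshold categories co-occur."""
    merged = defaultdict(list)
    for name, text in files.items():
        for category, found in scan_source(name, text).items():
            merged[category].extend(found)
    return dict(merged), len(merged) >= threshold

# Constructed Objective-C snippets for the demo, not real SDK code.
SAMPLE = {
    "Profile.m": """
float level = [UIDevice currentDevice].batteryLevel;
NSString *tz = [[NSTimeZone localTimeZone] name];
// NSFileSystemFreeSize lookup was dropped
NSNumber *disk = attrs[NSFileSystemSize];
NSTimeInterval up = [NSProcessInfo processInfo].systemUptime;
""",
    "Clock.m": "NSString *tz = [[NSTimeZone localTimeZone] abbreviation];\n",
}

if __name__ == "__main__":
    merged, flagged = audit(SAMPLE)
    for category, found in sorted(merged.items()):
        for name, no, line in found:
            print(f"{category:22} {name}:{no}  {line}")
    print("review before submission" if flagged else "below threshold")
```

A single category on its own, such as a time zone read for display, stays below the threshold; the flag is raised only when several categories co-occur in the same code base.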
It’s important to note, however, that Apple is being restrained in iOS 14 privacy enforcement. They’re not kicking apps off the App Store; they are denying app updates. That’s disruptive to app publishers’ business, sure, but it’s a relatively minor disruption with a clear path to resolution. Apple could have been much more hard core here in ways that would have impacted app developers much more severely.
What about Singular?
At Singular we’ve been incredibly careful and conservative around what data we collect and how we ensure that stays compliant with Apple policies. In fact, sometimes we’ve wondered if we’ve gone too far … especially as we saw some MMPs apparently adding fingerprinting capabilities in preparation, perhaps, for losing the IDFA.
We are re-auditing our SDK just to be on the very, very, very safe side, and we’re continuing to monitor the situation very closely. As the first MMP to publicly announce support for SKAdNetwork on June 23, 2020, our goal has always been to be 100% aligned with Apple’s policies, and we believe we are. That ensures minimal to no disruption for our clients.
We’ll update this post as the situation evolves.