New API Rules Unveiled
In a bid to enhance user privacy, Apple has unveiled a significant modification to its App Store API regulations. From fall 2023 onwards, developers will be mandated to justify their utilization of certain APIs capable of gathering user data. This move is a part of Apple’s continuous efforts to deter the exploitation of APIs for user fingerprinting.
Decoding User Fingerprinting
User fingerprinting, alternatively known as device fingerprinting, is a method that amasses information about a user’s device to generate a unique identifier or “fingerprint”. This fingerprint consists of a set of features and attributes that can be employed to identify and track individual users across various websites and online activities.
Apple’s Position on User Fingerprinting
Apple has clarified that using APIs for user fingerprinting violates its Developer Program License Agreement. To counteract this, Apple announced at WWDC23 that developers will be obligated to state their reasons for employing these APIs in their app’s privacy manifest.
Ensuring Compliance with API Usage
The newly introduced measure is intended to ensure that apps strictly comply with the designated purpose of utilizing ‘required reason APIs.’ Developers are required to select one or more approved reasons that accurately reflect their app’s API usage. The app is then confined to using the API exclusively for the chosen reasons.
Modifications in App Store Submissions
Developers will receive an email notification urging them to provide an approved reason for using such APIs when submitting new apps or app updates to App Store Connect. From spring 2024 onwards, an approved reason must be incorporated in the app’s privacy manifest for new apps or app updates, ensuring it aligns with the app’s API usage.
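A pre-submission check along these lines can catch a missing declaration before App Store Connect does. This is an added example, not code from the article or from Apple: the key and category names follow Apple's privacy manifest (PrivacyInfo.xcprivacy) format and do not appear in the article, the sample manifest is constructed, and the set of categories the app actually uses is assumed to come from a separate scan of the code base.

```python
import plistlib

# Constructed sample PrivacyInfo.xcprivacy (not from the article).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array/>
    </dict>
  </array>
</dict>
</plist>"""


def declared_reasons(manifest_bytes):
    """Map each declared API category to the set of reason codes listed for it."""
    manifest = plistlib.loads(manifest_bytes)
    declared = {}
    for entry in manifest.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType")
        if not category:
            continue  # malformed entry: no category name
        reasons = entry.get("NSPrivacyAccessedAPITypeReasons", [])
        declared.setdefault(category, set()).update(reasons)
    return declared


def audit(manifest_bytes, used_categories):
    """Return (undeclared, no_reason, unused) category lists, each sorted.

    used_categories is an assumption: the categories a code scan found in use.
    """
    declared = declared_reasons(manifest_bytes)
    used, listed = set(used_categories), set(declared)
    undeclared = sorted(used - listed)                       # used, never declared
    no_reason = sorted(c for c in used & listed if not declared[c])  # declared, no reason
    unused = sorted(listed - used)                           # declared, not used
    return undeclared, no_reason, unused
```

The check only confirms that a reason is present for each category; whether the chosen reason accurately reflects the app's usage still has to be reviewed against Apple's approved list.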
Apple’s Appeal to Developers
Apple invites developers to get in touch if they have a use case for a required reason API that is not already covered by an approved reason and that directly benefits the users of the app.
List of APIs Requiring Usage Reasons
Apple has made a list of APIs that require reasons for use available on its developer resources website.
Additional Security Enhancements
In addition to the new API rules, Apple has introduced features to augment security and privacy for iPhone users with the iOS 16 release. These include Lockdown Mode, which shields high-risk individuals from sophisticated cyber attacks, and Safety Check, a privacy tool offering an emergency reset option for account security and privacy permissions.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.