New API Rules Unveiled
In a bid to enhance user privacy, Apple has unveiled a significant modification to its App Store API regulations. From fall 2023 onwards, developers will be mandated to justify their utilization of certain APIs capable of gathering user data. This move is a part of Apple’s continuous efforts to deter the exploitation of APIs for user fingerprinting.
Decoding User Fingerprinting
User fingerprinting, alternatively known as device fingerprinting, is a method that amasses information about a user’s device to generate a unique identifier or “fingerprint”. This fingerprint consists of a set of features and attributes that can be employed to identify and track individual users across various websites and online activities.
Apple’s Position on User Fingerprinting
Apple has clarified that the exploitation of APIs for user fingerprinting infringes their Developer Program License Agreement. To counteract this, Apple declared at WWDC23 that developers will be obligated to state their reasons for employing these APIs in their app’s privacy manifest.
Ensuring Compliance with API Usage
The newly introduced measure is intended to ensure that apps strictly comply with the designated purpose of utilizing ‘required reason APIs.’ Developers are required to select one or more approved reasons that accurately reflect their app’s API usage. The app is then confined to using the API exclusively for the chosen reasons.
Modifications in App Store Submissions
Developers will receive an email notification urging them to provide an approved reason for using such APIs when submitting new apps or app updates to App Store Connect. From spring 2024 onwards, an approved reason must be incorporated in the app’s privacy manifest for new apps or app updates, ensuring it aligns with the app’s API usage.
Apple’s Appeal to Developers
Apple invites developers to communicate if they have a use case for an API with required reasons that isn’t already encompassed by an approved reason and if the use case directly benefits the users of the app.
List of APIs Requiring Usage Reasons
Apple has made a list of APIs that require reasons for use available on its developer resources website.
Additional Security Enhancements
In addition to the new API rules, Apple has introduced features to augment security and privacy for iPhone users with the iOS 16 release. These include Lockdown Mode, which shields high-risk individuals from sophisticated cyber attacks, and Safety Check, a privacy tool offering an emergency reset option for account security and privacy permissions.
“It’s extremely positive to see a major corporation such as Apple, ensure that they have policies in place when it comes to the use of biometric data. Having standards and deliverables means that biometric data can be collected and used both responsibly and ethically.
All organisations should follow Apple in establishing policies and standards when it comes to the use of biometric data. There needs to be clear lines of responsibility and chains of accountability for all parties, as well as a high degree of transparency for the processes involved. By being clear and following ethical standards, customers and the wider public are more likely to trust the use of biometric technology.
For organisations now looking to use biometric APIs on Apple’s App Store, we strongly recommend looking into the advice, guidance and frameworks released by NIST and the NCSC. This ensures that the businesses are following the best practical advice when it comes to use of biometric data and implementing strong data privacy and ethical standards.”