“What happens on your iPhone stays on your iPhone.” The message was printed 14 stories high, in simple black and white, on the side of a building at this year’s Consumer Electronics Show in Las Vegas. The proclamation was quintessential Apple: a bold spectacle, a well-timed verbal play, and a calculated jab at Google, Amazon, and every other competitor about to show off its latest products on the world’s biggest stage. It was also misleading. Apple, after all, practically laid the groundwork for the surveillance economy with its powerful App Store.
Through a certain lens, the iPhone is one of the most secure devices in the world. Its contents are encrypted by default. Any data that Apple collects through services such as Maps is assigned to random identifiers (rather than being tied to users’ IDs) that are periodically reset. Unlike Google’s Chrome browser, Apple’s Safari doesn’t track users across the web, which means the company could be leaving billions of dollars in revenue on the table by not harvesting users’ data.
But that doesn’t stop the 2 million or so apps in the App Store from spying on iPhone users and selling details of their private lives. It’s not just Facebook and Google that are using their iOS apps to hoover up your personal information for the benefit of marketers or back-alley data brokers. Beneath the App Store lies a flourishing ecosystem of businesses devoted to collecting, analyzing, and profiting from user data.
“Tens of millions of people have data taken from them—and they don’t have the slightest clue,” says Will Strafach, founder of the San Francisco–based cybersecurity firm Guardian. His company released a report last fall that identified 24 popular iOS apps—including the image-hosting service Photobucket and real estate portal Homes.com—that contained code from data-monetization firms, which can collect location information as often as every 15 seconds, even when an app is closed. Guardian has spotted similar code in hundreds of other iOS apps.
An investigation by The New York Times last December uncovered nine seemingly innocuous apps, including Weatherbug and a gas-savings app, GasBuddy, that routinely gave precise user-location information to more than 40 different data-monetization companies. The Wall Street Journal studied 70 iOS apps in February and found several that were delivering deeply private information, including heart rates and fertility data, to Facebook through an analytics tool in the social media company’s software developer kit.
To shed light on these murky practices, Guardian is launching the subscription-based Guardian Firewall app this month. The iOS app encrypts user data through a personal VPN, blocks apps from passing private information to third parties, and alerts users—via push notifications—of any attempts to send their data outside an app. Early testers have taken to Twitter to report their shock at how many apps Guardian Firewall has stopped from passing data elsewhere.
Apple continues to make user privacy a centerpiece. At the company’s annual WWDC developers conference, being held this week in San Jose, California, senior vice president of software engineering Craig Federighi took to the stage to declare that “privacy is a fundamental human right.” What he didn’t mention, however, was Apple’s central role in greasing along mobile-data sharing since the launch of the App Store in 2008.
From the start, Apple prioritized an app ecosystem that was easy to use, consolidating any software you might have on your phone into a single venue, the App Store, over which it exerted complete control. To get their software in, developers had to conform to Apple’s squeaky-clean microcosm of a free market.
The company designed a dead-simple interface that, to this day, allows users to sign away contacts, location data, and camera and microphone access with a single tap as they install an app. Apple also created efficient APIs—the software connecting its hardware to outside apps—to provide third-party developers access to sensitive user information. Meanwhile, iPhone apps are not required to encrypt their transmissions. “Apple was well known for usability before it was known for privacy,” says Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.
Apple’s most consequential decision, though, may have been to emphasize apps based on popularity. With thousands of apps suddenly coming online, the company wanted to give users an easy way to navigate the App Store. It created lists of the most popular paid and free apps, by category, setting them up to become viral hits. App pricing soon became a race to the bottom. Software, which had traditionally sold for $20, $30, or $50, cost one-tenth of that in the App Store, or it was just free. The cheaper the app was, the greater chance it would become a chart-topping impulse download.
This economic model, however, doesn’t support the kinds of teams needed to create good—or even decent—software. “Even if an app is 99¢, that price is not going to be enough,” says Cade Diehm, a designer who helped develop the secure communications app Signal and is now the lead designer at the digital-rights nonprofit Tactical Tech. So developers compensate by selling user data, Diehm says.
Today, it’s routine for developers to insert a bit of code into their software that sends user information directly to outside companies. These data-marketing firms are generally tight-lipped about what they pay, but one company, Huq, advertises that it shells out as much as $1.10 for the location data of every 100 monthly active users, which means an app with a million users could make $11,000 a month from Huq. That’s not much, but developers rarely stop at just one data-mining customer. Guardian has seen apps incorporate as many as eight separate location-data trackers, and has identified at least 100 data-monetization firms active on iOS.
In other cases, the data-marketing company simply owns the app. Weatherbug, for example, is owned by ad platform Groundtruth. And the two biggest advertising companies on the web—Google and Facebook—provide analytics and other various software for more than 600,000 iOS apps, according to research firm Apptopia, which allows them to peek inside a third of all apps in the App Store. For the most part, this all happens with users’ permission. They let apps access their location information, contacts, or microphone for legitimate reasons. But rarely do they have any idea how their data is then passed around.
In the wake of the Cambridge Analytica scandal and the European Union’s General Data Protection Regulation, which took effect last year, Apple has increased its efforts to protect users. In 2016, it helped shield user identities from marketers by making the unique advertiser ID hardwired into the iPhone more complex. A year later, it created tiered app permissions, which allow users to specify that an app can access certain data only when it’s open. (Google has since copied this feature in Android Q.)
To be part of the App Store, iOS developers also have to agree to Apple’s App Review guidelines, which state that apps cannot create shadow profiles of users (piecing bits of behavioral data together to deeply profile them) and that developers are responsible for the data practices of any analytics software in their products. As of 2018, apps are encouraged—but not required—to “clearly and explicitly” tell users what they collect and how they use it.
But Apple operates more as matchmaker—connecting users and apps, enabling them to shake hands with APIs and terms and conditions—than enforcer. It does not audit apps’ data practices, nor does it police the language of developers’ terms and conditions. If it comes to light that an app is in breach of these guidelines (and it’s not a case of malintent), Apple gives the developer time to fix the problem. It does not inform users of the issue, and more often than not, the app can stay in the App Store during the process. Notably, Apple does not punish apps for past privacy violations, so a company such as Facebook, which allowed Cambridge Analytica to create shadow profiles of its users via its iOS app, remains seemingly untouchable. In lieu of commenting for this article, Apple provided Fast Company with the equivalent of its App Review guidelines. It declined to say why Facebook has not been banned for enabling data mining by Cambridge Analytica. (Since this original story was published in print, Apple has launched a microsite explaining more of its App Store policies, and presenting arguments as to why the App Store isn’t a monopoly.)
Apple is beginning to acknowledge the problems on its platform. “We have to admit when the free market is not working,” Tim Cook said in an interview with Axios last November. The Apple CEO has formally called on Congress to pass legislation to protect consumers, which could set higher standards for app data brokers and hold them accountable for privacy violations. But punting these issues to regulators obscures the fact that Apple is already the sole ruler of the App Store.
At WWDC this week, the company announced updates to its location API that would enable users to restrict apps from accessing their location more than once. The company also promised it was closing technical loopholes that allowed some app developers to track your location secretly via Wi-Fi and Bluetooth signals. Finally, Apple offered its own iCloud ID standard as a means to log into apps, as an alternative to using Google or Facebook logins–which puts a guardrail between users and those companies, but gives Apple unprecedented reach across apps. Crucially, Apple will offer users the option to mask their personal email address from many apps–though perhaps that feature would have been more useful five or ten years ago, before these apps had already collected our email addresses.
Notably, nothing that Apple announced at WWDC prevents third parties from continuing to collect and monetize the user data in their apps. Some developers say that any move Apple might make to clamp down on their work—by banning their use of outside analytics software and encouraging app makers to charge more—would cause them to abandon iOS. “Apple doesn’t really have a choice other than to allow apps that are ad supported,” says the data scientist behind a major iOS gaming company, under the condition of anonymity. “Were they to move to a premium-only model, vast numbers of iPhone and iPad users would flee to Android.”
A game of chicken with developers, let alone Facebook, would be dangerous. But if Apple wants what happens on your iPhone to, finally, actually stay on your iPhone, it may be a game that it needs to play.