
Many App Store 'nutrition labels' have false information, report says

The new App Store privacy labels are prominent, but only after you've scrolled far down an app's listing

An investigation into the accuracy of privacy disclosures in Apple's App Store "nutrition labels" has found that a significant number are simply false.

Apple made its privacy notices, also known as "nutrition labels," mandatory for any new or updated iOS 14 app in the App Store from December 8, 2020. As reported by AppleInsider at the time, however, Apple appeared to be entirely dependent on app developers both complying and telling the truth.

Now, according to the Washington Post, a survey of app privacy notices has shown that "many" are false.

The Washington Post does not say how many apps were checked, but claims that "about 1 in 3" of those tried were falsely reporting that they collect no data. These include the game Match 3D, social network Rumble, and PBS Kids Video.

All three have reportedly now made some changes, but during the Washington Post "spot check," each was allegedly falsely claiming to track no data. So was a de-stressing app named Satisfying Slime Simulator, which was reportedly sending information to Facebook, Google and others.

"Apple conducts routine and ongoing audits of the information provided and we work with developers to correct any inaccuracies," an Apple spokesperson told the Washington Post. "Apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases, be removed from the App Store entirely if they don't come into compliance."

The apps were reportedly tested in part in conjunction with a former National Security Agency researcher. The Satisfying Slime Simulator was sending Facebook, Google and GameAnalytics details of the user's iPhone IDFA, battery level, free storage space, volume setting, and general location.

Apple's forthcoming update to iOS 14 will introduce a new App Tracking Transparency feature. Apps still using IDFA will require a user's specific permission to carry on.

Advertisers believe that most users, on being prompted to allow tracking, will choose to say no. Apple will offer advertisers an alternative framework, however, which it claims gives advertisers useful information, without compromising the user's privacy.

Google plans to adopt this new, more privacy-minded SKAdNetwork framework. Facebook continues to protest against the change, and may even take Apple to court over it.

As previously reported by AppleInsider, a number of major app developers have yet to comply with Apple's requirement for privacy or nutrition labels. Until they do so, Apple will not allow any new apps, nor updates to existing ones.

At present, it remains true that Apple is dependent on developers' honesty, but the system is also new. Over time, however, any developer who wants to have an updated app on the App Store will have to provide privacy information. As the App Store policy becomes the norm, and especially when IDFA is made opt-in, the accuracy of the nutrition labels will only increase.



20 Comments

auxio 19 Years · 2766 comments

I'm thinking that Apple should add some automated testing around this which helps validate the labels

OutdoorAppDeveloper 15 Years · 1292 comments

But Apple's App Store is supposed to be safe! That was the reason they gave for why we are not allowed to install a third party App Store.
Folks, it is all just smoke and mirrors. There is no real security on the App Store. As long as an app has access to your information and the internet, it is not secure. From what I can tell as a developer, all of Apple's security features are really about protecting Apple, not their customers. It is also all about marketing. If you feel like you are being protected, you will buy more Apple products. Even so, Apple is at least making a show of being secure which is something no other company (Google, Facebook, Microsoft) is even attempting to do.

mjtomlin 20 Years · 2690 comments

auxio said:
I'm thinking that Apple should add some automated testing around this which helps validate the labels

Not possible unless Apple can install software on the developer's servers to monitor what user data is passed onto 3rd parties from there. Apple can only look at the app code and see what it is doing, and even then it is extremely difficult to follow the path any user data takes thru the app. Monitoring network access and transmission is trivial, but knowing exactly what data is being sent is not, especially with an automated system.

Policy, not policing, is going to be a more effective first step. As much as these developers may not want to be transparent about their data collecting and monetization practices, I'm sure most would rather be upfront than be caught screwing their users and outright lose the user's trust, not to mention being held liable for being dishonest and sued.

roundaboutnow 13 Years · 755 comments

mjtomlin said:
auxio said:
I'm thinking that Apple should add some automated testing around this which helps validate the labels

Not possible unless Apple can install software on the developer's servers to monitor what user data is passed onto 3rd parties from there. Apple can only look at the app code and see what it is doing, and even then it is extremely difficult to follow the path any user data takes thru the app. Monitoring network access and transmission is trivial, but knowing exactly what data is being sent is not, especially with an automated system.

...

OK, so how did The Washington Post researchers find the data that the apps were tracking? I get that if an app developer gathered data to its own servers that it would be difficult to find out where it goes from there...

From the article, it appears that the apps were forwarding information directly to "Facebook, Google and others..." Do you suppose this was the case? If so, then some sort of automated testing may work to at least catch this type of direct data forwarding. 

temperor 6 Years · 78 comments

So for the nitwits responding here all smoke and mirrors and automated testing. This will take time to get perfect. Developers not playing by the book can simply disable time based code so that it passes the review. Once in the store the feature can become active. But fear not Apple will catch that eventually and they will get a warning and the boot when they do not comply ...
By the logic of some here you should not lock your house, because hey one can enter if they really want. I applaud Apple for taking these steps and as always it will take time to perfect, but in this day and age instant everything is the motto, but hey armchair comments are so easy and seem so valuable, though the ones that make them never seem to think this completely through. Privacy and security take time and is a never-ending cat and mouse race ...