Apple rejecting apps that collect data for 'device fingerprinting'
As part of previously announced plans to safeguard the App Store and users of its various platforms, Apple this week began to reject apps and app updates crafted with third-party SDKs integrating "device fingerprinting" data collection techniques.
A number of developers are noting the change in policy, which is related to Apple's upcoming App Tracking Transparency safety measures set for release alongside iOS 14.5. As Forbes reports, Radish Fiction, Heetch, an app from InnoGames, and apps relying on an SDK from Adjust are among the recent rejections.
"Our app just got rejected by Apple's app reviewer, blaming the MMP SDK for building a fingerprint ID," Aude Boscher, a growth marketing product manager at Heetch, said in an industry Slack channel. "I saw other people complaining ... so it might soon come up for you as well!"
Apple is informing developers of rejected apps that their software contains tools to track users, a practice that runs afoul of App Store Guidelines governing data privacy.
"Your app uses algorithmically converted device and usage data to create a unique identifier in order to track the user," the message reads. "The device information collected by your app may include some of the following: NSLocaleAlternateQuotationBeginDelimiterKey, NSTimeZone, NSLocaleGroupingSeparator, NSLocaleDecimalSeparator ..."
Further, marketing analyst Eric Seufert called attention to what appears to be a crackdown on apps that integrate an SDK from Adjust. A version of the third-party tool collects data for device fingerprinting, or probabilistic attribution, which is a method of identifying and tracking devices by aggregating data points like software version, time since last update, time since last restart, and charge level, among others. Device fingerprinting can be used as an alternative to IDFA, an advertising identification method that Apple seeks to limit with ATT.
Adjust claims more than 50,000 apps use its SDKs, potentially putting thousands of iOS updates at risk of rejection. As noted by Forbes, however, Adjust in the last 14 hours updated its SDK to strike intrusive code, likely bringing the software in line with Apple's regulations.
Apple will enact ATT policies with the launch of iOS 14.5. Importantly, IDFA tracking will be strictly opt in on a per-app basis, meaning users need to expressly grant permission to track when an app first launches.