Apple’s Stricter Privacy Measures Will Require Developers to Explain Their Need to Use Sensitive APIs

Apple is tightening its Developer Program policies in an attempt to prevent third-party apps from secretly tracking users without their knowledge or consent.

Starting this fall with the release of iOS 17, certain application programming interfaces (APIs) that permit third-party apps to interact with aspects of iOS and iPadOS will now require developers to supply a reason before Apple will allow them to be used.

According to a new entry in Apple’s developer documentation discovered by the folks at 9to5Mac, Apple has designated several “required reason APIs” that have the potential of being abused by developers for purposes other than those for which Apple provides them.

The most common misuse of these APIs is for “device fingerprinting,” a technique that allows apps to track users by associating them with information specific to their devices. This can include common attributes such as model, screen resolution, and iOS version or even the way you have your user preferences configured in the iOS Settings app.

While much of this data is meaningless on its own, when combined, it has the potential to create a unique “fingerprint” that a developer can then associate with you, allowing them to track your activity across multiple apps even if you’ve opted out of this kind of tracking via Apple’s App Tracking Transparency features.

There’s a reason that Apple has been very careful with the wording in the tracking permission prompts that appear when a third-party app wants to track you across other apps and websites. The options available are “Allow” and “Ask App Not to Track,” since you can really only ask — less scrupulous developers can and will find other ways around this, and Apple is well aware of that.

There are other techniques that developers over time have developed, like fingerprinting, there’s a bit of cat and mouse game around other ways that an app might scheme to create a tracking identifier. And it’s a policy issue for us to say “you must not do that.” And so, we can’t ensure at the system level that they’re not tracking. We can do so at the policy level.

Craig Federighi, Apple’s Senior VP of Software Engineering

Nevertheless, as a policy, Apple prohibits apps from using device fingerprinting to bypass its privacy features, and now it’s adding another layer of security to enforce this.

With iOS 17 and its brethren operating systems, any APIs that could potentially be used for device fingerprinting will be off-limits unless the developer can provide a valid reason why their app needs to access these APIs.

Some of the APIs on the list right now involve accessing file timestamps, information on how long it’s been since you last restarted your iPhone or iPad, available disk space, active keyboards, and the commonly-used UserDefaults API.

That last one may create a bit of a wrinkle. Since it’s used by many apps to store user preferences, it seems that most apps will be able to provide a valid reason for why they want to access this one. However, the others will be a bit harder to explain for most apps, so it should help to curb fingerprinting at least a bit.

Apple also plans to phase in this new policy over several months. Starting this fall, developers will be notified by email if they file to provide a reason for using one of these APIs, but Apple won’t start rejecting apps for failing to include this information until next spring. This should hopefully give developers time to adjust to the new rules without the risk of having an app rejected just because they forgot to fill in the necessary blanks.

While “required reason APIs” are relatively new, Apple has long restricted entire classes of APIs by requiring developers to apply for and receive an “entitlement” before they can use specific features. This includes access to CarPlay, the ability to become a default browser, and even access to notes in your Contacts since those often contain sensitive information. Not every app that can ask for permission to read your Contacts gets access to the notes field; developers have to get specific permission from Apple to be able to do this.

However, unlike entitlements, required reason APIs won’t require developers to go through an application process. Instead, they simply need to explain in their app submission why they need to use a more restricted API. This should help streamline the process for developers and suggests that Apple is unlikely to challenge these reasons unless they seem significantly off base.