SecureMac, Inc.

Checklist 253: App Tracking Opacity

October 29, 2021

Is Facebook using accelerometer data to track iPhone users? And should you update to macOS Monterey?

On this week’s show:

Oh, poor you!

Facebook seems to be very unhappy with Apple (cue algorithmically weighted angry face emoji).  

In a quarterly earnings call this week, Facebook executives complained that Apple’s App Tracking Transparency (ATT) has negatively impacted their bottom line.

ATT, as you may remember from Checklist 217: The State of Apple’s App Tracking Transparency, is the iOS 14 privacy feature that requires apps to get a user’s permission before tracking them between apps or across the web. Facebook voiced concerns about the change early on, saying that it would harm user choice and small businesses. At least, that’s what they said publicly, though many observers reckoned that the company’s real concerns had more to do with their own advertising business. They were right to worry: Soon after the feature rolled out, data showed that only 6% of iOS users were opting in to tracking (shocking, we know).

On Monday’s call, Facebook CEO Mark Zuckerberg singled out Apple as a key factor in the “revenue headwinds” that his company experienced this quarter. An Axios piece, meanwhile, quoted company COO Sheryl Sandberg as saying that Facebook would have “experienced quarter-over-quarter revenue growth, if not for Apple’s changes.”

It’s worth noting, however, that Facebook has seen revenue growth — at least when measured year-over-year (the way that most analysts track it) instead of quarter-to-quarter. The company’s 2021 Q3 ad revenues came in at $28.2 billion: a YOY increase of 33%. Not bad by most people’s standards … but apparently not quite what Facebook was expecting.

Facebook stays on-brand

In other Facebook news this week, an Apple Must report highlighted a new privacy danger from the world’s biggest social network.

According to the report, Facebook is probably still collecting data on iPhone users — even the vast majority who have said “Do Not Track”!

The security researchers quoted in the piece say that Facebook appears to be collecting location metadata via images and IP addresses. Perhaps even more surprisingly, Facebook may also be using accelerometer data to track iPhone users.

The researchers point out that accelerometer data can be correlated with other data points to infer location and other information that you might prefer to keep private. (For a more in-depth look at this issue, see Is mobile sensor data the future of tracking? on the SecureMac blog.)

So is it possible to simply tell Facebook not to use your accelerometer data? Unfortunately, no. As the researchers note:

“Currently, iOS allows any installed app to access accelerometer data without explicit permission from the user … Apps can figure out the user’s heart rate, movements, and even precise location. Worse, all iOS apps can read the measurements of this sensor without permission. In other words, the user wouldn’t know if an app is measuring their heart rate while using the app … We tested several apps, and Facebook and Instagram stood out. While Facebook reads the accelerometer all the time, Instagram only reads it when the user is texting in the DM.”

It looks as though Apple may need to expand ATT to include mobile sensor data … if everyone doesn’t delete their Facebook app first!  

Apple updates everything

Apple has issued another round of security updates: macOS 12.0.1, iOS 15.1, iPadOS 15.1, tvOS 15.1, and watchOS 8.1. As usual, these updates included some important security patches in addition to the new features. Here’s a breakdown of the most important updates:

iOS 15.1 and iPadOS 15.1

Apple fixed 22 separate security issues in these updates, according to the release notes. The potential impact of some of these bugs was quite serious, and included:

  • User data and memory leaks
  • Privilege escalation
  • Disclosure of password characteristics (with physical access to a device)
  • Arbitrary code execution (both with and without kernel privileges)

We’d recommend that everyone update their devices without delay.

macOS 12.0.1

Yes, it’s finally here: macOS 12 (a.k.a. Monterey). 

There are plenty of new features, as one might expect from a new OS release, but there are quite a few security fixes as well.

According to Apple, 12.0.1 addresses 37 separate vulnerabilities (and for those following the saga of security researcher Denis Tokarev, he was actually credited by name in this round of updates!). 

As for whether or not you should update to the latest version of macOS or wait a while, you may want to consider research presented at last month’s Objective by the Sea 4.0 security conference. One security researcher who examined the issue found that, all things being equal, “the current version of macOS is the safest one”.

watchOS 8.1 and tvOS 15.1

Last and, if we’re honest, probably also least in most people’s minds, we come to the security updates for watchOS and tvOS. 

While bugs in these OSes don’t typically grab headlines the way iOS and macOS bugs do, they can still be serious. And this time around, Apple says that it fixed 16 security issues in watchOS 8.1, and 18 in tvOS 15.1.

In other words, if you’re a watchOS or tvOS user, you should update right away as well!

For more security and privacy tips and how-tos, visit The Checklist archives. Do you have a question you’d like to ask (or a topic you’d like us to hit on a future show)? Write to us and let us know!
