Rejected: Don’t Let Apple Determine Your App’s Fate

Apple, in centralizing control over data collected on iOS, is rejecting apps from the App Store, essentially 50,000 apps at a time.

For example, the App Store recently rejected updates to an app that used a third party software development kit (“SDK”) from Adjust. As a result of the SDK and according to Apple (as reported by Forbes):

“[Your app]…collects user and device information to create a unique identifier for the user’s device [via fingerprinting]… Per section 3.3.9 of the Apple Developer Program License Agreement, neither you nor your app can use any permanent, device-based identifier … for purposes of uniquely identifying a device.”

Apple, acting as judge and jury, issued its ruling, quasi-court like:

“to resolve this issue, remove any functionality from your app that uses algorithmically converted device and usage data to create a unique identifier for the user’s device. You should also remove any related code or implemented SDKs that support this functionality” (emphasis added).”

This “ruling” – if that’s what we call it – is significant because it shows the level of technical detail needed to comply with the ever-shifting iOS requirements. Also, the Adjust SDK that was integrated into the app in question potentially supports thousands of apps, meaning one SDK or set of third party code can result in a tidal wave of issues across the app ecosystem. In fact, according to its website, Adjust is “[t]rusted by over 50,000 apps worldwide.” Adjust released an update to respond to this issue.

Let’s also not forget that iOS/iPadOS/tvOS 14.5 is coming. This means legal and development teams alike must be ready to: (1) identify those apps that either “track,” as defined by the privacy requirements, users or access the IDFA and (2) implement the AppTrackingTransparency (“ATT”) framework accordingly.

What to do?

As these reports are showing, meeting legal and industry privacy requirements require a technical solution. With a network traffic analysis done by NT Analyzer, you can be confident that Apple will not turn up any data leakage or tracking that you do not know about, including any that is used by third party SDKs.

NT Analyzer’s downloadable report and designated module for iOS gives organizations the information they need, at both a technical and legal level, to meet its iOS/iPadOS/tvOS privacy requirements, including, but not limited to:

  1. Identifying all parties collecting data (as well as which SDKs are integrated into the app);
  2. Identifying all data types, including personal information/data (at both a technical – e.g., hashed, encoded, fingerprinting, IDFA, etc. – and traditional level); and
  3. For each data type, determining: (i) what is the ‘”purpose” of the data; (ii) if the data is linked to the user; and (iii) whether the data is used for “tracking” (all terms, as defined by the Privacy Requirements)

Since the vast majority of this data comes from a consumer’s device, and not an organization’s own data center, organizations are largely blind to the collection and sharing of this data. With new laws such as CCPA and industry standards like iOS, companies are now responsible for all data. In other words, the traditional cybersecurity model only protects the castle, but with NT Analyzer you also have a clear view of the entire kingdom and can monitor all roads leading in.

Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa
Steven Roosa

Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.

More posts by Daniel Rosenzweig