
Apple releases iOS 15.2

On Monday, December 12th, 2021, Apple released updates for its popular iPhone and iPad operating systems, bringing the version number to 15.2 for each.

Nestled in the feature list of the update are two important call outs along the privacy front.

Updates to “Hide My Email”

Apple released a number of privacy features alongside iOS 15, and among those was “Hide My Email”, a service available to iCloud+ subscribers for as low as .99 cents a month. This feature, when invoked, allows users to mask their real email address with an email alias, which forwards email to the user's real address.

This process shields the real email address from data collection and abuse by organizations, as it limits the email address being used across domains / companies, thus hindering targeted advertising efforts such as Unified ID 2.0.

The operating system update enhances this protection by bringing it front and center into the Apple Mail email client. Now users, while writing mail, can choose whether their real email address or an alias is provided to the receiver by tapping the From: field.

It should be noted that email is still deliverable. However, because the user can delete the alias at any point, it effectively means they can unsubscribe without telling you. Trial sign-ups dependent on nothing more than an email address will have to consider that this may result in a sizable increase in trials, as it is easier to generate an alias than it is to construct an entire email account.

In my testing, emails created with this feature were from the icloud.com domain. Meanwhile, email aliases created from the Private Relay feature were from privaterelay.appleid.com. Should you see either domain in your email file, you can know that the user's real email address is hidden and can factor in that they may no longer even be getting / reading email sent to the alias unless you can verify activity via some other means. Note, however, that if they are using Apple Mail, chances are they are also shielded by Mail Tracking Protection, rendering common KPIs such as ‘Open Rate’ skewed.

Introducing the App Privacy Report

New with this release is the App Privacy Report. This feature must be enabled, but once enabled it will record for the user how many times privacy-sensitive data or device sensors were accessed in the past 7 days. It also allows the user to monitor network activity used by the application in question.

For data and sensors, a report may indicate how often an app uses access to items such as location, camera, microphone, contacts, photos and more. The user can reference the report and use it as a gauge to see if the app is acting in line with their expectations.

For network activity, it’s a bit more in depth. For starters, it’ll show domains that have been connected to either by the app, or websites visited within those apps (such as through a web view). This list of domains may end up revealing apps not acting in accordance with their published data collection practices. This may thus expose a violation which could prompt users to complain to Apple to investigate.

If we take a look at the Reddit app for instance, we can see all the domains that Reddit contacts on open, including external ones such as branch.io and app-measurement.com. So by drilling into the App Privacy Report an app’s connections are easily exposed allowing users to see if the app is potentially doing something it shouldn’t be.

The additional risk for apps here is that users who engage with the report may call out brands that are not in compliance, and the risk to brand reputation should not be discounted. It may be worth double-checking that the app is acting as you believe it to be and updating as needed.
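One way to run that double check on your own app, as an added example rather than anything from Apple or this post: it assumes the report has been exported from a test device as newline-delimited JSON, and that network records carry `type`, `bundleID`, `domain` and `hits` fields. The sample records, bundle IDs and the declared-domain list are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records. The field names (type, bundleID, domain, hits)
# are assumptions about the exported NDJSON; adjust them to match your export.
SAMPLE_EXPORT = """\
{"type":"networkActivity","bundleID":"com.example.shop","domain":"api.example.com","hits":12}
{"type":"networkActivity","bundleID":"com.example.shop","domain":"cdn.example.com","hits":4}
{"type":"networkActivity","bundleID":"com.example.shop","domain":"tracker.example.net","hits":7}
{"type":"access","category":"location","accessor":{"identifier":"com.example.shop"}}
{"type":"networkActivity","bundleID":"com.example.other","domain":"tracker.example.net","hits":1}
not-json line from a truncated export
"""

# Hypothetical list of domains your published data collection practices cover.
DECLARED = {"example.com"}


def is_declared(domain, declared):
    """True if domain is a declared domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    # The "." prefix keeps look-alikes such as evilexample.com from matching.
    return any(domain == d or domain.endswith("." + d) for d in declared)


def undeclared_domains(ndjson_text, bundle_id, declared):
    """Return {domain: total hits} for domains the app contacted but did not declare."""
    totals = defaultdict(int)
    for line in ndjson_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines rather than abort the audit
        if not isinstance(rec, dict) or rec.get("type") != "networkActivity":
            continue  # sensor/data access records are not part of this check
        if rec.get("bundleID") != bundle_id:
            continue
        domain = str(rec.get("domain", ""))
        if domain and not is_declared(domain, declared):
            totals[domain.lower()] += int(rec.get("hits", 1))
    return dict(totals)


if __name__ == "__main__":
    for name, hits in undeclared_domains(SAMPLE_EXPORT, "com.example.shop", DECLARED).items():
        print(f"undeclared: {name} ({hits} hits)")
```

Anything this reports is a domain to either remove from the app or account for in its published privacy details before a user finds it in the report.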

It should be noted that the feature does not record network activity from browser private windows. However, apps which have a private mode (but are not browsers) will have their traffic reflected here. This is noteworthy because webview apps may be subject to App Tracking Transparency requirements, which may mean that if a user opts out in the native app, the webview also has to comply, as per Apple’s FAQs.

If you're interested in turning on the App Privacy Report yourself, head to Settings, tap on Privacy, scroll to the bottom and tap on App Privacy Report, then toggle it to “on”.

Published in Mobile, Privacy