[HN Gopher] Smart App Banners can be used to reveal Apple ID region
___________________________________________________________________
Smart App Banners can be used to reveal Apple ID region
Author : danpinto
Score : 60 points
Date : 2023-04-11 17:27 UTC (5 hours ago)
(HTM) web link (fingerprint.com)
| endisneigh wrote:
| I hate those things. Anyone know of a way to get rid of them?
|
| In particular, the "Open in the X app" banner is obnoxious. I get
| showing it once, but if I remove it, don't show it again.
| chankstein38 wrote:
| This generally seems to be a thing plaguing tech anymore.
| Within the last several years I've noticed the removal of "No"
| buttons in favor of "Not Yet" buttons and no way to say "Never
| show again." I don't understand why companies think repeatedly
| notifying me about the same thing will do anything but make me
| mad. You're not going to force me to install it or use your
| product or do whatever you're trying to force me to do by
| bothering me about it. I'll just not buy another product from
| you or find some way to make it stop one way or another.
| TazeTSchnitzel wrote:
| Use a browser other than Safari. Firefox for iOS doesn't show
| them.
| resfirestar wrote:
| Smart app banners don't work in webviews, so on iOS you could
| block this technique by using a different browser. However, most
| iOS browsers set a different user agent that's distinct from
| Safari, which might make you even more fingerprintable.
| clnq wrote:
| This works around VPNs, but something similar could also be done
| using the Accept-Language header or JS internationalization
| (Intl.DateTimeFormat().resolvedOptions().timeZone).
|
| It's a clever find, but also very disruptive to the user when it
| happens, and even using a binary search tree still takes a long
| time.
| withinboredom wrote:
| The accept-language header isn't very reliable. For example,
| I'm not anywhere near the US but my language is set to en-us
| because that is where I'm from originally (same with the
| timezone trick). So you end up just identifying immigrants,
| migrants, and tourists, not necessarily people on a VPN.
| clnq wrote:
| True, all three (including the Apple ID region) are not very
| reliable.
| latexr wrote:
| The method de-anonymises to the "Apple ID region". At most it
| gets your country. By design, Apple's own iCloud Private Relay [1]
| anonymises at best to the country level, so I doubt they'll see
| this method as a problem.
|
| Though important to note:
|
| > this information remains constant across various networks and
| VPN usage.
|
| [1] https://support.apple.com/en-us/HT212614
| Nextgrid wrote:
| However, the exit nodes used by Private Relay always map to your
| current country and not the billing region of the Apple ID,
| so a persistent discrepancy is still possible.
| duskwuff wrote:
| > de-anonymize
|
| Where by "de-anonymize" they actually mean "detect what region
| the user's Apple ID is set to". The fingerprinting value of this
| is pretty weak, especially since, in most cases, it'll be the
| same as the country inferred from the user's IP.
|
| It's also trivial for Apple to mitigate if they consider it to be
| an issue -- they can make the banner appear regardless of whether
| the app is available to the user.
| a_vanderbilt wrote:
| Definitely a click-bait title. I'd argue the IP alone gives you
| even more useful information.
| tinus_hn wrote:
| I presume they also allow you to detect if you have the app
| installed or not.
| jaywalk wrote:
| No, the banner shows up either way and the size of the banner
| doesn't change based on whether the app is installed or not.
| So there's no way to determine whether or not the app is
| installed using this method.
| tinus_hn wrote:
| I thought a web page could take a screenshot of itself,
| which would include the banner, but apparently that's a
| completely new rendering.
| mikeortman wrote:
| Your Apple ID country has a lot of implications if changed
| (certain app access will be available/restricted, payment
| methods, etc). You aren't going to be able to identify a user
| specifically, but you could detect if a user is currently
| traveling internationally or may be a frequent VPN user.
| anamexis wrote:
| This is the case anyways with the user's IP.
| Nextgrid wrote:
| The problem is that combining the two would actually give
| you significantly more information than either individual
| datapoint. A mismatch between Apple ID region and IP region
| will _very reliably_ identify a subset of users (either
| expats or travellers).
| hinkley wrote:
| Or VPN users, which is still relatively small.
| dang wrote:
| Ok, we've changed the title to reflect that. Thanks!
|
| (and thanks also to the user who emailed this suggestion to
| hn@ycombinator.com)
| strongpigeon wrote:
| Good find. I'm mostly surprised that Safari allows you to show a
| banner for any app. I would have thought that Apple would
| validate that the domain of the site matches what is registered
| in App Store Connect before it shows the banner, but apparently
| not.
|
| Not a huge deal; you're not fully de-anonymizing the user, but
| it's information leakage regardless.
| 542458 wrote:
| > domain of the site matches what is registered in App Store
| Connect before it shows the banner, but apparently not.
|
| This might be by design... For example, a podcast website might
| be interested in showing a banner for the app that you can get
| their podcast on. (This isn't a defence of the banners
| themselves, which IMO are naggy and unnecessary)
| bluesign wrote:
| All good, but the demo said my Apple ID is Netherlands, while it
| is not.
___________________________________________________________________
(page generated 2023-04-11 23:01 UTC)