All Your Apple are Belong to Us: Unique Identification and Cross-Device Tracking of Apple Devices

Privacy is about people. Smartphones and laptops (e.g., iPhones, iPads, and MacBooks) are the most frequently used personal devices. Consequently, people with ulterior motives (e.g., advertisers) can easily reach individuals through these devices. Although Apple is trying to provide the best protection of personal information on Apple devices, many approaches (e.g., private APIs and vulnerabilities) are being abused to uniquely identify users. In addition, identifying and correlating a person's devices allows cross-device companies to track that person and target operations (e.g., advertising) across both of his/her devices. Such cross-device tracking can, in principle, reveal a complete picture of a person and is therefore more privacy-invasive than simple tracking.

In this talk, we will present a study of unique identification and cross-device tracking technologies for Apple devices. We first list several approaches (e.g., public APIs and vulnerabilities like CVE-2018-4322) that uniquely identify an Apple device even after a system reboot or reset. Moreover, we present advanced algorithms and vulnerabilities (e.g., CVE-2018-4321) that associate Apple devices through deterministic user IDs (e.g., Apple IDs and phone numbers) and probabilistic data (e.g., device names, coordinate information, and IP addresses). Last but not least, we discuss feasible solutions (e.g., instrumentation and differential privacy) to prevent unique identification and cross-device tracking. It is worth noting that all vulnerabilities we found were reported to Apple (follow-up id: 710526756), and we believe our study can help Apple maintain and improve the privacy of its products.
