Apple Doesn't Fully Respect OS Privacy Settings
Researchers find telemetry going to Apple servers even when iPhone Analytics is turned off.
Apple's iOS has a setting that lets you turn off iPhone Analytics. The description of the setting says it will “disable the sharing of Device Analytics altogether.” Security researchers Tommy Mysk and Talal Haj Bakry found evidence that Apple’s app store seems to report data to Apple even when iPhone analytics is turned off. Gizmodo asked them to investigate other apps and they found that Apple's first-party apps -- Music, Apple TV, Books and Stocks also exhibited the same behavior. The Apple Health and Wallet apps did not collect data even if permissions were on.
On Twitter they described the App Store app as recording user user data and sending it to Apple. They say it included what you tapped on, what you searched for, what ads you saw, how long you looked at an app and details like device ID, screen resolution and keyboard language. Mask said with personalized ads, personalized recommendations, and sharing usage data and analytics all off, the data still appeared to be collected and sent to Apple.
One possibility for such collection would be iCloud syncing, but the analytics data was sent to a separate address from iCloud communications. The researchers used a jailbroken iPhone running iOS 14.6 and a stock iPhone running iOS 16. The jailbroken iPhone let them decrypt traffic and see what was being sent. The stock iPhone let them verify that similar packets were sent to the same analytics addresses at the same times under the same circumstances. Though they couldn't examine the content of the packets.
Apple has not responded to the research.