In what could land a blow to Apple’s reputation a Reddit user has made revelations that add fuel to the fire that is the privacy debate.
Contents
The Discovery
Citing his experience with the 9Gag app, Redditor “blackmolecule” discovered by chance that even after uninstalling the app and redownloading it, he was still automatically signed in to his account without password prompt, and that device identifier is kept.
He further found user data stored in Keychain, Apple’s password management system. Data remains stored even without syncing with Keychain and seemingly the only way to purge it is to do a factory reset.
A Super Cookie?
The data though can be transferred to the device from Keychain again after restoring backup. blackmolecule likened this behavior to a “super” browser Cookie that can’t be viewed or gotten rid of without complete factory reset, a big inconvenience.
To remedy the situation the user suggested adding the option to view and delete data from an app stored in Keychain. Around a hundred people backed this up as evidenced from the number of upvotes.
Other Points of View
An iOS developer chimed in by saying that it’s doubtful this discovery is concerning for privacy since only apps from the same vendor can read the data. On the contrary a potential mechanism that automatically removes data from an app upon uninstallation would be riskier since it would “open a potential attack vector”. The bigger implication is that one must ensure to perform a complete factory reset if they are considering selling the phone.
Another user pointed out that this has happened likely due to caches and files left in the device after the uninstallation, which is also common behavior witnessed in other OS’ including Windows and Android. The intention behind retaining the data is likely for convenience purposes so as to not have to enter credentials every time the app is opened.
From the iCloud Point of View
Another user offered explanations for the behavior. In the case of games, even if the player does not log in daily they would still want their progress to be maintained and not deleted.
Login tokens are stored by apps in Keychain, which do not get deleted after removing the app. The Keychain is encrypted and tied to the device which does not create backups so data manipulation is not a concern. Other apps cannot access it, an intentional design by Apple for usability purposes.
It must be noted however that this is no reason to panic since it is unlikely the data is being used for tracking or targeting. It can be an annoyance but if Apple decides to address this issue device owners can rest assured their device and online activity information is in good hands.
iOS 14 Users Unable To Receive Texts or WhatsApp Alerts, learn more.
Comments are closed, but trackbacks and pingbacks are open.