Mobile's unintended slippery slope

Posted by on April 21, 2021 · 3 mins read

Apple posted a FAQ on ATT a couple months ago and one of the questions caught my eye:

This looks like an innocent question and answer. Any content inside an app’s webview which tracks a user should display the ATT popup. The weird part, that Apple clearly acknowledges, is how things on the open web will be policed between app functionality in the future. Where does the authority of the App Store end and the open web begin? Is the native web view really owned by the app?

There is a very fine grey line between a mobile app and the open web. Most mobile apps can’t function without using http in some way. Apps and the internet are so tightly coupled, it’s hard to distinguish the place where things start and end. In digital marketing, this shows up most in web-to-app and app-to-web advertising campaigns that some very popular self attributing networks (SANs) are most famous for. Facebook, most notably, has a decent following of users using the Facebook mobile web app where they can see other advertised native mobile apps in its feed. Simultaneously, there are also scenarios where native Facebook app ads can redirect to an owned open website in a webview or the open web browser (usually Safari on iOS) which can be used to attribute an install back to the native Facebook ad through fingerprinted attribution – going against the currently written Apple ATT standards. Since Apple also owns Safari, you have to also assume that Apple will take a similar stance on fingerprinting here too.

Its unclear if Apple has an opinion on the matter yet, but most of the industry is of the opinion that iOS developers need to show the ATT framework popup in order to track a user across native mobile and Safari web. Developers definitely don’t want to catch one of the Apple reviewers on a bad day and have their app rejected. Facebook criticizes Apple most for intruding and limiting the original purpose of the open web, especially since Apple controls the majority of the eyeballs by default through Safari. Apple defends itself saying that FB uses their user data for nefarious purposes and they are just trying to protect consumer privacy.

If this is the case, how long until Apple begins to police its browser and the open web on privacy? Where does it go from there? I don’t think Apple intends to step on the open web and the principles that it was built on, I just find that it’s worth noting that this is an area currently getting overlooked.