iOS 17: The Future of Privacy and Security on iOS

iOS 17: The Future of Privacy and Security on iOS

In the mobile and app sector, app developers and marketers often find themselves having to adapt to the influences of major tech companies like Apple and Google, who essentially control the app stores. The release of new updates each year can significantly alter your app growth strategies. This month, Apple unveiled iOS 17. Whilst Apple have released some interesting new features as part of its new OS release (like visual look up or interactive widgets), there have been vital updates around privacy and security which app owners need to take heed of. These are especially important for app owners to consider as they plan their data collection strategies for 2024, ensuring they remain compliant and retain user trust.

Here’s what you need to know.

Source: ‘Pal About’ tracking permission

iOS 17 Privacy and Security Changes

Apple has always prioritised privacy and security of the end user. With the release of iOS 14, it took a big step forward to deprecate the IDFA. With the release of iOS 15, it made further changes around privacy and security while trying to give users more control on how their data is being used by apps. iOS 17 reinforces this commitment by introducing new policies aimed at enhancing user data protection. Here’s how.

Apple Cracks down on Fingerprinting

The most evident changes are stricter rules around fingerprinting. Fingerprinting is a technique used for ad-related tracking. It involves creating a unique identifier for a device based on its software and hardware characteristics, which can then be used to track users across different websites and applications, circumventing explicit tracking consent from the user.

As a new move by Apple to strengthen its stance on user privacy, it has given app owners a deadline of ‘Fall 2023’ to declare its intent behind using (any of) a small set of APIs that have the potential of being misused for fingerprinting.

The APIs include:

  • active keyboard
  • disk space
  • file timestamp
  • system boot time
  • user defaults

If app owners require these APIs for the functionality of their product, they need to make it explicitly known in the app’s privacy manifest. If this is not adhered to, you will receive a notice and potential submission rejection if you haven’t provided an approved reason.

How could this impact your apps? Let’s review the case of StorageGuruPlus+ (our completely made-up example app). This app helps users manage and optimise their device storage by providing insights into used and available space and offering suggestions for freeing up storage on their iPhone.

The app uses the disk space API to assess the available and used storage space on the user’s device to provide accurate insights and optimisation suggestions. This API is on Apple’s list of APIs that require ‘declared reasons’ for use, because it can potentially be used for fingerprinting. As this API is essential for the functionality of the product, StorageGuruPlus+ can make the use of this API clear in their app’s privacy manifest and ensure that the app’s submission is cleared by Apple.

Overall, iOS 17, Apple is trying to eliminate excessive data collection that may violate their new policies. As we covered in our recent app compliance blog, these ever shifting policy changes make the submission and approval process with Apple even more complex. Make sure follow Apple’s rules and be explicit in how you will use your users’ data as part of your submission process, otherwise they may reject your app.

iOS 17 Unveils Link Tracking Protection

With the release of iOS 17, Apple has announced its crackdown on UTM tracking links, implicating web-ad attribution and more. UTM trackers are an essential tool in a marketer’s toolbox. Now, the release of Link Tracking Protection will strip some tracking parameters from URLs that are clicked via Private Browser Mode on Safari, or Apple’s native Mail & Messenger apps. On the surface, this doesn’t seem to be a hugely disruptive change for app owners, especially as the pool of traffic being tracked through these channels may be small. It may, however, be the first step in a grander privacy shift on user tracking initiated by Apple.

Whilst the UTM tracking parameters are being stripped, the link will still work to drive users to their desired destination. Currently, only a few tracking parameters are being affected (effectively stripped) such as the Google and Facebook Click Identifiers (and some other big tech providers), which could be used to support attribution of the buyer journey. We anticipate that this list will continue to grow, and the weight of these updates will really be felt more broadly. For example, if more common Marketing Automation providers find that their email campaign UTM links are stripped, you’ll lose essential campaign insights.


The iOS 17 changes make it even more important that you choose your vendors carefully. Your app marketing agency partners, like Yodel Mobile, and MMPs are ahead of the curve in working towards tracking and data transparency solutions in light of new privacy policies put forward by Apple and Google. Leading MMP, Branch, have stated that they’ll support apps in supplying privacy manifests, sign SDKs to confirm authenticity, and are updating their SDKs and backend infrastructure in line with Apple’s most recent guidelines, differentiating between “tracking” and “non-tracking” network traffic. Make sure to liaise with your MMP partner to see how they are tackling these big changes and future-proofing your data collection processes. Finally, ensure to follow Apple’s submission process, be completely transparent around your API usage, and start working towards mitigating any impact of new tracking limitations or disruption to your app release schedules.  

Smokehouse Yard, 44-46, St John Street, London, EC1M 4DF 🇬🇧

Smokehouse Yard, 44-46, St John Street, London, EC1M 4DF 🇬🇧