
Even if you install just a single app on your factory-reset iPhone and ask it “Not to Track,” you still expose yourself to a vast tracking ecosystem and anyone willing to purchase your location and other sensitive data.
Apple has an option to ask apps to stop tracking your activity. But what does the “Ask App Not to Track” button actually do?
Not much, apparently. The app developers won’t get your Advertising Identifier (IDFA), a unique number attributed to the user, and that’s basically it.
However, the app will still be able to collect any data it has access to. As the security researcher known as ‘Tim’ demonstrated, there are a multitude of other IDs and ways to track you down.
In a blog post currently making waves on YCombinator, Tim detailed an experiment in which he installed a single app, tracked its communications, and uncovered shadowy user data selling practices.
Apple’s support page states, “If you choose Ask App Not to Track, the app developer can’t access the system advertising identifier (IDFA), which is often used to track.”
“The app is also not permitted to track your activity using other information that identifies you or your device, like your email address.”
Dozens of other IDs
Regardless of users’ choices, “the free apps you install and use collect your precise location with a timestamp and send it to some third-party companies,” the researcher warns.
Through a complicated scheme, advertisers and data brokers obtain extremely detailed data, including screen brightness, memory amount, battery level, or whether a user is wearing headphones.
They may not get the Advertising ID, but the requests included over 20 other IDs, such as Identifier for Vendor (IFV), Transaction ID (TID), Session ID (SID), Device ID, or User ID (UID).
“There is so much data in the requests that I’d expect ad exchanges to find some loophole ID that would allow cross-app tracking without the need for IDFA.”
A steep paywall stopped him from finally buying back his own and millions of other people’s location logs.
“I don't have a big enough company to take a trial or spend $10-50k to buy a huge database with the data of millions of people and me,” the security researcher posted on timsh.org.
App developers may not even be aware of user data collection
The experiment included a single app on an old factory-reset iPhone 11 and a proxy to record all traffic. The app was a game made by KetchApp, which has published more than 200 games in the App Store. But this part was not exceptional.
Once the app was installed, it initially sent requests every split second.
The requests, which included geolocation data and 200 other data points, were sent directly to the provider of the software development kit (SDK) used to create the game, in this case, the 3D engine Unity. The researcher noted that the shared location was not precise because the iPhone had no SIM installed and was connected to WiFi.
Facebook was another receiver of requests with IPs and timestamps despite not having any Meta apps installed or direct consent from the user.
Because Tim asked the app not to track, the “advertisingTrackingId,” one among the other 200 keys, was set to all zeros.
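An added example, not taken from the researcher's post: a check you could run over your own proxy capture to see which identifier values still appear at more than one destination once the advertising ID is zeroed. Apart from `advertisingTrackingId`, the field names, hosts and values below are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Heuristic: keys that look like identifiers (...Id, uid, sid, ifv).
ID_KEY = re.compile(r"(id|ifv)$", re.IGNORECASE)
ZEROED = re.compile(r"^[0-]+$")  # e.g. the all-zero advertising ID

ZERO = "00000000-0000-0000-0000-000000000000"
IFV = "6D92078A-8246-4BA4-AE5B-76104861E7DC"  # constructed value
# Constructed capture: (destination host, JSON request body).
CAPTURED = [
    ("sdk.example.test", json.dumps({
        "advertisingTrackingId": ZERO, "ifv": IFV, "sessionId": "s-1001",
        "device": {"deviceId": "dev-4f2a", "batteryLevel": 0.82}})),
    ("exchange.example.test", json.dumps({
        "advertisingTrackingId": ZERO, "IFV": IFV, "sid": "s-2002",
        "uid": "dev-4f2a"})),
    ("dsp.example.test", json.dumps({
        "ifv": IFV, "sid": "s-3003", "screenBrightness": 0.4})),
]

def leaves(obj, key=""):
    """Yield (key, value) for every scalar in nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from leaves(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from leaves(v, key)
    else:
        yield key, obj

def linkable_ids(captured):
    """Map each non-zero ID value seen at 2+ hosts to its hosts and key names."""
    seen = defaultdict(lambda: {"hosts": set(), "keys": set()})
    for host, body in captured:
        for key, value in leaves(json.loads(body)):
            if isinstance(value, str) and ID_KEY.search(key) and not ZEROED.match(value):
                seen[value]["hosts"].add(host)
                seen[value]["keys"].add(key.lower())
    return {v: {"hosts": sorted(d["hosts"]), "keys": sorted(d["keys"])}
            for v, d in seen.items() if len(d["hosts"]) > 1}

if __name__ == "__main__":
    for value, info in linkable_ids(CAPTURED).items():
        print(value, info["hosts"], info["keys"])
```

Per-request session IDs drop out because they never repeat across hosts; values that do repeat are the ones that let separate recipients join their records.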
Before reaching the final advertiser, the data flowed to a Demand-Side Platform (DSP), which in this case was Moloco. On its website, the company boasts an expansive reach of 6.7 billion devices across more than 190 countries.

Many advertising solution companies that offer real-time bidding do the same. They connect advertisers with banner spaces while also aggregating massive amounts of user data for better targeting. Any bidder can then access parts or even all of this data.
“Imagine a real ad exchange that bids normally and collects all of the data along the way ‘as a side gig.’ Basically, this is how intelligence companies and data brokers get their data,” the researcher said.
A quick search also reveals hundreds of data brokers that sell the collected data. Some even offer to match the advertising identifiers and provide real-time updates.
“But my goal is to track and stalk people like myself or anyone else, so I need some way to exchange MAIDs (advertising IDs) for the actual personal info: name, address, phone number... No problem!”
The researcher said he found another company that provides this service. The provided data sample includes full names, emails, phone numbers, physical addresses, and other personal info linked to advertising IDs.
This data can be obtained by anyone, not only intelligence and security agencies. These large datasets contain the geolocation history of anyone who “used some free apps for a bit.”
The author noted that while each part of this data trade seems legitimate, it’s the bigger picture “that makes them look ugly.”
DNS sinkhole might help
The privacy erosion, security risks, and other potential implications of this experiment stirred a discussion on Hacker News, which received the most upvotes over the weekend. Many users feel that privacy is a losing battle without systemic change, given the profit incentives of tech companies and data brokers.
“Apps may not track by an ID, but could easily ‘fingerprint’ users (given how much other data is sent), so even without a unique ID, enough data would be provided for them to know who you are 99% of the time,” one of the users said.
Some shared advice on how to approach this problem, including not giving location permissions, using GPS-mocking features, flooding providers with fake data, using DNS filtering solutions, such as private DNS services or even setting up their own Pi-Hole, and enabling ad blockers.
However, others also felt that no measures could protect them from being tracked because developers already use workarounds, such as hardcoded IPs.
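The limit described above, as an added example that is not part of the article or the discussion: comparing a resolver log with a flow log from the same device shows which destinations were contacted without any DNS answer, so a sinkhole never had the chance to block them. The log shapes, hostnames, addresses and the LAN range are constructed assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network

# Constructed resolver log: (queried name, answer IPs); empty list = sinkholed.
DNS_LOG = [
    ("ads.tracker.example", []),
    ("api.game.example", ["203.0.113.10"]),
    ("cdn.game.example", ["203.0.113.20", "203.0.113.21"]),
]
# Constructed flow log from the same device: (destination IP, port).
FLOWS = [
    ("203.0.113.10", 443),
    ("203.0.113.21", 443),
    ("198.51.100.7", 443),  # never returned by the resolver
    ("192.168.1.1", 53),    # the resolver itself, on the LAN
    ("198.51.100.7", 443),
]

def sinkhole_bypass(dns_log, flows):
    """Count flows to non-LAN IPs that no DNS answer in the log ever returned."""
    resolved = {ipaddress.ip_address(ip)
                for _name, answers in dns_log for ip in answers}
    counts = {}
    for dest, _port in flows:
        ip = ipaddress.ip_address(dest)
        if ip in LAN or ip in resolved:
            continue  # local traffic, or reachable only via a DNS lookup
        counts[dest] = counts.get(dest, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, n in sinkhole_bypass(DNS_LOG, FLOWS).items():
        print(f"{ip}: {n} flow(s) with no matching DNS answer")
```

Destinations reported here need a firewall rule or per-app network restriction rather than a blocklist entry, since no hostname was ever looked up.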