[58x14]

Years ago I tried to install and sign up for Turo on iOS to rent out a car I owned. It was a luxury car with a rebuilt title.

After I put in the VIN of the car, I received an error, and inexplicably I was banned from the app. No notification as to why, no "we don't accept rebuilt title vehicles," nothing. Naturally I scoffed, deleted the app and forgot about it.

Last year a friend rented a few cars on Turo for a trip and added me as a driver to one of them. I had switched phone numbers but kept the same phone. I downloaded Turo again and signed up with a new phone number and new email.

Before Turo even asked for my driver's license information, I was blocked again. It must be due to fingerprinting, which persisted over years.

I'm unsure how much apps can learn about your user profile, other apps you have installed, and other uniquely identifiable data. I've assumed it was limited, but perhaps I've been naive.

I guess these new rules are generally good? But I can imagine for every nefarious usage of these APIs, there can be a plausible cover reason...

[bbatsell]

Since you kept the same phone, that was probably DeviceCheck, which gives you 2 bits to store “fraud” related flags.

https://developer.apple.com/documentation/devicecheck/access...

[josephcsible]

Why does Apple let your device work against your own interests? If an app developer wants your phone to detect you committing "fraud", that should be their problem.

[pessimizer]

Why would Apple ever prioritize their customer's interests over their own? They've never once suggested that they would, and their customers prefer a hierarchical relationship. Apple is a company that whitelists which functions of a general purpose computer that their customers will be allowed to use.

That makes some people feel really secure, like the company is a loving parent, although companies don't love. They decide what is profitable and what is not.

[jefftk]

Why do mail providers work against your interests by blocking outgoing spam? Because in aggregate it's beneficial to users if external parties can trust the more.

[josephcsible]

That's different because you block spammers' messages on your servers, without the cooperation of the spammers' computers.

[lesuorac]

I mean the same reason Apple uses your phone to scan for nearby AirTags.

This isn't a feature that is actually costing them sales but a lack of DRM/etc affects what apps will be in their store.

[JohnFen]

It certainly costs them some sales, but not enough for them to care about.

[duskwuff]

That's a weird hill to die on.

Service providers need to ban people sometimes. This includes people who are savvy enough to know how to delete and reinstall an app to clear its settings. Never permanently banning anyone simply isn't a thing that's happening.

If Apple didn't provide DeviceCheck, or something similar to it, service providers would use some other means of deterring abuse. There's a couple directions they can go in, but they're all generally worse for users (e.g. using invasive tracking, requiring users to pay for service, etc). DeviceCheck is about the least invasive way I can imagine this being implemented.

[computator]

> probably DeviceCheck, which gives you 2 bits to store “fraud” related flags

Does resetting your iPhone (Erase All Content and Settings) clear out data like that?

Does doing a restore from backup put that data back on your iPhone?

[chockablock]

The linked article says the 2 bits are stored on Apple’s servers.

I.e. they could persist even if the device were bit-for-bit reset to factory state.

[kccqzy]

Is that basically serving the same purpose as Android's SafetyNet attestation?

[saagarjha]

It’s a little different since it’s meant to basically be a persistent identity. App attest is the more comparable technology for SafetyNet.

[loumf]

It could have been simply some data put in the keychain. That persists through app deletion.

[BillinghamJ]

It used to. They have largely changed that now - all data is deleted once the last app from a given vendor has been deleted (though it's not instant, and seems to apply weirdly on TestFlight + ad-hoc builds)

[joshmanders]

I delete Facebook a few times and every time I installed the app the first screen I got prompted with was "Hello Josh, would you like to sign in with your stored details?" Not all data is scrubbed. This persisted to even today running on iOS 17 Public Beta.

[Two4]

Did you also delete Messenger, Instagram, Whatsapp and Threads?

[joshmanders]

Yes.

[TheNewsIsHere]

I have experienced the same thing. Even when Apple made changes in Keychain policy to try to combat fingerprinting, “I never got the memo.” That sounds nuts, but I’m in the same boat.

I’ve had a few apps I’ve redownloaded months later, the only one from the developer, and my auth state was preserved.

I keep hearing that the Keychain data should be deleted, but my iCloud Keychain is filled with long-dead data

[can16358p]

It's most probably keychain.

[bobbylarrybobby]

Probably keychain, but maybe just iCloud?

[ChrisMarshallNY]

On the app I'm writing, keychain info remains.

I have a specific debug setting to wipe the keychain.

Sign in with Apple also generates a persistent ID with each app. That could be used to fingerprint the user, but not the device.

[sumuyuda]

I think this behavior hasn’t changed: https://developer.apple.com/forums/thread/36442

[ec109685]

Everything in this space is so muddled. Deleting the last app from a vendor should erase that data. On the other hand, if you restore your phone from another device, that should never require relogging into anything.

[RulerOf]

I used to go out of my way to take encrypted iTunes backups because it restored app state perfectly.

After some iOS release though, every app started doing "new phone, who dis" regardless of the restoration strategy, so I stopped wasting my time.

[dunham]

Yeah, last I checked, encrypted itunes backups would keep the "this device only" keychain data. Which would only work when restored to the same device - it needs the UID key from the secure enclave to decode. (I wrote code a few years ago to decrypt the rest of the keychain.)

At one point, google authenticator started marking its entries as "this device only". I don't know if they've backed off on that since then.

[gruez]

This does not align with my experience. I see Uber automatically log me in on a fresh install after I've uninstalled the app for months.

[fauigerzigerk]

No, I tried to completely delete Tiktok. It's impossible.

[newZWhoDis]

Keychain and DeviceCheck are likely how.

Apple needs to get their shit together with these two APIs.

[Keirmot]

There’s other ways. Like iCloud - you can store something on a private container and it will persist in the users Apple ID