[e28eta]

I’m fascinated that they aren’t requiring an entitlement for all usage of setting & posting notifications through this API. A way to share 64 bits of information (at a time) to any process on the device? That is right in the wheelhouse of tracking a user across apps.

I don’t specifically know the types of things that you’d want to share across apps, but there’s a long history of cross process information channels being removed or restricted.

If the system is storing values for you, and isn’t keeping track of which app they came from, now you’ve got persistent storage across app deletion & re-install, as long as there isn’t a reboot in between.

I think you could easily use it to work around IDFA or IDFV resets, as a simple example.

[tgv]

> That is right in the wheelhouse of tracking a user across apps.

The design is old. It probably predates facebook, so it's not been intentional, as your comment might be interpreted. But it certainly seems ripe for abuse. I'm curious if it would actually be used for that, because any app that can access internet already has a better way to share information.

[LunaSea]

Facebook predates iPhones by 3 years.

[jen20]

NSNotificationCenter predates the iPhone by 13 years, though…

[tgv]

According to the docs, NSNotificationCenter already was present in Mac OS X 10.0. It seems to be present in NextSTEP 3.3, which was released in 1995 (http://www.cilinder.be/docs/next/NeXTStep/3.3/nd/Foundation/...).

[varenc]

I was interning at Facebook in '07 when the first iPhone was released. Can confirm! Someone was 3rd in line at the Palo Alto Apple store and brought it over to the office.

Though iOS definitely predates 3rd party apps and the ad based economy. Which is a bit of a tautology.

[agos]

this is exactly where my mind went immediately - 64 bits is more than enough for easy (1 line!) unenforced cross-app tracking of a user for advertising purposes, basically a super cookie for iOS. If they now require an entitlement for this API it's a privacy win

[croemer]

Only sensitive notifications require an entitlement. Tracking wasn't mitigated.

[icoder]

The IDFV already supports tracking user across apps, as long as they are from the same vendor. It resets when apps from a vendor are removed from a device. Not sure if the user can reset it by themselves, but the vendor could then always tie things together using another self-generated identifier stored on the device, as long as any of its apps are on it, which boils down to the same.

I think the approach you describe allows roughly the same, except perhaps doing so without (or with different) permissions, and allowing to do this between vendors (that must agree upon this upfront).

[e28eta]

I think it’s most interesting for 3rd party SDKs (analytics, advertising, others?), because they’re in a position to have their code running in apps from different vendors.

[jillyboel]

As per the DMA if it's available to Apple's own apps it has to be available to third party apps as well. Of course apple will fight this tooth and nail so they can maintain their walled garden, making them billions per year.