This. This is why everyone who wants to fingerprint and collect tons of data on end users pushes them hard on installing an app. The amount of valuable data is 10x what’s available in the browser
And it is not just the fingerprinting, it is also that a good number of people will install an ad/tracker blocker in their browser, but almost nobody knows or cares about the multiple trackers that most apps have.
To make it worse, Apple's naming undermines consciousness about this issue, since they have an option to block cross-app/site tracking (which IIRC blocks access to the advertising identifier), but called it "Allow Apps to Request to Track". A lot of people seem to hold the belief that disabling this option blocks all in-app trackers. It just blocks one way to correlate, but as this app shows, there are other ways to correlate (as well as correlating server-side using IP addresses, etc.).
On this topic, I somehow missed that Apple added a generic URL filtering API to macOS/iOS 26, which extends Safari filtering to the whole OS (well, as long as apps are using Apple's APIs). It's not perfect, but a nice addition to DNS-based blocking:
Aside from technical methods to address this, all this in-app tracking must be a violation of the GDPR, no? I can't imagine this all falls under legitimate interest.
To make it worse, Apple's naming undermines consciousness about this issue, since they have an option to block cross-app/site tracking (which IIRC blocks access to the advertising identifier), but called it "Allow Apps to Request to Track". A lot of people seem to hold the belief that disabling this option blocks all in-app trackers. It just blocks one way to correlate, but as this app shows, there are other ways to correlate (as well as correlating server-side using IP addresses, etc.).
On this topic, I somehow missed that Apple added a generic URL filtering API to macOS/iOS 26, which extends Safari filtering to the whole OS (well, as long as apps are using Apple's APIs). It's not perfect, but a nice addition to DNS-based blocking:
https://adguard.com/en/blog/apple-url-filter-system-wide-fil...
The author of Wipr added support to Wipr 2 as an extra in-app purchase:
https://kaylees.site/wipr2-whats-new.html#filtr
Aside from technical methods to address this, all this in-app tracking must be a violation of the GDPR, no? I can't imagine this all falls under legitimate interest.