In the frame of its tracking prevention policy, Apple recently communicated its current refusal to implement 16 web APIs, citing privacy concerns. Apple emphasized that the decision could be reconsidered if the proposals evolve to reduce the fingerprinting attack surface.
Safari recently blocked third-party cookies by default. Apple has now announced that it will not implement 16 web features which increase fingerprintability without offering adequate protections against it:
Here are some examples of features we have decided to not implement in part due to fingerprinting concerns:
- Web Bluetooth
- Web MIDI API
- Magnetometer API
- Web NFC API
- Device Memory API
- Network Information API
- Battery Status API
- Ambient Light Sensor
- HDCP Policy Check extension for EME
- Proximity Sensor
- WebHID
- Serial API
- Web USB
- Geolocation Sensor (background geolocation)
- User Idle Detection
In addition to not implementing the previous proposals, Apple will also either remove or alter support for existing APIs or web features that are fingerprinting vectors. That includes removing support for custom fonts, the Do Not Track flag, requiring user permissions to access the Device Orientation/Motion APIs on mobile devices, and more.
Some developers have lauded Apple’s decision, and emphasized also the security concerns related to some of the 16 APIs:
[The Web Midi API] is actually a bit horrifying from a security perspective. In addition to allowing you to use MIDI keyboards as input devices on websites, it also allows websites to send binary firmware updates to MIDI devices.
[…]
Mozilla’s engineers have reasonably pointed out that an attacker utilizing Web MIDI could use MIDI devices as a stepping stone to launch an attack against the user’s PC outside of the web sandbox. One such attack might be by reprogramming the device to appear as a standard USB computer keyboard and “typing” commands to the host.
[…]
As neat as Web MIDI is, I think Mozilla and Apple probably made the right security call here.
Other developers attributed secondary intentions to the move:
There may be some legitimate fingerprinting concerns. But given the list of API’s, it’s hard not to see this as Apple crippling PWAs to prevent them from replacing native iOS apps (and hurting Apple’s revenue from the Apple tax).
Google, on the other hand, is pushing web APIs to close the gap between web apps and native apps. Progressive web apps equipped with native APIs are instrumental to Google’s vision. The project Fugu, which gathers the API proposals considered for the standards track, is open to all Chromium contributors and organizations. The list of in-process APIs is available at https://goo.gle/fugu-api-tracker and includes some of the previously mentioned 18 APIs.
Fingerprinting involves measuring the uniqueness of static and dynamic device configuration (e.g. built-in hardware, user settings, installed peripherals), browser configuration, and user browsing data. Advertisers use this unique pattern (fingerprint), coupled with other fingerprints and data points, to uniquely identify each user.
With the increasing restrictions on cookies, user fingerprinting has become the standard method of tracking users in the online ad tech market.