How do apps obtain the personal data they list in app store privacy section?

[kofman13]

For instance, personal info linked to my identity "that may be collected" by apps. If i look at a game like Call of Duty mobile, it lists Email address.
If i look at Duolingo, it lists Coarse location, email address, Name, phone number.
Some other apps list all of the above plus more like financial information.payment information.

If I am not literally giving these apps any of this info like typing it in, how would they get my email address, phone number, name, or location... does iOS just automatically grant it to the app?

 

[MacCheetah3]

Foremost, some apps require an account, which often involves providing a username, email address, or phone number, as well as a password. In addition, they may request name, address, and other personal information.

As for collecting information:

Requesting permission​

Here are several examples of the things you must request permission to access:

• Personal data, including location, health, financial, contact, and other personally identifying information
• User-generated content like emails, messages, calendar data, contacts, gameplay information, Apple Music activity, HomeKit data, and audio, video, and photo content
• Protected resources like Bluetooth peripherals, home automation features, Wi-Fi connections, and local networks
• Device capabilities like camera and microphone
• In a visionOS app running in a Full Space, ARKit data, such as hand tracking, plane estimation, image anchoring, and world tracking
• The device’s advertising identifier, which supports app tracking

The system provides a standard alert that lets people view each request you make. You supply copy that describes why your app needs access, and the system displays your description in the alert. People can also view the description — and update their choice — in Settings > Privacy.

Privacy | Apple Developer Documentation

Privacy is paramount: it’s critical to be transparent about the privacy-related data and resources you require and essential to protect the data people allow you to access.

developer.apple.com

However, indeed, this level of transparency hasn’t always existed. I cannot recall all the stages of Apple’s privacy evolution, but here’s one:

Before iOS 14.5, developers could use a host of tools to track user data from within an app. Advertisers could then use it in conjunction with similar data from around the rest of the web to broadly identify information about a user and use that profile to better target them with advertisements (and sell those advertisement opportunities to other companies and businesses that want to focus on their specific marketing segments).

The main tool that’s been available to developers until now has been an Apple-controlled system that’s been around for almost a decade, Identifier for Advertisers (IDFA), but developers could also use other third-party tools and methods to cobble together user data.

Why Apple’s new privacy feature is such a big deal

A guide to Apple’s new privacy feature.

www.theverge.com

Mentioned twice now:

The advertisingIdentifier is an alphanumeric string that’s unique to each device, and which you only use for advertising. Use this string for frequency capping, attribution, conversion events, estimating the number of unique users, advertising fraud detection, and debugging. On devices running iOS 14.5 and later and iPadOS 14.5 and later, your app must request tracking authorization before it can get the advertising identifier.

\/

How to Find your Mac, iPhone, and iPad’s UUID

Your Mac, iPhone, and iPad all have unique ways of identifying them. If a developer asks for your UUID, here's how to find it.

www.howtogeek.com

 

[kofman13]

So you

Foremost, some apps require an account, which often involves providing a username, email address, or phone number, as well as a password. In addition, they may request name, address, and other personal information.

As for collecting information:

Privacy | Apple Developer Documentation

Privacy is paramount: it’s critical to be transparent about the privacy-related data and resources you require and essential to protect the data people allow you to access.

developer.apple.com

However, indeed, this level of transparency hasn’t always existed. I cannot recall all the stages of Apple’s privacy evolution, but here’s one:

Why Apple’s new privacy feature is such a big deal

A guide to Apple’s new privacy feature.

www.theverge.com

Mentioned twice now:


\/

How to Find your Mac, iPhone, and iPad’s UUID

Your Mac, iPhone, and iPad all have unique ways of identifying them. If a developer asks for your UUID, here's how to find it.

www.howtogeek.com

so you're saying i would manually have to input that info like giving email to make an account, or give them my phone number manually etc, iOS wouldnt just hand over?

 

[MacCheetah3]

so you're saying i would manually have to input that info like giving email to make an account, or give them my phone number manually etc, iOS wouldnt just hand over?

I’m saying there are means of acquiring personal information other than requesting permissions to Contacts, for example. With the two apps you mentioned… I haven’t played COD mobile and don’t know if they require an Activision account or just strongly recommends. For Duolingo, you need an account of some kind, which could be signing in via other platforms, such as Facebook or Google — and even those third-party logins share some details.

 

[kofman13]

I’m saying there are means of acquiring personal information other than requesting permissions to Contacts, for example. With the two apps you mentioned… I haven’t played COD mobile and don’t know if they require an Activision account or just strongly recommends. For Duolingo, you need an account of some kind, which could be signing in via other platforms, such as Facebook or Google — and even those third-party logins share some details.

its so crazy that everywhere ive posted this question today the answers are 50/50 opposites of each other. some people say you would have to input it manually or consent, the other half of commenters say iOS automatically hands it over when you install the app

 

[MacCheetah3]

the other half of commenters say iOS automatically hands it over when you install the app

Maybe with early iOS versions (e.g., < iOS 10). I wasn’t in software development back then nor have I tried any unethical, illegal, or otherwise nefarious activities.

 

[contacos]

There r also a lot of 3rd party SDKs that can be added to a 3rd party app like our app at work shows the iOS version, wifi or mobile data, what phone provider, even random things like if u used the app in portrait or landscape mode last time u opened it, if Bluetooth is enabled or how many times user x taps where inside the app and if you check out on location, I could technically even see where you did x or y based on your customer id like knowing u always go to location y, I can target you with push notifications for that particular location

 

[960design]

For instance, personal info linked to my identity "that may be collected" by apps. If i look at a game like Call of Duty mobile, it lists Email address.
If i look at Duolingo, it lists Coarse location, email address, Name, phone number.
Some other apps list all of the above plus more like financial information.payment information.

If I am not literally giving these apps any of this info like typing it in, how would they get my email address, phone number, name, or location... does iOS just automatically grant it to the app?

Native apps have access to core iPhone features. When installing the app you should get a notification for location services, ect.

Fun Fact: Apple does not verify App developers claims. App developer self report the data collected.

 

[Vlad Soare]

So, the answer to the original question seems to be that apps can interrogate iOS and retrieve such information from it. Now, if iOS actually provides this kind of information or not when interrogated, depends on various criteria, among which the permissions you give to each app. But if the permissions are granted, then the actual information comes from iOS itself, via its SDK.
Is this correct?

 

[Rkuda]

its so crazy that everywhere ive posted this question today the answers are 50/50 opposites of each other. some people say you would have to input it manually or consent, the other half of commenters say iOS automatically hands it over when you install the app

I think because it's actually a fairly complex question and different people might consider different information to be personal data.

One recent developer restriction would be the device name, up to iOS 15 a developer could request the Device name and get back something like "kofman13's iPhone 13 Pro" From iOS 16 the developer will only get back a generic "iPhone".

A developer can get the device name, but it must be to display it for the user and cannot in any way be used for tracking users. The developer must request and receive permission from Apple to get this feature.

I'm not sure if users would also be prompted.

com.apple.developer.device-information.user-assigned-device-name | Apple Developer Documentation

The entitlement for accessing the user-assigned device name instead of a generic device name.

developer.apple.com

Personal data that an app should not ever be able to get without you granting permission would include things like:
- Contacts
- Camera
- Microphone
- Precise location data from CoreLocation framework


On the other hand things like your email address could be captured by their sign-up form in the app, or on their webpage, or directly from a 3rd party like google if you use "Sign in with Google".

And of course rough location data is the easiest to get as any request to their server would have your device IP address.