Apple’s Take on Data Privacy

Apple's new Vision Pro VR headset was the big news at this year’s Worldwide Developers Conference. The headset demonstrates how important Apple feels augmented reality market is to its future. 

But Apple's future also rests on how it manages its device ecosystem for data privacy.    

In a blog post, Apple announced two features -- privacy manifests and software development kit (SDK) signatures --on the same day that Vision Pro premiered. The introduction marked Apple’s evolving digital privacy strategy for its products, a result of its perennial market position in personal computing and smartphone. IT managers involved in app development within their organizations should take note. The move signals an integrity toward data usage that developer vendors must meet, eliminating those vendors whose apps mishandle consumer privacy.

Apple’s Evolution on Privacy

One feature, privacy manifests, consists of files that detail the privacy practices of all third-party SDKs utilized in an app. The practices are presented in a standardized format and are created in Xcode, the Apple-brand integrated development environment software (IDE).  Xcode can also combine privacy manifests into a single report when an app is prepared for distribution.

Privacy manifests act as an information label, allowing developers to better understand how third-party SDKs use app data and relaying that understanding to other stakeholders.The second feature is SDK signatures.SDK signatures are added from within Xcode to verify that the new version of an SDK was signed by the original developer. The signature ensures that SDK-supplied code is not a fraud copy in support of a scam attempt.

Both features address SDK management. SDKs are programming tools to build software for an operating system or a programming language that supports a given device or software. The kits simplify integration of programmatic functions and services into the software, letting developers streamline development with basic building blocks and debugging tools. Because developers can inadvertently incorporate a third-party SDK containing malware that captures user data, Apple developed these features to highlight where data privacy compliance can be compromised within a developers’ multi-faceted workflow.

Apple has always had a solid reputation among tech-enthusiasts, enticing developer and media professionals to buy Apple laptops, tables, and supporting software as soon as new versions are released. I have been an Apple laptop user since 2005.

But in expanding its reach beyond home computing, Apple has carved out a solid reputation among casual consumers for prioritizing user privacy, building on comments Steve Jobs made at the 2010 D8 conference regarding the meaning of privacy: “Privacy means people know what they are signing up for in plain English, and repeatedly.”

Since that time, Apple has incorporated Jobs’ perspective into its products so that identifying what specific data usage occurs is as straightforward as possible.  

What IT Managers Should Note From Apple’s Privacy Strategy

The simplicity-in-design approach that is an Apple hallmark has become critical as data usage has taken a brighter spotlight since the Jobs era. Most people think of Apps as tools for customers to complete a purchase task -- making a retail order to be picked up at a store, scheduling a doctor’s appointment, or making a flight reservation. But many Apps are also developed for workplace environments -- professionals are often developing apps to service their department needs.In either scenario, apps rely on third-party software development kits (SDKs) for creating the functionality to deliver these services.

Bad actors realize the emerging design reliance, working to mimic the appearance of corporate digital media, from fake emails to links to dummy user interfaces that contain company logos.  Many create zips files, emulating the files that typically carry SDK and programming updates. This puts a user at the risk of unwittingly downloading a bad program that gives access to user information.

IT teams are charged with helping corporate departments stay ahead of these security vulnerabilities. The defensive tactics vary, from performing due diligence to the employee training to spotting suspicious attempts through app software reflects. 

The WFH and BYOD trends over the years have challenged IT managers and teams to ensure that enterprises maintain consistent data privacy management across Apps and devices professional use daily. Paying attention to the synchronization of features offers some clues as to where privacy influences can occur. For example, Apple introduces fingerprint identification, called Touch ID, for security across its devices. The feature also works with third-party App access as well, giving users a consistent security experience.

Maintaining data privacy for business apps also highlights how user data is to be handled from the employees’ perspective. Employees are always interested in how their personal data is used once they have provided it. What happens to that data if an employee quits?When making deletion orpersonal data update requests, employees will want a confirmation that their requests have been executed. The delivered confirmation should be confidential and allow users to understand what personal data has been removed. In accordance with recent data privacy laws, such confirmation is essentially part of the dataflow for data subject requests (DSRs) and data subject access requests (DSARs).

Thus, IT management teams must be constantly vigilant with how employee information is processed in B2B apps.Being unaware opens a backdoor for malware, trojan horses, and other injection attempts to retrieve data. While most people think of consumer data when it comes to data breaches, companies run the risk of fines for compromising employee information. The hacking of a third-party app caused a data breach at Uber in 2016 that exposed the personal information of 57 million drivers and employees. Uber used the app to manage driver background checks. The US Department of Justice fined Uber $148 million for its role in the data breach. Uber suffered another breach last fall.

Some critics claim that Apple has too much of a dominant role over app availability, determining too arbitrarily to remove applications from the App Store. In 2017, developers criticized Apple for a policy that eliminated template no-code apps. The policy burdened small developers and businesses that relied on template apps for revenue but had no development resources to create and maintain a full app. Apple later adjusted the policy to ease restrictions.

IT managers whose companies host apps in a repository can learn from such challenges that tech companies like Apple’s face. When Apple reported that it blocked over 2 million fraudulent transactions from apps offered in its App Store, it also noted that it reduced the number of terminated developer accounts, from over 802,000 to 428,000 because of its App Store protocols. Many companies host apps to make them available across corporate locations.  But that convenience also means knowing when and where to weed out bad actors, too.

Both privacy manifests and SDK signatures are meant to ensure consistent data privacy is maintained in the apps sold in the Apple store. More privacy features are expected later this year.

Enterprising professionals will continue to turn to apps to accomplish their responsibilities, while seeking consistent control to how their data is used in an app. IT manager keeping up with device and platform changes like those from Apple will adjust policies to emphasize that consistency while minimizing privacy risks.  

What to Read Next:

Special Report: Privacy in the Data-Driven Enterprise

Will Your Company Be Fined in the New Data Privacy Landscape?

Former Uber CSO Sullivan on Engaging the Security Community