top | item 39635616

(no title)

Hey I can shed light on this. It’s the iCloud keychain. Disabling the keychain doesn’t delete existing entries. There is no way to modify the keychain on iOS (you can on Mac). Lots of apps store sign on data in the keychain for obvious reasons.

It would be really great to have a keychain section in iOS’s settings, like Keychain Access on Mac. The dev can build in-app functionality to delete keys from the keychain, but there’s not a huge incentive to.

Keychain storage doesn’t let FB track you, just store sign on info, keys, and the like. It’s not able to execute arbitrary code, it’s an encrypted place to store login info that Apple syncs between your devices.

Use them via Safari if you don’t want this (then your logins are saved & synced in Safaris keychain.)

discuss

discostrings|2 years ago

It's not specific to iCloud Keychain--it applies to on-device Keychain on iOS devices, too, even if you don't use iCloud. Any developer can store data there with no way for the user to know or see what it's saving, and it's shared among all apps from the same developer. Keychain is quite a misnomer here--it's really "store any (short) data you want on a user's device without them ever being able to see or remove it". It transfers when you restore backups on new devices, too, even if you haven't had the developer's apps installed in the last decade.

This is an issue because if you ever use an app by a company, uninstall all their apps, and then install one of the developer's apps years later, they can tell it's the same iOS profile (even restored on a different device), profile what you do across those apps/installs/decades, and associate any accounts you log in with. Essentially they can put a permanent cookie that you can't even see on your iOS profile that's shared between their apps. If you use iCloud Keychain, they can probably profile you across all your devices regardless of whether you reset one.

Apple has said this isn't intended functionality and they were going to address the issue many years ago in iOS 10.3 by removing Keychain data when the last app from a developer was uninstalled [1], but they got cold feet. If I recall correctly, the reason was that some app developers were relying on this unintended functionality to ensure free trials couldn't be used more than once. Apple was going to introduce a service that could store only 2 bits of data to enable that use case and then revisit Keychain deletion when the last app from a developer is uninstalled, but it appears they haven't.

It would be great if they'd finally fix this.

[1] https://developer.apple.com/forums/thread/72271

miki123211|2 years ago

This is also used heavily for abuse / spam / fraud prevention.

If you detect that a user is abusing your service, the ability to put a permanent cookie on their device is very useful.

This isn't effective against organized crime groups (they can just get Macs / use the web / whatever), but works well against your average troll or internet racist.

Still tracking, but a very different kind of tracking.

alexsereno|2 years ago

You’re right, I could have specified that even if you don’t use iCloud you have a keychain on iOS

lxgr|2 years ago

> Keychain storage doesn’t let FB track you

It sure lets app developers identify me across app deletions and reinstalls!

I'm also not sure why Apple has kept this loophole open for so long when they are otherwise so focused on making sure user tracking across reinstalls is so hard (e.g. by making APNs tokens change after a reinstall, which used to not be the case as well, restricting access to read the device MAC address and other permanent identifiers etc).

gruez|2 years ago

You can theoretically do that, but that's against app store regulations. I'd imagine that logging out first, then deleting the app, should prevent the behavior because afterwards there's very little reason to have any sort of lingering keychain data. But at the end of the day, it's basically an honor system.

threeseed|2 years ago

You can add/delete entries in the iOS keychain from the Passwords section.

And I am looking at my iPhone now and Meta does not store tracking data in the Keychain.

alexsereno|2 years ago

You certainly can not, here's some more info. Passwords and the keychain are separate items.

https://apple.stackexchange.com/questions/441112/how-can-i-r...

Razengan|2 years ago

> Keychain storage doesn’t let FB track you

Are you serious? They literally know my previous accounts even after I DELETE the app, WIPE the iPhone, and login to the same iCloud account on ANOTHER iPhone.

They do this by storing some data. They can store data about anything else. How can be sure if we can't even LOOK at that data?

I only caught this because of the visible symptoms they CHOSE to show us: The list of previous logins.