This is the first in a series of articles that will explore potential privacy vulnerabilities in Apple devices. In this specific article, we present a technique for detecting an Apple ID region without permissions, utilizing Smart App Banners. The demo is available for iPhone and iPad, and the source code is available on Github. Stay tuned for Part 2, which will continue our exploration on this topic.
*DISCLAIMER: Fingerprint as a company does not use this technique in our products and we do not provide cross-site tracking services. We focus on detecting and preventing fraud in addition to supporting modern privacy trends for removing third-party tracking entirely. We believe there should be open discussions about such techniques to help internet browser providers fix them quickly.*
What is the Apple ID region?
Apple ID region, also known as App Store region, is a setting associated with a user's Apple ID account. It determines which country's content and services they have access to on the App Store, iTunes Store, and other Apple services. Typically, the region setting is defined by the billing address associated with the user's Apple ID, which is often linked to their credit or debit card country or their registered address.
The Apple ID region affects various aspects of the user experience, such as:
- App Availability: Some apps or app features may only be available in specific regions due to licensing restrictions, regional regulations, or the developer's target market.
- Content and Pricing: The region setting may also influence the pricing and currency of apps, movies, books, and other digital content available on the App Store and iTunes Store. It can also impact the availability of region-specific content like local news, television shows, or movies.
- Services: Certain Apple services, such as Apple Pay or Apple News, may only be available in specific regions.
To change the Apple ID region, users can go to their account settings and update the country or region associated with their Apple ID. However, they may need to cancel certain subscriptions or spend their remaining store credit before making the change. Once the region is updated, the user will have access to the content and services available in the new region.
What are Smart app banners?
Apple introduced Smart App Banners with iOS 6 to help developers promote their native applications on the web. These banners appear at the top of a webpage when viewed on an iOS device, displaying information about the application and providing a direct link to the App Store for easy installation. They are designed to enhance the user experience and help developers drive more traffic to their iOS applications.
Narrowing down Apple ID region: a binary search approach
If the application is not available in your set Apple ID region or country, a Smart App Banner for a region-restricted iOS application will not be shown in a browser. Attackers can pinpoint a user's exact country by performing a binary search over the 175 available regions in the App Store.
Take a region-specific iOS application such as Starbucks France for example. These applications create a unique opportunity for attackers to leverage Smart App Banners to identify a user's Apple ID region.
In order to implement the binary search technique we will enumerate applications’ smart app banners. For the maximum efficiency, each application should be available in evenly distributed groups of countries. This will allow an attacker to slice the available options roughly in half on each step. Considering the initial list of possible countries is X (175 countries), here are the steps:
- Insert a smart app banner of an iOS application, that is available in Y countries, into the HTML code and detect the presence of the banner with VisualViewport browser API.
- If the banner is shown, reduce the search scope to Y. If not, reduce the search scope to countries from X, which are not presented in Y.
- Repeat steps 1-2 to narrow down the list of possible countries to a single one, which will represent the user's Apple ID region.
The demo is available for iPhone and iPad, and the source code is available on Github.
Conclusion
Leakage of Apple ID region information can pose a threat to user privacy and contribute to fingerprinting techniques that enable third parties to track and identify users across different online platforms. Additionally, this information remains constant across various networks and VPN usage.