The Washington PostDemocracy Dies in Darkness

How to read and understand Apple’s new iOS App Privacy Report

Apple’s latest privacy feature in iOS 15.2 adds transparency but little explanation about what you can do about data sharing

(Apple/iStock/Washington Post Illustration)

A new Apple privacy feature is here, and it’s meant to shed light on what all your apps are really up to in the background of your iPhone or iPad.

As advertised, this new page nestled in Settings does share previously obscure details, but making heads or tails of what it means is tricky.

The App Privacy Report, released on Monday as part of a software update, is the latest in a line of similar features from the company, which has made privacy a cornerstone of its marketing strategy. With this update, the company has added more transparency, like a list of all the domain names a third-party weather app contacted when you checked for rain or how many times a social media app accessed your microphone. However, the report is short on actionable advice and has a level of technical detail that is more than most people will be able to parse.

There are some immediate actions you can take to protect your privacy though based on the report’s findings. We’ll walk you through how to turn on the report, what the sections mean, what you can do about it and why it doesn’t tell the entire story of your device’s secret life.

Apple iOS privacy settings to change now

How to get the App Privacy Report on your device

To even see this new setting, first you’ll have to make sure your iPhone or iPad is updated to the latest version of the Apple mobile operating system, iOS 15.2. Go to Settings → General → Software Update and tap Download and Install.

The Privacy Report is opt-in, meaning you have to turn it on and give your device permission to start collecting the data it needs to generate the report. The data is only saved on your device, not collected by Apple. Go to Settings → Privacy → App Privacy Report (you’ll need to scroll to the very bottom of the page to find it) and tap Turn on App Privacy Report. The feature will collect data immediately and show it in real time, but to make sure it has a bit to go on wait a few hours or a day before checking back. It records up to seven days of activity.

What is the report doing and why?

Once it’s turned on, the Privacy Report tracks the activity of individual apps and websites, then breaks it into sections so you can click through and see additional details, then even more details. The report is an attempt to give users more information so they can make decisions about things like what settings they have on and what apps they install or use.

“A user’s data belongs to them, and they should get to decide whether to share it and with whom. App Privacy Report gives users new insights into the behavior of apps on their device, and is a good complement to apps’ Privacy Nutrition Labels. It helps users make well-informed choices about the apps they use, how they use them and their privacy settings,” said Erik Neuenschwander, Apple’s head of user privacy.

It’s not the first time the company has attempted to beef up privacy by simply sharing more information. The app store’s “nutrition labels,” which launched at the end of last year in the App Store, say what different third-party apps are accessing. However, because much of the information is self-reported, our reporting found it was not always accurate.

The App Privacy Report doesn’t have the same loopholes, but there are some things it still can’t tell us, like exactly what data is being collected or sent by these apps. For example, you might see that a dog-sitting app accessed your contacts but not know what it took (there are few limitations on what apps can pull from your contacts). Or you might notice that a plant-identification app contacted multiple outside domains, but not know what sort of data was sent to those addresses.

In the end, the report gives users some information they can act on, and a whole lot more they may not know what to do with.

“They are taking the medium to long term view that, essentially, if you name and shame enough of these then apps will gradually improve their behavior,” said Johnny Lin, the co-founder of San Francisco company Lockdown, which makes a tracker-blocking app. “It puts pressure on Apple’s competitors, like Facebook and Google. They’re forced to change a little bit, they’re forced to adapt.”

I checked Apple’s new privacy ‘nutrition labels.’ Many were false.

How to read the Data & Sensor Access section

The first section is the most useful. Called Data & Sensor Access, it tracks what device sensors and data types each app is accessing, then logs it with a time stamp. This includes access to things like your contacts, photos, location, camera, microphone and media library. The list is sorted by the most recent, so whichever app accessed one of these categories last is on top.

Say you just finished driving somewhere and Google Maps is in the list. Click once and you can see a list of every data type it used. Click on one of those, like location, and you can see a list of every time it accessed your device’s location and for how many minutes. Details will vary by app. Twitter might have accessed your photos when you tweeted a screenshot of something funny, and the Phone app may have used your microphone every time you made a call and contacts when you used your address book.

There are a few quirks in this section for the Apple apps. Unsurprisingly, the Contacts app accesses your Contacts constantly. You’ll notice multiple other Apple apps using Contacts, but the reasons vary. Many apps, like Apple Fitness, access your contacts to show your profile image and name inside the app, while Photos uses it for face-detection in your pictures. Safari might show that it’s contacting your media library, but the company says that’s left over from a previous feature and will be removed in a future update.

Lots of apps use your personal contacts. Few will tell you what they do with them.

What you can do about the apps accessing too much

Look for any apps accessing data like your contacts, location or microphone when they shouldn’t. A social media app might be regularly accessing your contacts, even though you only shared them once when you first set up that account. A smart-home or fitness app might be collecting your location in the background when that information is not needed for it to work properly.

Look for red flags and be extremely conservative about what you share. All of these categories are sensitive information to some degree, and you have no control over what happens to it once it is shared with a third party. Be particularly wary of smaller apps from companies you’ve never heard of, like an off-brand game you downloaded once, that are accessing anything of value.

Oddly, there is no way to make changes to these permissions from the App Privacy Report. You need to make a list of the offenders or fix them one by one. Hit the back arrow on the settings screen and get back to the main Privacy page. Here you’ll see a list of each of those same categories. Click on them and uncheck the button for any apps you don’t want using it to revoke access. (Gray means it is off, green means it is on.) Location Services has more detailed options, so you can let an app do things such as access your location never, only while using it or ask each time.

You can also delete any app that seems to be taking excessive amounts of data that it does not need, especially if it’s a company you’re not familiar with. That could be a sign that it’s spam.

What’s in the rest of the report?

The three bottom sections are all similar in that they’re telling you what domains — or website addresses — are being accessed from your phone or iPad. They’re also similar to each other in that the information has little context, except a small warning that a domain might be making a profile of your activity if too many sites or apps ping it.

The App Network Activity section shows you what domains individual apps contacted over the past week. Website Network Activity lists domains that webpages you visited contacted, whether you viewed them in Safari or another app. And Most Contacted domains is a list of domains ranked by the number of different sites and apps that contacted them.

What do the lists of domain names mean?

All these sections lead to lists of obscure domain names, so we’ll talk about them together. You might see that one app contacted more domains than another, or that one domain is used by almost all your apps, but when it comes to what’s too many or too shady, there is no easy answer.

“It’s going to be very difficult for users, for the common user, to know which of these connections are necessary and which are not necessary,” Lin said. “There are just so many domains and so much is subjective. What is too many domains?”

Domains will look like normal Web addresses, with dot-com or dot-net at the end, but most don’t actually lead anywhere and a number will show a 404 error. Additionally, because of constant acquisitions and purposefully confusing naming, it’s not always clear who actually owns a domain. (Doubleclick? Gstatic? Those are Google.) Apple is trying to label domains in the report so that the owner will appear clearly below the complicated URL, but so far most lack that clarity.

Many people will notice that Google domains make up many of their most contacted list. That’s because the company has multiple products that are used by apps and websites, from image hosting to ad tracking. Google Analytics is used by companies to find out who is visiting their sites and tracking their activities, and Google’s advertising network is used across the Internet to target ads. Other common names like Facebook and Adobe make regular appearances, along side even more names you’ve likely never heard of.

Look for apps contacting more outside domains than any other, or research commonly contacted domains that seem like they shouldn’t be needed for an app to function.

At a glance, it’s not clear what is an okay domain and what is suspicious. They can be used for a number of different tasks, including the basic functions of a site or app, analytics, advertising and marketing, attribution trackers (so an app knows where a referral came from), or more malicious tracking and data collection. If you’re curious, you can try looking up individual domains you see by doing an online search with the name in quotation marks, or doing a domain name search to see who owns it. If all else fails and you’re still curious, you can try emailing the app maker or website and asking.

That is, after all, the goal of Apple’s report. Pressuring companies to be more transparent about what they collect and, possibly, give users more control.

Help Desk: Making tech work for you

Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.

Take control: Sign up for The Tech Friend newsletter to get straight talk and advice on how to make your tech a force for good.

Tech tips for make your life easier: 10 tips and tricks to customize iOS 16 | 5 tips to make your gadget batteries last longer | How to get back control of a hacked social media account | How to avoid falling for and spreading misinformation online

Data and Privacy: A guide to every privacy setting you should change now. We have gone through the settings for the most popular (and problematic) services to give you recommendations. Google | Amazon | Facebook | Venmo | Apple | Android

Ask a question: Send the Help Desk your personal technology questions.