iOS stores application data after deletion and does not allow it to be erased

Apple does a lot to keep its users safe, periodically introducing new security mechanisms in iOS even when they run against the market's idea of how business should be done. The company has simply built a model of interaction with the customer in which it barely depends on their data and, unlike others, can easily do without it. However, collecting and processing user data is not always about surveillance. True, when Apple begins to collect at least some information about us, we immediately meet it with hostility. Take, for example, the situation with automatic login to applications.

iOS 14 has a feature that automatically authenticates apps on reinstallation. True, Apple has not officially announced it.

Reddit user blackmolecule found that iOS retains app data even after the app is deleted. Moreover, these are not cache files but authorization data, which lets the device automatically log in to the app's previously created account if the app is reinstalled.

The application itself enters the account

Apps log in to your account regardless of whether the password is stored in Keychain or not

According to blackmolecule, he discovered this iOS feature while reinstalling the 9gag app. The user downloaded the application to his device again after uninstalling and, opening it, found that it had automatically logged into his account without first asking for a password.

Obviously, this kind of data is stored somewhere in long-term memory, since only a full reset of the device to factory settings can get rid of it. Cookies work in a similar way in the browser, but here it goes much further, because the application remembers you and your device and keeps remembering even after it is deleted. But I could not write about it without making sure that all this is true.

To test blackmolecule's words, I tried uninstalling several apps and reinstalling them. I wanted to make sure what he was talking about was true. I uninstalled the Twitter, Googds, More.tv, 1.1.1.1 and Instagram apps; however, none of them were able to auto-authenticate after reinstalling.

iOS security issues

Apple clearly needs to do something about it – in the interests of the users themselves.

Therefore, I specifically downloaded 9GAG, logged in, and then deleted it, not counting on anything. But imagine my surprise when, after reinstalling, the application automatically entered the account I had logged in to the first time.

It turns out that there really are such applications that can save a kind of super-cookies on the device, by which they recognize it and are automatically authorized. This is a really serious security flaw for several reasons:

  • We do not know for sure where this data is stored and cannot delete it;
  • If the application recognizes the device on its own, it is likely that it can pass authorization data somewhere else;
  • If we sell a device without resetting it to factory settings, the new owner will be able to get into our account;
  • Thus, it is very convenient to track devices for any purpose, not necessarily advertising;
  • Automatic authorization regardless of the user’s will is, in principle, a rather dubious story.

Another thing is that all this is not a bug, but a kind of feature. Apple does not give developers the ability to interact with the device's unique identifier, but it had to give them some way to identify users. This may be needed in a wide variety of scenarios, the simplest being to identify those who have already installed the application in case they try to get the install bonus again. Therefore, even if you change your phone number, mail and bank card, the applications recognize you and do not allow you to apply a discount or other promotion for new regions.

Obviously, the company simply did not foresee that developers would use this mechanism differently than originally intended. As a result, because of the wrong actions of app creators who interact with the Keychain incorrectly, we have what we have, and we and our data are put at risk. Therefore, I think it is fair to demand that Apple implement special mechanisms in iOS that allow these "super-cookies" to be detected and deleted and automatic authorization to be prohibited.
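The developer-side counterpart to the Keychain behaviour described above, as an added example that is not from the original article or from any app it names: on the first launch after installation, the app wipes keychain items left behind by a previous install before it restores any session. The `hasLaunchedSinceInstall` key and both function names are hypothetical; the check relies on the app's UserDefaults being removed on uninstall while its keychain items are not.

```swift
import Foundation
import Security

/// Deletes every keychain item this app can reach, one item class at a time.
/// Returns the classes for which SecItemDelete reported a real failure.
func wipeAppKeychainItems() -> [CFString] {
    let classes: [CFString] = [
        kSecClassGenericPassword, kSecClassInternetPassword,
        kSecClassCertificate, kSecClassKey, kSecClassIdentity,
    ]
    var failed: [CFString] = []
    for itemClass in classes {
        let query: [CFString: Any] = [
            kSecClass: itemClass,
            // Match both local and iCloud-synchronized items.
            kSecAttrSynchronizable: kSecAttrSynchronizableAny,
        ]
        let status = SecItemDelete(query as CFDictionary)
        // errSecItemNotFound only means nothing was stored for this class.
        if status != errSecSuccess && status != errSecItemNotFound {
            failed.append(itemClass)
        }
    }
    return failed
}

/// Call first thing in application(_:didFinishLaunchingWithOptions:),
/// before any code reads tokens from the keychain.
/// Returns true when this launch was treated as a fresh install.
func clearStaleCredentialsOnFreshInstall(defaults: UserDefaults = .standard) -> Bool {
    let marker = "hasLaunchedSinceInstall" // hypothetical key name
    // UserDefaults lives in the app container and disappears on uninstall,
    // so a missing marker means this is the first launch of this install.
    guard !defaults.bool(forKey: marker) else { return false }

    let failed = wipeAppKeychainItems()
    // Set the marker only after a clean wipe so a failure is retried next launch.
    if failed.isEmpty {
        defaults.set(true, forKey: marker)
    }
    return true
}
```

Existing users are signed out once when an update first ships this check, because the marker is absent for them too; apps that share a keychain access group with sibling apps should scope the queries with `kSecAttrAccessGroup` instead of wiping everything.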


Source: AppleInsider.ru (the largest site about iPhone, iPad and Mac in Russia), appleinsider.ru.
