Is device fingerprinting allowed for fraud detection purposes?

Apple recently announced some features to make device fingerprinting more difficult on their devices. The use of certain APIs that facilitate device fingerprinting will require justification. This technique is frequently used to prevent fraud and abuse in applications. For example, a device used to create and access multiple fake accounts to engage in fraudulent activities should be able to be identified and blocked. In the documentation on 'User privacy and data use', use cases related to fraud detection are not considered 'tracking' and are allowed. However it is not clear wether or not what applies to tracking can also be applied to fingerprinting. According to Apple's policies, is it possible to use device fingerprinting for fraud detection purposes?

Post not yet marked as solved Up vote post of pedh77 Down vote post of pedh77
1.8k views
Posted by
pedh77
Reply
Add a Comment

Replies

is it possible to use device fingerprinting for fraud detection purposes?

The new "reason required" API rules do not include fraud detection as a permitted reason.

I think Apple's advice would be to use identifierForVendor and/or Device Check / App Attest.

For example, a device used to create and access multiple fake accounts to engage in fraudulent activities should be able to be identified and blocked.

If they don't delete and re-install the app between each fake user, you can detect that with identifierForVendor and/or just creating your own random token in the filesystem. If they do delete and re-install the app for each fake user, I think App Attest's Risk Metric may detect that.

Posted by
endecotp
Up vote reply of endecotp Down vote reply of endecotp
Add a Comment

If they do delete and re-install the app for each fake user

DCDevice can detect that. See Accessing and Modifying Per-Device Data.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Follow-up question!

This webpage has a section on "Regulated Financial Services Disclosure": https://developer.apple.com/app-store/app-privacy-details/#regulated-disclosure

I work on a regulated financial app, and we do use some API calls that would be affected by the new Disclosure rules - and these calls are used by us exclusively to assist our fraud-prevention efforts. I believe I can tick all four bullet points in that section.

Will there be a process to apply for exemption? None of the NSPrivacyAccessedAPITypeReasons are correct for our use case, and the nature of our fraud-prevention models requires that some "derived information" is sent off device.

Matthew

Posted by
mkflint
Up vote reply of mkflint Down vote reply of mkflint
Add a Comment