-1

I am new to mobile development. I'm designing the architecture of an application that has to support sharing users' geolocation data with other users, who use that data for tracking. However, I would like to give users firm assurances about what they share and with whom, and full control over their data. I found it very useful to use the data collected by Apple and shared in the App Privacy Report as an independent source of reliable information to keep users informed about the data my app collects. However, I didn't find in the documentation a way to integrate that data into my app. Did I miss something?

Thank you so much for your replies!

Tommy Lee
  • Despite leaving an answer, I'm voting to close this. This belongs on the software engineering stack exchange, not here. – Gabe Sechan May 16 '22 at 22:42
  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community May 17 '22 at 05:27
  • I found the feature that Apple introduced last autumn - App privacy report. All in all it's what I'm looking for. – Tommy Lee May 22 '22 at 21:35

1 Answer

0

I think it's rather pointless. As a user, I use your app. Your app has my location data. At that point, I either trust you or I don't. If I trust you, this is overly complicating things with no gain. If I don't, as a user this means nothing to me- there's nothing to stop you from uploading it to your server anyway. Not to mention that the average user is just not technically competent enough for this to mean anything anyway.

And on a technical level- it's garbage anyway. For the data to be shared, you either need a direct IP level connection (impossible on cell, everything is NATed to death) or you need a server to communicate the data to the opposite end. Which means my data is still going through your server. So once again- I either trust you, or I don't.

The problem is you're trying to solve a social issue (trust and the existence of bad actors) with a technical solution and that rarely works. It makes good actors jump through hoops and overly complicate stuff, and bad actors will ignore or work around this anyway (it would be trivial to do this to claim you did it, then just send the data to your server in a separate call).

Gabe Sechan
  • With CloudKit you as a developer don't have access to the user's private data at all. The app can have access to your locations but it doesn't mean that I can see them, save etc. – Tommy Lee May 17 '22 at 01:57
  • You're an app on the user's phone. You can just call the GPS subsystem and get the location. You can then send it anywhere. It doesn't matter what technology you claim you're using, you can always 1) Be lying and 2) Also be using something else. I either trust you or I don't. It's not a problem that can be solved by technical means, because you can always work around the restrictions your own code is putting on you – Gabe Sechan May 17 '22 at 02:11
  • So the point is that if the user granted the app access to his locations then the developer can retrieve that data even without letting the user know about it. And the user can barely discover that since he doesn't see the source code. Is that what you are saying? – Tommy Lee May 17 '22 at 02:44
  • Yes. And the average user wouldn't be able to tell even with source code, unless they have the skill level and time to fully audit it. And even then- it depends on the server as well, and being sure the server does what you say it does, so you'd need the server code, as well as a way to assure the server code is the version you say it is (you'd need that for the client as well, but I'm assuming you're about to say open source that would fix that if they built from source). – Gabe Sechan May 17 '22 at 02:57
  • Basically- if I give you internet permission and location permission, as a user, I have to assume that my data is being stored, because it's impossible to be sure it isn't. I have to be ok with that, or not use the app. – Gabe Sechan May 17 '22 at 02:58
  • No, it's sometimes possible to solve a trust problem with technical means. Blockchain is an example. As for the question I have, I found that Apple actually has a feature named App Privacy Report. It provides exactly the data I would like to let my users know. – Tommy Lee May 22 '22 at 21:39
  • @TommyLee No, it isn't. And blockchain isn't an example that helps your argument, as cryptocurrency is a giant scam. No report from Apple is going to fix the problem that in the end I have no proof you aren't sending it through a side channel. It also requires me to trust Apple, which... I don't. Short of auditing the code as it was built for each version, that's impossible to prove. (Please note this isn't a personal attack, this is generic for any random app. If I give an app my location data, I assume it's compromised. Anything else is an idiotic mistake on the user's part). – Gabe Sechan May 23 '22 at 03:58
  • @TommyLee That isn't to say don't use CloudKit if it's a good solution for what you need. I have no opinion on the technology and don't know enough about your use cases to opine there. But your use of it does not, cannot, and will not prove that you aren't accessing my data. It provides no benefit there any more than you saying "I promise I won't" does. – Gabe Sechan May 23 '22 at 04:06