Is device fingerprinting allowed for fraud detection purposes?

Apple recently announced some features to make device fingerprinting more difficult on their devices. The use of certain APIs that facilitate device fingerprinting will require justification. This technique is frequently used to prevent fraud and abuse in applications. For example, a device used to create and access multiple fake accounts to engage in fraudulent activities should be able to be identified and blocked. In the documentation on 'User privacy and data use', use cases related to fraud detection are not considered 'tracking' and are allowed. However, it is not clear whether or not what applies to tracking can also be applied to fingerprinting. According to Apple's policies, is it possible to use device fingerprinting for fraud detection purposes?

is it possible to use device fingerprinting for fraud detection purposes?

The new "reason required" API rules do not include fraud detection as a permitted reason.

I think Apple's advice would be to use identifierForVendor and/or Device Check / App Attest.

For example, a device used to create and access multiple fake accounts to engage in fraudulent activities should be able to be identified and blocked.

If they don't delete and re-install the app between each fake user, you can detect that with identifierForVendor and/or just creating your own random token in the filesystem. If they do delete and re-install the app for each fake user, I think App Attest's Risk Metric may detect that.

If they do delete and re-install the app for each fake user

DCDevice can detect that. See Accessing and Modifying Per-Device Data.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
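
An added example, not part of any post in this thread and not Apple's code: a server-side sketch of how the two per-device DeviceCheck bits mentioned above can flag a device that reinstalls the app between fake sign-ups. The meaning given to bit0 and bit1, the function names and the sample responses are assumptions made for illustration; the JWT-authenticated HTTPS call to Apple is left out so the block runs offline.

```python
import base64
import json
import time
import uuid

# Assumed app policy (not defined by Apple):
#   bit0 = an account has already been created from this device
#   bit1 = this device was blocked for abuse
# The bodies below are POSTed to api.devicecheck.apple.com/v1/query_two_bits
# and /v1/update_two_bits with a bearer JWT (not shown here).

def build_query(device_token: bytes) -> dict:
    """Request body for reading the two bits of the device behind the token."""
    return {
        "device_token": base64.b64encode(device_token).decode("ascii"),
        "transaction_id": str(uuid.uuid4()),      # unique per request
        "timestamp": int(time.time() * 1000),     # milliseconds since epoch
    }

def build_update(device_token: bytes, bit0: bool, bit1: bool) -> dict:
    """Request body for writing the two bits after a sign-up or a block."""
    body = build_query(device_token)
    body.update(bit0=bool(bit0), bit1=bool(bit1))
    return body

def parse_bits(status: int, body_text: str) -> tuple:
    """Return (bit0, bit1) from a query response.

    A device whose bits were never set answers 200 with a plain-text
    message instead of JSON, so any non-JSON 200 body counts as unset.
    """
    if status != 200:
        raise RuntimeError(f"DeviceCheck query failed with HTTP {status}")
    try:
        data = json.loads(body_text)
    except ValueError:
        return (False, False)
    if not isinstance(data, dict):
        return (False, False)
    return (bool(data.get("bit0")), bool(data.get("bit1")))

def signup_decision(bits: tuple) -> str:
    """Map the stored bits to a sign-up outcome under the assumed policy."""
    bit0, bit1 = bits
    if bit1:
        return "block"
    return "review" if bit0 else "allow"
```

After an allowed sign-up the server would send `build_update(token, True, False)`, so a later sign-up from the same device lands in "review" even if the app was deleted and reinstalled in between.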

Follow-up question!

This webpage has a section on "Regulated Financial Services Disclosure": https://developer.apple.com/app-store/app-privacy-details/#regulated-disclosure

I work on a regulated financial app, and we do use some API calls that would be affected by the new Disclosure rules - and these calls are used by us exclusively to assist our fraud-prevention efforts. I believe I can tick all four bullet points in that section.

Will there be a process to apply for exemption? None of the NSPrivacyAccessedAPITypeReasons are correct for our use case, and the nature of our fraud-prevention models requires that some "derived information" is sent off device.

Matthew
