Part of the ongoing Big Tech's War on Users series.
We all know the basic deal by now. Meta wants your data to sell ads. Google wants your data to sell ads. A dozen other companies you've never heard of want your data to sell to the people selling ads. And we know Apple tried to draw a line with App Tracking Transparency — the prompt that asks whether an app is allowed to track you across other apps and websites. It matters. It caused genuine chaos for the mobile ad industry when it launched. Meta's own CFO estimated ATT would cost the company around $10 billion in ad revenue in 2022 — which is at least somewhat satisfying.
And then we watched the workarounds appear. The most infamous was the Meta Pixel — a tracking script embedded on third-party websites that operated at the browser level, completely outside ATT's scope. Because ATT governs app-to-app tracking, not what happens when you open a web browser. The Markup found it running on 33 of the top 100 hospitals in the country — collecting patients' appointment details, prescriptions, health conditions, and sending them to Meta. Inside password-protected patient portals. While people thought they were safely on a medical website. Hospitals, of all places.
That's the gap that keeps getting found. The thing you thought was covered that quietly isn't.
A project called Loupe, from the team at Mysk Research, is a pretty blunt illustration of how wide that gap actually is on the device itself. It's a free, open-source iOS app that reads values from public iOS APIs — the same APIs any third-party app you install can call — and shows them to you raw. No special access. No exploits. Nothing that shouldn't be there. Just what's sitting there, available, waiting.
What Loupe shows you is organized into three tiers.
The first tier is passive signals — data any app can read without asking you for anything, ever. Your locale. Your timezone. Your screen dimensions. Battery level. Device model type. Supported audio formats. Keyboard layouts. None of those feel sensitive in isolation. They're not. But that's kind of the point, and I'll come back to it.
The second tier is permission-gated signals — things that require iOS to prompt you first. Contacts, photos, location, calendar. You've seen those prompts. You've probably gotten reasonably good at reading them. This is the tier ATT lives in. The tier you've been trained to manage.
The third tier is where it gets genuinely unsettling. Loupe calls these advanced signals — not exploits, not bugs, not anything Apple could call a breach. Just public APIs used sideways in ways nobody bothered to close off.
Take canOpenURL. It's a legitimate API. It exists so an app can check whether another app is installed before trying to hand off to it — useful if you want to offer "Open in Spotify" only when Spotify is actually on the device. Totally reasonable feature. Someone noticed, though, that if you methodically probe a long list of known app URL schemes, you can build a map of what's installed on this device without ever asking for permission. Your banking apps. Your health apps. Your dating apps. Your political news apps. The crypto wallet you downloaded once. The therapy platform you use. All of it, inferred from a feature Apple built to make app handoffs smoother. Apple did cap it at 50 schemes per app back in iOS 9 — you have to declare which ones you intend to probe. But 50 is a lot of questions. And the list of apps on someone's phone turns out to be a surprisingly detailed portrait of who they are.
The Keychain one is worse. The iOS Keychain is designed to store credentials securely — passwords, tokens, that sort of thing — and by default, those items persist even when you delete the app that stored them. An app that wants to track your device can store a unique identifier in the Keychain on first launch. You delete the app six months later because you're cleaning up your home screen. You reinstall it. The identifier is still there. The app already knows who you are before you've done a single thing. You didn't grant a permission. You didn't tap "allow." You thought uninstalling was starting fresh. It wasn't. There's no simple "delete on uninstall" flag an app can set — persistence is just the default behavior of the system, and it works in the tracker's favor without anyone having to do anything unusual.
That's the part worth sitting with. This isn't someone breaking the rules. This is someone reading the rules carefully and noticing what they don't say.
What Loupe's Highlights view does is pull back from the individual signals and show you the assembled picture — and that's where this stops being a technical curiosity and starts being a little hard to look away from.
The EFF's Cover Your Tracks project has been demonstrating this for browsers for years: you don't need any single unique identifier to track someone. You just need enough ordinary ones stacked together. Browser fingerprint research has consistently found that over 80% of browsers carry a fingerprint unique enough to track without any cookies at all — just from the combination of fonts, screen resolution, timezone, installed plugins, and rendering behavior. Nothing that should be identifying on its own. Identifying together.
On a phone it's more concentrated. Device model plus exact OS version. Screen scale factor, which varies by generation. Timezone and locale combination. Battery capacity, which drifts as the battery ages and is at least somewhat specific to your unit. The specific pattern of which apps responded to URL scheme probes. A Keychain identifier if one was planted. None of those is your name. None of them is your email address. None of them individually tells anyone anything useful. Together, they are functionally a unique ID for your device — one that doesn't expire, doesn't get blocked by ATT, doesn't get cleared when you wipe your cookies, and doesn't go away when you delete the app. It's not a real ID in the sense Apple assigns one. It behaves like one in every way that matters to someone building a tracking profile.
That's what the Highlights view shows you. Your phone, rendering its own fingerprint in real time.
Now here's the part I want to be clear about, because this isn't an Apple post. I've written about Apple's privacy promises and where they hold up and where they don't and will probably write about it again. But Loupe isn't exposing an Apple-specific failure. It's exposing a fingerprinting ecosystem that exists on every platform — and on Android, without deliberate hardening, it's arguably worse.
Android's hardware fragmentation is actually a fingerprinting gift. Because there are so many manufacturers, screen sizes, chipsets, and OEM software layers, the combination of device properties that passive APIs expose tends to be far more unique per device than on iOS, where Apple controls the hardware stack. Google has its own advertising ID system — the Google Advertising ID — which historically wasn't gated behind any meaningful consent prompt until recent Android versions started pushing things in the right direction. Google Play Services itself is baked into the OS at a level that's difficult to characterize as anything other than a data collection layer with a phone attached. And many OEM Android builds — Samsung, and most others — add their own telemetry on top of whatever Google is already collecting. If you pick up a stock Android device and just use it, you're not getting less of this. You're probably getting more.
The difference is marketing. Apple built a brand on "Privacy. That's iPhone." and trained a generation of users to believe the problem is mostly managed. It's a good billboard. It's not a complete picture, as Loupe makes visible in about thirty seconds.
This is fundamentally an ad-tech ecosystem problem. The industry built an infrastructure that runs on device intelligence, baked it into both platforms, and both platforms have varying and inconsistent levels of interest in actually closing it off — because both platforms benefit from it in different ways. Apple uses privacy as a competitive differentiator and a stick to hit competitors with, but it still runs an advertising business. Google's entire model depends on it. Meta spent years building workarounds for the cases where it couldn't get direct access. The ecosystem is the product.
Loupe just holds up a mirror. The useful thing about a mirror is it doesn't care which platform you prefer.
If you want to actually poke at this yourself, Loupe is free on the App Store and the source is on GitHub if you want to see exactly what it's reading and how. Worth an hour. Seeing the raw values on your own device hits differently than reading a list of them.