Demystifying iOS Device Fingerprinting with Loupe
Mysk's open-source tool exposes the public APIs that native iOS apps use to quietly track and identify users.
Apple markets iOS heavily as a fortress of privacy, leading consumers to believe their devices are locked down by default. Yet any native app running on an iPhone or iPad can quietly assemble a highly unique device fingerprint without requesting a single user permission. By querying standard, public APIs, third-party apps can identify and track users across the web without ever needing to break out of the sandbox.
To expose this reality, security research firm Mysk released Loupe, a free, open-source iOS and iPadOS application. Loupe is not a real-time spy detector that monitors other apps on your device. Instead, it acts as a diagnostic mirror, querying the same public APIs available to any developer and displaying the raw, unhashed values. For mobile developers, Loupe provides a critical look at the device fingerprinting surface, illustrating how seemingly harmless device configurations can be aggregated into a persistent tracking vector.
The Three Tiers of iOS Data Exposure
Loupe categorizes the data points accessible to iOS applications into three distinct tiers, based on the barriers to entry and the mechanisms required to access them.
1. Passive Signals (Zero Prompts Required)
These are values that any app can read immediately upon launch without triggering an iOS permission dialog. Individually, these details appear mundane, but collectively they provide high-entropy data points for fingerprinting algorithms:
- Locale and Region Settings: Preferred languages, calendar formats, and regional settings.
- Hardware and System State: Screen dimensions, graphics capabilities, storage capacity, and battery level.
- Temporal Data: The current time zone and system uptime.
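The aggregation effect this list describes, shown with a small constructed population. This is an added illustration, not code from Loupe or Mysk: the eight device records and their values are made up, the truncated SHA-256 stands in for whatever hashing an analytics SDK might apply, and the split into "stable" and "volatile" signals is my assumption about which values a tracker could reuse across sessions.

```python
import hashlib
import math
from collections import Counter

# Constructed sample population: eight devices described only by signals an
# app can read with no permission prompt. Every value here is made up.
DEVICES = [
    {"locale": "en_US", "tz": "America/New_York",    "screen": "1179x2556", "storage_gb": 128, "battery": 0.82, "uptime_h": 36},
    {"locale": "en_US", "tz": "America/New_York",    "screen": "1179x2556", "storage_gb": 256, "battery": 0.41, "uptime_h": 2},
    {"locale": "en_US", "tz": "America/Los_Angeles", "screen": "1179x2556", "storage_gb": 128, "battery": 0.97, "uptime_h": 120},
    {"locale": "en_US", "tz": "America/New_York",    "screen": "1290x2796", "storage_gb": 128, "battery": 0.55, "uptime_h": 9},
    {"locale": "de_DE", "tz": "Europe/Berlin",       "screen": "1179x2556", "storage_gb": 128, "battery": 0.12, "uptime_h": 300},
    {"locale": "de_DE", "tz": "Europe/Berlin",       "screen": "1290x2796", "storage_gb": 256, "battery": 0.66, "uptime_h": 48},
    {"locale": "en_GB", "tz": "Europe/London",       "screen": "1179x2556", "storage_gb": 128, "battery": 0.30, "uptime_h": 15},
    {"locale": "en_US", "tz": "America/New_York",    "screen": "1179x2556", "storage_gb": 128, "battery": 0.88, "uptime_h": 72},
]

# Assumption: signals that stay constant across launches are the ones a tracker
# can reuse; battery and uptime drift, so an SDK would bucket or ignore them.
STABLE_SIGNALS = ("locale", "tz", "screen", "storage_gb")
VOLATILE_SIGNALS = ("battery", "uptime_h")


def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def fingerprint(device, signals=STABLE_SIGNALS):
    """Collapse the chosen signals into one opaque identifier (illustrative hashing)."""
    material = "|".join(f"{key}={device[key]}" for key in signals)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def distinct_count(devices, signals):
    """How many different fingerprints the population yields for these signals."""
    return len({fingerprint(d, signals) for d in devices})


def per_signal_entropy(devices, signals=STABLE_SIGNALS):
    """Entropy contributed by each signal on its own."""
    return {s: entropy_bits([d[s] for d in devices]) for s in signals}


def combined_entropy(devices, signals=STABLE_SIGNALS):
    """Entropy of the combined fingerprint; individually dull values add up."""
    return entropy_bits([fingerprint(d, signals) for d in devices])


def unique_fraction(devices, signals=STABLE_SIGNALS):
    """Share of devices whose fingerprint matches no other device in the population."""
    counts = Counter(fingerprint(d, signals) for d in devices)
    return sum(1 for d in devices if counts[fingerprint(d, signals)] == 1) / len(devices)


if __name__ == "__main__":
    for s, bits in per_signal_entropy(DEVICES).items():
        print(f"{s:<11} {bits:.2f} bits, {distinct_count(DEVICES, (s,))} distinct values")
    print(f"combined    {combined_entropy(DEVICES):.2f} bits, "
          f"{distinct_count(DEVICES, STABLE_SIGNALS)} distinct fingerprints")
    print(f"devices singled out by stable signals alone: {unique_fraction(DEVICES):.0%}")
    print(f"with volatile signals added: {distinct_count(DEVICES, STABLE_SIGNALS + VOLATILE_SIGNALS)} "
          f"distinct, but those values change between sessions")
```

No single stable signal separates more than four of the eight sample devices, yet the combination separates seven and singles out three quarters of them. Adding battery level and uptime makes every device distinct, but those values do not survive to the next session, which is why a tracker cares about the stable set and why Loupe's raw, unhashed view of it matters.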
2. Explicit Permissions
This tier covers data protected by standard iOS system prompts. While Apple's permission model successfully gates direct access to these data silos, Loupe highlights how apps can still extract side-channel metadata. For example, version 1.0.1 of the app changed its photo handling so that it explicitly asks for permission before looking up place names for photo locations, illustrating how location metadata can leak through media access.
3. Advanced Side-Channels
This tier represents the most concerning vector for developers and privacy advocates. It utilizes clever, non-obvious implementations of public APIs to extract identifying information:
- URL-Scheme Probing: By calling canOpenURL(_:), an app can test a list of custom URL schemes to determine which popular third-party apps (such as Steam) are installed on the device.
- Accessory Metadata: Reading the name of a paired Bluetooth or external accessory, which frequently contains the user's actual name (e.g., "John's AirPods").
- Lifecycle Timestamps: Querying the exact second the device was first set up or last erased.
- Keychain Persistence: Writing an identifier to the iOS Keychain that survives app deletion and reinstall, effectively acting as a permanent cookie.
The Developer's Dilemma: Fingerprinting vs. Utility
For software engineers, the APIs exposed by Loupe present a difficult architectural and ethical challenge. Most of these public APIs were not designed for tracking; they exist to support core application features. A developer needs to know screen dimensions to render a responsive UI, locale settings to format currencies, and battery status to pause resource-intensive background tasks.
However, when these signals are combined, they form a highly unique fingerprint. If an app transmits these raw values to a third-party analytics SDK or a mobile measurement partner (MMP), the user's anonymity is effectively compromised.
Apple has attempted to mitigate this by introducing privacy manifests, requiring developers to declare their reasons for using specific "declared-API" categories (such as system boot time or disk space APIs). Yet, as Loupe demonstrates, the surface area remains vast. Developers must actively audit their dependency trees. A closed-source advertising or analytics SDK integrated into your app could easily be querying these passive APIs and exfiltrating fingerprinting data without your explicit knowledge, potentially putting your app in violation of App Store guidelines.
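One place to start the dependency audit this paragraph calls for is the pair of plists that ship with every app and SDK bundle: Info.plist, whose LSApplicationQueriesSchemes array must list every scheme the app may pass to canOpenURL(_:), and PrivacyInfo.xcprivacy, where the declared-API categories and their reason codes live. This is an added example, not Loupe's or Mysk's code: both plist documents are constructed samples, the bundle identifier, tracking domain and scheme list are made up, and the set of categories treated as fingerprint-relevant and the scheme-count threshold are my assumptions.

```python
import plistlib

# Constructed sample Info.plist: the app declares a long list of third-party
# URL schemes so that canOpenURL(_:) may be called on them. Names are made up.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sampleapp</string>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>steam</string>   <string>fb</string>       <string>twitter</string>
    <string>instagram</string> <string>spotify</string> <string>whatsapp</string>
    <string>tg</string>      <string>snapchat</string> <string>tiktok</string>
    <string>uber</string>    <string>venmo</string>    <string>paypal</string>
  </array>
</dict>
</plist>
"""

# Constructed sample PrivacyInfo.xcprivacy for a bundled analytics SDK. The key
# and category names are Apple's privacy-manifest vocabulary; the domain and
# reason codes are sample values for illustration.
PRIVACY_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key>
  <true/>
  <key>NSPrivacyTrackingDomains</key>
  <array><string>metrics.example-sdk.invalid</string></array>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>35F9.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumption: declared-API categories whose values double as fingerprint signals.
FINGERPRINT_CATEGORIES = {
    "NSPrivacyAccessedAPICategorySystemBootTime": "system boot time / uptime",
    "NSPrivacyAccessedAPICategoryDiskSpace": "storage capacity",
    "NSPrivacyAccessedAPICategoryFileTimestamp": "file timestamps",
    "NSPrivacyAccessedAPICategoryActiveKeyboards": "installed keyboards",
}


def declared_query_schemes(info_plist: bytes) -> list:
    """Return the URL schemes an Info.plist allows canOpenURL(_:) to query."""
    return list(plistlib.loads(info_plist).get("LSApplicationQueriesSchemes", []))


def audit_privacy_manifest(manifest: bytes) -> dict:
    """Summarise tracking flags and fingerprint-relevant declared-API entries."""
    data = plistlib.loads(manifest)
    report = {
        "tracking": bool(data.get("NSPrivacyTracking", False)),
        "tracking_domains": list(data.get("NSPrivacyTrackingDomains", [])),
        "fingerprint_apis": {},   # category -> declared reason codes
        "missing_reasons": [],    # categories declared with no reason at all
    }
    for entry in data.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType", "")
        reasons = list(entry.get("NSPrivacyAccessedAPITypeReasons", []))
        if category in FINGERPRINT_CATEGORIES:
            report["fingerprint_apis"][category] = reasons
        if not reasons:
            report["missing_reasons"].append(category)
    return report


def audit_bundle(info_plist: bytes, manifest: bytes, scheme_threshold: int = 10) -> list:
    """Human-readable findings for one app or SDK bundle; threshold is an assumption."""
    findings = []
    schemes = declared_query_schemes(info_plist)
    if len(schemes) >= scheme_threshold:
        findings.append(f"LSApplicationQueriesSchemes lists {len(schemes)} schemes "
                        f"(threshold {scheme_threshold}): consistent with installed-app "
                        f"probing via canOpenURL(_:)")
    report = audit_privacy_manifest(manifest)
    if report["tracking"]:
        findings.append("NSPrivacyTracking is true; tracking domains: "
                        + ", ".join(report["tracking_domains"]))
    for category, reasons in report["fingerprint_apis"].items():
        findings.append(f"{category} ({FINGERPRINT_CATEGORIES[category]}) "
                        f"declared with reasons {reasons or 'NONE'}")
    for category in report["missing_reasons"]:
        findings.append(f"{category} has no NSPrivacyAccessedAPITypeReasons entry")
    return findings


if __name__ == "__main__":
    for line in audit_bundle(INFO_PLIST, PRIVACY_MANIFEST):
        print("-", line)
```

Run it against the Info.plist of your own build and against the PrivacyInfo.xcprivacy inside each third-party xcframework you link. Because canOpenURL(_:) returns false for any scheme not declared in LSApplicationQueriesSchemes, that array bounds what an app can probe, so a long list in a dependency is worth a question to the vendor; a declared boot-time or disk-space category with no reason code is something App Store review will also flag.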
Under the Hood: Building and Auditing Loupe
Loupe is written almost entirely in Swift (98.7%), with a small amount of Ruby (1.3%) used for automation. Interestingly, the Mysk team notes that the application was built almost entirely using AI coding tools.
For developers interested in auditing how these APIs are called, the source code is available under the MIT License (though the Loupe name, logo, and design assets remain copyrighted).
To build and run the project locally, you will need Xcode 26 or newer. The project leverages Xcode's buildable folders (folder references), meaning any new Swift files added to the directory structure are automatically resolved without manual project file modifications.
To compile the app on your own machine or run it on a physical device, follow these steps:
- Clone the repository and navigate to the root directory.
- Copy the local configuration template:
cp code/Config/Signing.local.xcconfig.example code/Config/Signing.local.xcconfig
- Open code/Config/Signing.local.xcconfig and populate it with your Apple Developer Team ID and custom bundle identifiers:
DEVELOPMENT_TEAM = YOUR_TEAM_ID
PRODUCT_BUNDLE_IDENTIFIER = com.yourdomain.loupe
- Open code/Loupe.xcodeproj in Xcode, select your target device, and build.
Because the Signing.local.xcconfig file is explicitly gitignored, you can safely manage your local signing credentials without risk of committing them to a public fork.
The Verdict: A Necessary Diagnostic Tool
Loupe is a highly functional utility that shifts the mobile privacy conversation from abstract policy debates to concrete API audits. It proves that "privacy by design" cannot rely solely on operating system constraints.
For iOS developers, Loupe should not merely be viewed as a consumer novelty. It is a valuable diagnostic tool to run alongside your development builds. By understanding exactly what your app—and its third-party dependencies—can see, you can make informed decisions about data minimization, replace invasive SDKs, and ensure your software respects the boundaries your users expect.
Sources & further reading
- Loupe – A iOS app that raises awareness about what native apps can see — github.com
- Loupe: What Apps Can See App - App Store — apps.apple.com
- Loupe – iOS Privacy Transparency App | Makeroom — makeroom.club
- Ever wonder what data your iPhone apps are harvesting? This app exposes it all in detail - Digital Trends — digitaltrends.com
Ji-ho covers the increasingly tangled overlap between cloud architecture and security, drawing on a background as a penetration tester to keep his reporting grounded in real-world attack paths. He never lets a vendor claim go unquestioned and insists that every buzzword come with a proof of concept.
Discussion (3 comments)
Are developers using these tactics to track users or is this just FUD?
@marcpope, I think it's a bit of both. We've seen similar fingerprinting tactics used in the '90s with browser cookies and JavaScript, so it's not entirely new, but the fact that it's still happening on iOS devices is definitely a concern, and Loupe is a great tool for shedding some light on this.
@greybeard_unix, exactly. The persistence of these tactics is what's alarming.