A week or so ago, Apple announced a bunch of features for the App Store on iOS, including personalised recommendations based on your activity and usage of iOS. It turns out this includes a keylogger (taplogger?) in the App Store, which records every single tap you make, every single letter you enter, and a lot of other information. All of this information is unencrypted and sent to Apple.
Now Apple is putting the extensive identifiable analytics they collect in the App Store in action. They record every tap and there’s no way to turn it off.
They can even calculate your typing speed.
↫ Michael Tsai, quoting Mysk
The provided screenshots of the data collected are terrifying, especially because the data is unencrypted, sent to Apple, and fully tied to your user account. Apple clearly wants a slice of that big, juicy advertising pie, and they, too, are discovering that the easiest and best way to serve targeted ads is to collect as much data as they can about you. Of course, this is something the entire internet (but not OSNews!) and several megacorporations are built on by now, but Apple has been incredibly sanctimonious about how it supposedly actually cares about user privacy, making this keylogger yet another case of Apple’s hypocrisy on full display.
Of course, if you care about privacy, you’re entirely free to download your iOS applications from somewhere other than the App Store and install them yours…
Oh, wait.

I suppose this vindicates my decision to use my hand-me-down SIMless iPhone (i.e. eReader, Camera, portable media player, and Mobile Safari testing tool) with the stock apps rather than giving them personal information to create an iCloud account to gain access to the App Store.
(Probably also helps that I’ve kept it permanently in Airplane mode since an update to iOS… 15, I think it was, removed the ability to turn off AMBER alerts for SIMless phones… unintended consequences of “Ontario, Canada sends out all AMBER alerts province-wide, despite the province being half the size of Europe, even if it’s the middle of the night.”)
The article itself lacks evidence. As much as I dislike twitter being a primary source, people use it that way and this is where the evidence was given…
https://x.com/mysk_co/status/2064401062224879888
I’m not sure I’d call this a “keylogger” per say. It’s what happens with UIs that update results as you type. Apple sending it in the clear is weird, incompetent even. They will likely issue a fix that encrypts the traffic, but the data is still going to be sent to apple. Microsoft and google do the same thing, albeit encrypted. Go to google.com or youtube.com and every key initiates an HTTP request. Likewise the windows start menu does it too.
I for one don’t like this and prefer to hit enter when I am ready….but the reality is this so called “key logging” is now common practice with a lot of modern software.
Are there any online resrouces that prove that Apple are collecting unencrypted key stroke data in the ios appstore or this just an assumption? as it seems a rather potentially damaging and naive thing for Apple to do.
I am sure apple will spin it as a privacy feature
I just did some basic level anaylsis using a blend of pihole and apple’s own ‘App Privacy Report’ and when typing into the search field in the appstore on an ipad Air 4 running ios 26.5, the store reaches out to Apple via dns : ‘amp-api-search-edge.apps.apple.com’ which has SSL / HTTPS encryption.
Of course the appstore might be connecting to some other resource to upload keylog data but i personally didnt see this, maybe someone can add a packet capture via wireshark to show the tcp header containing the unencrypted text.
Garakei,
As far as I can tell the source is a twitter post (ugh). I posted another comment with the link but my comment is sitting in moderation status. The twitter post doesn’t provide much context at all but it does have a screen shot that allegedly shows the cleartext data being transmitted to apple.
You really need an inline trace to be sure. Maybe someone will get around to publishing a better analysis 🙂
Yes I later on saw the ‘analysis’ on the twitter post as well, but it looks more like a local file (on iphone or ipad) than one generated post transmission over a network, There are apparently two API calls (REST?) made by the Appstore app when typing and then submitting the search to apple over the internet, these are:
To get applications update: amp-api-edge.apps.apple.com
To be able to search applications: amp-api-search-edge.apps.apple.com
Both have SSL encryption, I’ll have to take the ‘plain text’ transmission with a pinch of salt until some clearer analysis is made public.
I think you read more into it than was written. Thom’s words were:
Nowhere in there does it say the data is sent to Apple unencrypted. Instead, it says the data is stored unencrypted, then sent to Apple. I don’t know what the technical details are, nor do I care since I don’t own any iOS devices, but one could argue that since the data is store unencrypted and the user can view it, then any malicious application could also get access to this data.
Additionally, if the data is sent as-is through an SSL tunnel, then a man-in-the-middle attack is possible since it’s just being sent as plain text. But even without this, it’s pretty sketchy to log every single key-stroke in a CSV-like file in a file that anyone can access.
The original post is just saying something along the lines, “hey look, this looks shady as hell.”
teco.sb
I confess I read it the same way that Garakei did. Thom isn’t really the source here. It comes directly from the article, which says this with no additional context.
The original twitter source doesn’t say anything about accounts or encryption at all. It never says the information is stored locally unencrypted nor does it say the information is transmitted unencrypted. I get the feeling the article’s author may have invented the claim without a source. Ultimately the information is so terse and lacking context that I think it deserves to loose credibility points until such time that more information is provided.
Even with poor evidence though, it seems plausible to me that apple’s app store is sending information to apple with every key. It may seem creepy, but that’s how interactive searching works. I think google’s app store does the same. TBH I’m more creeped out when windows does it because unlike an apple app store search that obviously goes to apple, Microsoft deliberately designed the start menu to transmit people’s local application and document searches to microsoft! This violates one’s natural expectation of privacy and I bet many users don’t realize that local searches on their windows computers are tattling to microsoft.
So I see the issue now as that the appstore search results are written to a file, presumably in plain text locally on the ios device where any other app could read the contents due to the file not being sandboxed in any way and make use of if it for some nefarious deed.
Seems like a legit security concern.
Thom Holwerda,
Do you ever look into what WP plugin is responsible for requiring us to click on a link at sendibt3.com when we log into osnews? I don’t know if you see this as an admin? But as a user I see it each time I login. IMHO this is not technically justified and the only reason for a WP plugin to be sending us to a third party domain is for that party to track us. Otherwise the 2fa link would send us directly back to osnews.com without involving a 3rd party website.
FWIW I don’t see this when I log in, I just get the normal WP login page and it redirects back to the page I logged in from (in this case, this discussion). I don’t have 2FA on my WordPress account though (and I probably should enable that), so it may be something on WordPress’ end that is sending you there.
The gist is something like “The more privacy/anti-tracking extensions you’ve got, the higher the odds each dice-roll at login will land the WordPress plugin on “Shady. Requires an additional e-mail verification step”, whether or not you’re using 2FA”.
(Which is annoying even without the version bump from a year or so ago when U2F/WebAuthn stopped working for browsers which don’t know what to do when handed one of those internal URLs exposed by Google Chrome/Chromium extensions.)
Morgan,
Yeah, that’s the way it used to be for me too but now it’s nearly 100% of the time I’m asked for additional verification. I routinely clear cookies though, so this might have an adverse effect on the heuristic being used.
ssokolow (Hey, OSNews, U2F/WebAuthn is broken on Firefox!),
That’s an interesting point. I’m not sure to what extent my blockers in FF are increasing the likelihood of additional login checks. Maybe I’ll see if disabling them has any impact.
Morgan,
Screen shots might help illustrate what I’m talking about…
After attempting a login, I get blocked with the following message.
https://postimg.cc/MMFC1SWS
Then I get the following email from sender-sib.com….
https://postimg.cc/KKqGpCZp
This email contains a 1X1 tracking pixel from sendibt3.com.
I am required to click a link at sendibt3.com with encrypted data that I cannot decipher. This link redirects to the osnews login form and requires login be performed a second time with the same creds. This time the login succeeds, but goes to account profile page and not the page on which the login was initiated.
None of this is part of the standard wordpress login, so obviously there’s a wordpress plugin responsible for the heuristics and sending users to 3rd party domains. I suspect those domains probably have some tracking purpose, otherwise the login could & should be completed on osnews.com exclusively with no other 3rd party domains involved.
Google Tag Manager and Cloudflare Insights are both blocked by ublock origin for me.
This should be fixed now. Turns out the SMTP server we were using to send out 2FA emails was from that shit-ass company. We’re using a different one now.