About TrackerControl for iOS

This service analyses iOS applications in order to list the embedded trackers and permissions. A tracker is a piece of software that collects data about you or your app usage behaviour.

This project was motivated by Exodus Privacy, which is a similar project for Android apps. Some of the underlying code, as well as the design of this website, is based on Exodus Privacy.

The underlying analysis technique for iOS apps was developed in the PhD research of Konrad Kollnig at the Department of Computer Science of the University of Oxford. This research was published in a range of academic papers and is available at PlatformControl.org. This research was, in turn, based on previous work by the Oxford research group led by Sir Nigel Shadbolt and led to TrackerControl for Android.

A key aim of this research and this tool is to enable anyone to analyse privacy in iOS apps without relying on jailbreaks or the circumvention of copyright protections. These were issues that held back iOS research in the past.

Unfortunately, Apple currently encrypts every app downloaded from the App Store with its FairPlay DRM. The circumvention of this DRM might be illegal in some jurisdictions and is thus not done by this tool. Analysing apps without circumventing this DRM is one of the key innovations behind this work, and was published in the highly renowned and selective Proceedings on Privacy Enhancing Technologies in 2022.

This website operates a fair use policy and restricts disproportionate access. Scraping is not permitted.

We never collect personal data. It's yours. This website is operated by Konrad Kollnig, Assistant Professor at Maastricht University.

About Jurisdiction Analysis

This tool also analyses the jurisdictional geography of third-party tracking: which countries control the tracking infrastructure in each app, and what that means for data sovereignty.

What this measures: Which companies control the tracking infrastructure in your apps, and what jurisdiction those companies fall under.

Why it matters: Even if data is processed in compliance with GDPR, US-based companies are subject to the CLOUD Act, which allows US authorities to compel disclosure regardless of where data is stored. The Schrems II ruling invalidated the EU-US Privacy Shield for this reason.

What "US-only" means: Every identified tracker in the app is controlled by a US-headquartered company. This doesn't mean the data is stored in the US — it means the company could be compelled to hand it over under US law.

What "European-only" means: All tracking uses infrastructure controlled by companies in EU/UK/EEA countries, subject to GDPR. This is rare — across a study of ~24,000 apps, only 0.1% qualified.

Limitations

  • Not all trackers can be identified (some hosts remain unresolved).
  • Static analysis detects code presence even if inactive; dynamic analysis only captures traffic during testing.
  • Company ownership changes over time; the database may not reflect the very latest acquisitions.

Contact

You can report issues and ask questions at ios@trackercontrol.org.