Google-Owned Crashlytics Is Using Custom Fonts to Track Users

One of the things iOS has been sorely lacking for a decade is the ability for users to install custom fonts. Apple has put it off on the grounds that custom fonts open security and privacy holes. Proving Apple’s point, Google-owned Crashlytics is already abusing the feature to track users by installing a font with a custom identifier embedded. iOS 13 isn’t even out yet and they’re abusing this for tracking. Because these fonts are installed system-wide — which is the whole point of the feature, so users can use their custom fonts in any app that supports choosing a font — I believe any app can use Crashlytics’s font to uniquely identify users.

I haven’t tried this feature yet, but Apple’s developer documentation indicates that users are prompted to allow an app to install a font, so it can’t be done silently in the background. Most users, I suspect, would just allow this, thinking fonts are harmless — but at least those of you reading this are forewarned.

Update: Apparently this isn’t something based on iOS 13’s custom fonts feature, but instead based on an older iOS feature that allows custom fonts to be installed with a configuration profile. The basic fact remains: custom fonts, however they’re installed, are not meant to be used for tracking users.

Thursday, 12 September 2019