Where by "de-anonymize" they actually mean "detect what region the user's Apple ID is set to". The fingerprinting value of this is pretty weak, especially since, in most cases, it'll be the same as the country inferred from the user's IP.
It's also trivial for Apple to mitigate if they consider it to be an issue -- they can make the banner appear regardless of whether the app is available to the user.
Your Apple ID country has a lot of implications if changed (certain app access will be available/restricted, payment methods, etc). You aren't going to be able to identify a user specifically, but you could detect if a user is currently traveling internationally or may be a frequent VPN user.
The problem is that combining the two would actually give you significantly more information than either individual datapoint. A mismatch between Apple ID region and IP region will very reliably identify a subset of users (either expats or travellers).
No, the banner shows up either way and the size of the banner doesn't change based on whether the app is installed or not. So there's no way to determine whether or not the app is installed using this method.
This generally seems to be a thing plaguing tech these days. Within the last several years I've noticed the removal of "No" buttons in favor of "Not Yet" buttons and no way to say "Never show again." I don't understand why companies think repeatedly notifying me about the same thing will do anything but make me mad. You're not going to force me to install it or use your product or do whatever you're trying to force me to do by bothering me about it. I'll just not buy another product from you, or find some way to make it stop one way or another.
Good find. I’m mostly surprised that Safari allows you to show a banner for any app. I would have thought that Apple would validate that the domain of the site matches what is registered in App Store Connect before it shows the banner, but apparently not.
Not a huge deal, you’re not fully de-anonymizing the user, but it’s an information leakage regardless.
> domain of the site matches what is registered in App Store Connect before it shows the banner, but apparently not.
This might be by design... For example, a podcast website might be interested in showing a banner for the app that you can get their podcast on. (This isn't a defence of the banners themselves, which IMO are naggy and unnecessary)
Smart app banners don’t work in webviews, so on iOS you could block this technique by using a different browser. However, most iOS browsers set a different user agent that’s distinct from Safari, which might make you even more fingerprintable.
This works around VPNs, but something similar could also be done using the Accept-Language header or JS internationalization (Intl.DateTimeFormat().resolvedOptions().timeZone).
It's a clever find, but also very disruptive to the user when it happens, and even using a binary search tree still takes a long time.
The accept-language header isn't very reliable. For example, I'm not anywhere near the US but my language is set to en-us because that is where I'm from originally (same with the timezone trick). So you end up just identifying immigrants, migrants, and tourists, not necessarily people on a VPN.
The method de-anonymises to the “Apple ID region”. At most it gets your country. By design Apple’s own iCloud Private Relay¹ anonymises at best to the country level, so I doubt they’ll see this method as a problem.
Though important to note:
> this information remains constant across various networks and VPN usage.
However, the exit nodes used by Private Relay always map to your current country and not to the billing region of the Apple ID, so a persistent discrepancy is still possible.