Loupe Released: Visualizing Fingerprint Data on iOS Devices

Mysk Research has unveiled Loupe for iOS/iPadOS, visualizing device data accessible via public APIs and classifying it into three tiers.

Reviewed & edited by the SINGULISM Editorial Team

The security research team at Mysk has launched “Loupe,” an open-source app that visualizes the extent of information iOS and iPadOS devices share with third-party apps through public APIs. The app’s source code is available on GitHub, allowing users to directly view raw data accessible from their devices.

Loupe categorizes the information that apps can use to identify devices into three tiers: “Passive,” “Permission-Required,” and “Advanced.” Even without access to names, email addresses, or location data, trackers can combine this data to generate a unique device fingerprint, enabling cross-app and cross-website user tracking.

How Device Fingerprinting Works

Device fingerprinting operates on principles similar to browser fingerprinting. Apps can read dozens of parameters from iOS public APIs, including locale, time zone, screen resolution, battery status, and more. While a single parameter cannot uniquely identify a device, combining multiple parameters creates a distinctive fingerprint that differentiates one device from others.

Loupe displays this information in its raw form without any hashing or aggregation. The data shown within the app remains confined to the device and is not transmitted externally unless the user explicitly chooses to export it.
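The combining effect described in this section can be measured. The following added example (not code from Loupe or Mysk; the eight-device population and the field names are constructed for illustration) adds one Passive-tier attribute at a time and reports the joint entropy and the share of devices left alone in their anonymity set.

```python
import math
from collections import Counter

# Constructed population of eight devices; values are illustrative, not measured.
FIELDS = ("locale", "time_zone", "screen", "battery_pct", "charging")
DEVICES = [
    ("en_US", "America/New_York",    "1179x2556", 80, False),
    ("en_US", "America/New_York",    "1179x2556", 45, True),
    ("en_US", "America/Los_Angeles", "1179x2556", 80, False),
    ("en_US", "America/Los_Angeles", "1290x2796", 62, False),
    ("de_DE", "Europe/Berlin",       "1179x2556", 80, True),
    ("de_DE", "Europe/Berlin",       "1290x2796", 45, False),
    ("ja_JP", "Asia/Tokyo",          "1179x2556", 62, False),
    ("ja_JP", "Asia/Tokyo",          "1179x2556", 62, True),
]

def _groups(devices, fields):
    """Count devices per distinct value tuple of the chosen fields."""
    idx = [FIELDS.index(f) for f in fields]
    return Counter(tuple(d[i] for i in idx) for d in devices)

def entropy_bits(devices, fields):
    """Shannon entropy of the joint distribution of the chosen fields."""
    n = len(devices)
    return -sum(c / n * math.log2(c / n) for c in _groups(devices, fields).values())

def unique_fraction(devices, fields):
    """Share of devices whose value tuple no other device shares."""
    groups = _groups(devices, fields)
    return sum(1 for c in groups.values() if c == 1) / len(devices)

def cumulative_report(devices=DEVICES, fields=FIELDS):
    """Add one attribute at a time and record how identifiability grows."""
    rows = []
    for k in range(1, len(fields) + 1):
        subset = fields[:k]
        rows.append((subset[-1], round(entropy_bits(devices, subset), 3),
                     unique_fraction(devices, subset)))
    return rows

if __name__ == "__main__":
    # Battery values change over time, so they separate devices only within a
    # single snapshot; locale, time zone and screen size are far more stable.
    for added, bits, uniq in cumulative_report():
        print(f"+{added:<12} entropy={bits:.3f} bits  unique={uniq:.0%}")
```

In this constructed population no single attribute isolates any device, yet all five together isolate every one of them.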

The Three Tiers

Loupe categorizes information into three tiers based on the ease of access, offering a framework for evaluating privacy risks:

The first tier, “Passive,” includes information that apps can access without requiring any user permission. Examples include locale settings, time zone, screen resolution, battery level, and charging status. These data points are outside the scope of iOS’s permission system and are accessible by all installed apps without restriction.

The second tier, “Permission-Required,” encompasses data like contacts, photos, location, and calendar details, which require explicit user consent via iOS prompts. To access this information, apps must declare the necessary permissions and receive user approval.

The third tier, “Advanced,” consists of information that can be obtained through sophisticated side-channel techniques using public APIs. Examples include URL scheme probing with canOpenURL and the persistence of data in the Keychain even after an app is reinstalled. These methods exploit loopholes not explicitly addressed by Apple’s privacy guidelines.
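For a privacy review, the tiers differ in how much of an app's access is visible in its manifest. The sketch below is an added example, not part of Loupe: it reads a constructed `Info.plist` and lists the Permission-Required purpose strings and the URL schemes declared under `LSApplicationQueriesSchemes`, which iOS requires before `canOpenURL` can query them. The sample plist, the `audit` helper and its review threshold are assumptions made for illustration.

```python
import plistlib

# Constructed Info.plist for a hypothetical app (not taken from any real product).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSContactsUsageDescription</key><string>Find friends</string>
  <key>NSLocationWhenInUseUsageDescription</key><string></string>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>examplebank</string><string>examplechat</string><string>examplemaps</string>
  </array>
</dict></plist>"""

# Purpose-string keys for the Permission-Required data named in the article.
PERMISSION_KEYS = {
    "NSContactsUsageDescription": "contacts",
    "NSPhotoLibraryUsageDescription": "photos",
    "NSLocationWhenInUseUsageDescription": "location",
    "NSCalendarsUsageDescription": "calendar",
}

def audit(plist_bytes, scheme_review_threshold=2):
    """Summarise what the manifest reveals; the threshold is a reviewer's choice."""
    info = plistlib.loads(plist_bytes)
    declared = {PERMISSION_KEYS[k]: info[k] for k in PERMISSION_KEYS if k in info}
    schemes = info.get("LSApplicationQueriesSchemes", [])
    findings = []
    for data, purpose in declared.items():
        if not purpose.strip():
            findings.append(f"{data}: empty purpose string")
    if len(schemes) > scheme_review_threshold:
        findings.append(
            f"{len(schemes)} canOpenURL schemes declared; confirm each is needed")
    # Passive-tier reads and Keychain persistence leave no trace in Info.plist,
    # so a clean result here says nothing about those two sources.
    return {"permission_required": sorted(declared),
            "advanced_schemes": sorted(schemes),
            "findings": findings}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PLIST).items():
        print(key, "->", value)
```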

Development Highlights

Loupe’s source code was predominantly generated using AI coding tools, making it a noteworthy example of how AI can contribute to practical tool development.

Building Loupe requires Xcode 26 or later, and the project employs Xcode’s buildable folder system, which automatically recognizes new Swift files without needing to edit the project file manually.

While a macOS version is also available, it is not yet fully polished, with some features still under development. The app is distributed under the MIT license, while design assets like the app’s name and logo are copyrighted by Mysk.

The Importance of Privacy Awareness

Loupe aims to serve as an educational tool, enabling users to understand what information their devices may expose to external parties. Although iOS is known for its strong emphasis on privacy protection, there is a significant amount of information that falls outside the scope of its permission system.

In addition to Loupe, Mysk also offers Psylo, a privacy-focused browser with features like proxy-based browsing, tab isolation, and anti-fingerprinting protections, which aligns with Loupe’s mission of raising privacy awareness.

Editorial Opinion

In the short term, Loupe is likely to serve as a wake-up call for the iOS app developer community, prompting them to reassess how much device information their apps collect. Especially for the data classified under the “Passive” tier, which has often been overlooked, Loupe could help establish new benchmarks for privacy reviews. Additionally, the app demonstrates the practical potential of AI-driven code generation, contributing to the diversification of development methodologies.

In the long term, tools like Loupe may influence Apple’s API design. Historically, iOS has adopted a binary model of information access based on permissions, but Loupe’s classification highlights the existence of gray areas. This could spark discussions about imposing disclosure requirements for data used for fingerprinting purposes or the introduction of new permission categories.

Ultimately, the balance between platform-level measures and user literacy remains a critical question. While Loupe provides the means for users to “see” the data being accessed, how that knowledge translates into action depends on individual decisions.

Frequently Asked Questions

Does running Loupe risk exposing device information externally?

No. Loupe only uses the obtained data for on-device display and does not upload or sync any information to external servers. Unless users explicitly choose to export data, it will not leave the device.

Is this app intended for general users or developers?

The app is suitable for both. General users can visually examine the extent of information their devices expose, while developers can use it to evaluate the privacy implications of their apps. However, it should be noted that building Loupe requires Xcode 26 or later, and it is not available for download via the App Store.

Can a device truly be identified using only data from the Passive tier?

Theoretically, yes. While a single parameter, such as time zone, cannot uniquely identify a device, combining multiple parameters—such as time zone, locale, screen resolution, battery status, and installed fonts—can result in a highly accurate device fingerprint. Research has demonstrated that such combinations can reliably re-identify devices.

Source: Lobsters
