Good for the first one: I don't want joe's random app sending tracking data on me to ned's random service provider to sell to anyone with 50 cents.
The second one doesn't prevent analytics. Device Data is a keyword in the contract…
"Device Data" means data or information regarding the characteristics or usage of a particular device, including but not limited to UDID, crash logs, OS version, carrier name, hardware model, installed applications and application usage data.
… so you can't provide a vector for a third party, not bound by your agreement to respect the user's privacy, to loot the device of useful information. Good! You are allowed to collect and use this data, you just have to respect applicable privacy laws and handle notice and consent according to the contract.
The key is, you can't bind some random analytics firm. If you include code that dumps that out to a third party firm they are free to do whatever they want.
So create a UUID the first time you run, send only that to the analytics firm. Leave the Device Data alone. I suspect this would pass, though it is possible it would fail under the "application usage data" section.
One could imagine some extreme interpretation where Apple is trying to prevent any information about which apps are installed being divulged to anyone, but there are so many unaddressed vectors (e.g. loading an ad from an ad server) that it seems unlikely.
The second one doesn't prevent analytics. Device Data is a keyword in the contract…
"Device Data" means data or information regarding the characteristics or usage of a particular device, including but not limited to UDID, crash logs, OS version, carrier name, hardware model, installed applications and application usage data.
… so you can't provide a vector for a third party, not bound by your agreement to respect the user's privacy, to loot the device of useful information. Good! You are allowed to collect and use this data, you just have to respect applicable privacy laws and handle notice and consent according to the contract.
The key is, you can't bind some random analytics firm. If you include code that dumps that out to a third party firm they are free to do whatever they want.
So create a UUID the first time you run, send only that to the analytics firm. Leave the Device Data alone. I suspect this would pass, though it is possible it would fail under the "application usage data" section.
One could imagine some extreme interpretation where Apple is trying to prevent any information about which apps are installed being divulged to anyone, but there are so many unaddressed vectors (e.g. loading an ad from an ad server) that it seems unlikely.