Facebook, TikTok, X collect data when sending iPhone push notifications


Push notifications are once again being exploited to invasively collect user data, according to a new report from researchers at app developer Mysk.

iPhone apps are using push notifications to send device information and other analytics to remote servers, Mysk researchers found. Developers can collect this data even when the app is not open on the device.

Apple tightly limits what iOS apps can do in the background and suspends inactive applications, both for privacy reasons and to protect battery life and performance. However, when a push notification arrives that the app has marked as modifiable, iOS briefly launches the app’s notification service extension so it can customize the notification before it is shown. The extension is given only a short time window (on the order of seconds), but that window is enough for the app to read device signals and send them to the developer’s servers, regardless of whether the user ever opens the app.
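The following is an added example, written for this article and not taken from Mysk or from any of the apps named below. It shows the mechanism in code: a minimal notification service extension that iOS launches when an APNs payload carries "mutable-content": 1. The legitimate job of such an extension is to enrich or decrypt the notification before display; the comments mark where an app could instead read the public APIs that return the device signals the report lists (uptime, locale, keyboard languages, memory, battery, model). Class and variable names are illustrative, and no upload code is included.

```swift
import UserNotifications
import UIKit

// Example: a notification service extension (added illustration, not code from any named app).
// iOS starts this process when a push arrives whose payload is marked modifiable, e.g.
//   {"aps": {"alert": {"title": "New message"}, "mutable-content": 1}}
// The app itself does not need to be running or in the foreground.
final class NotificationService: UNNotificationServiceExtension {

    private var contentHandler: ((UNNotificationContent) -> Void)?
    private var bestAttempt: UNMutableNotificationContent?

    override func didReceive(_ request: UNNotificationRequest,
                             withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void) {
        self.contentHandler = contentHandler
        guard let content = request.content.mutableCopy() as? UNMutableNotificationContent else {
            contentHandler(request.content)
            return
        }
        bestAttempt = content

        // Intended use: tailor the notification, e.g. localize the title.
        content.title = "[\(Locale.current.identifier)] \(content.title)"

        // Everything below runs in the same short execution window, with the app closed.
        // These are public APIs; a data-hungry extension would serialize the result and
        // send it to its servers from here (upload deliberately omitted in this example).
        UIDevice.current.isBatteryMonitoringEnabled = true
        let signals: [String: String] = [
            "uptime":     String(ProcessInfo.processInfo.systemUptime),
            "locale":     Locale.current.identifier,
            "keyboards":  UITextInputMode.activeInputModes
                              .compactMap { $0.primaryLanguage }
                              .joined(separator: ","),
            "memory":     String(ProcessInfo.processInfo.physicalMemory),
            "battery":    String(UIDevice.current.batteryLevel),
            "model":      UIDevice.current.model,
            "osVersion":  UIDevice.current.systemVersion,
        ]
        // Attach to the notification payload only so the mechanism is visible in a debugger;
        // a real app would not surface this to the user.
        content.userInfo["collectedSignals"] = signals

        // The extension must hand back content; until it does, the window stays open.
        contentHandler(content)
    }

    // Called by iOS when the time budget is exhausted; whatever was not finished is lost,
    // which is why this path cannot be used for long-running background work.
    override func serviceExtensionTimeWillExpire() {
        if let handler = contentHandler, let content = bestAttempt {
            handler(content)
        }
    }
}
```

Two practical consequences follow from this structure. The extension only runs if the payload sets "mutable-content", and the developer controls the payload, so the developer decides when the code runs on every device that has notifications enabled. And because the trigger is notification delivery rather than user interaction, turning off "Allow Notifications" for the app is the only user-side setting that prevents the extension from launching at all.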

Mysk uploaded a video to YouTube that shows tested apps collecting data from the device via push notifications.

The apps found to be gathering data include some of the biggest social media platforms like Facebook, Instagram, TikTok, LinkedIn, and Elon Musk’s X.

“The ability to execute tasks in the background is a gold mine for data-hungry apps,” Mysk said in a statement provided to Mashable. “Unsurprisingly, many social apps notorious for their aggressive data harvesting practices are taking advantage of the background execution time enabled by push notifications. In fact, developers can harness this workaround to run code in the background on demand. All they have to do is send push notifications to their users. As a result, iOS would wake their app in the background on every device, then the app runs whatever code the developer has built into the app.”

Mysk found that most apps engaging in this practice collected device data such as “system uptime, locale, keyboard language, available memory, battery status, device model, display brightness” and other related information. Individually these values look innocuous, but the researchers say that, combined, they are exactly what is needed to build a unique profile that can track users across services and serve them targeted advertisements. This practice, known as fingerprinting, is prohibited by Apple’s App Store rules.

Some of the app developers are pushing back on Mysk’s findings, according to Gizmodo.

LinkedIn and Meta told Gizmodo that the data is not being misused. LinkedIn said the activity recorded via push notifications is used to confirm that notifications are delivered and working, and that this complies with Apple’s guidelines.

Late last year, push notifications on iOS devices made headlines when U.S. Senator Ron Wyden received a tip that law enforcement agencies and foreign governments had been able to request push notification records from Apple. After the story broke, Apple updated its law enforcement guidelines to require a judge’s order or search warrant before handing over that data.

Apple may already be moving to close this gap. According to Mysk, later this year Apple plans to require developers to explain why their apps are “using the APIs that return unique device signals,” the very calls that underpin fingerprinting.

In the meantime, Mysk recommends that users who are concerned about this data collection turn push notifications off on their iPhone and iPad. The researchers noted that notifications must be disabled entirely for each app (the “Allow Notifications” toggle in Settings), since merely silencing or hiding them still lets the app run when a notification arrives.