Some of the most popular iOS apps have been found to bypass Apple’s terms of service to collect sensitive data about the devices they are installed on.
According to the researcher who uncovered the practice, this is a big deal because app vendors can use that data to profile and subsequently track their users, which is a big no-no for Apple.
As Mysk explained on X, with iOS 10, Apple allowed mobile apps to run briefly in the background to process a push notification before it is served. As soon as that processing is finished, the app is suspended again and later terminated, for better performance and security. But during this short window, some apps have been observed collecting sensitive device data: system uptime, locale, keyboard language, available memory, battery status, storage usage, device model, and screen brightness. All of this, Mysk claims, can be used to fingerprint (profile) users and later track them.
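To show why the list of signals above matters, here is a small added Python demonstration; it is not code from the original article or from Mysk's research. It builds a constructed sample of eight devices carrying the kinds of values the article names, hashes a chosen subset of fields into a fingerprint, and measures how many devices that fingerprint singles out. It also shows the two things a tracker and a platform both care about: volatile fields such as uptime are dropped because they break the fingerprint between sessions, and coarsening the remaining values (the mitigation a platform can apply) shrinks their identifying power. The device values, field names and bucket sizes are all assumptions made for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample (not real telemetry): eight devices with the signal
# types the article lists. Models and locales repeat on purpose so that no
# single field identifies a device on its own.
DEVICES = [
    {"model": "iPhone14,2", "locale": "en_US", "kbd": "en-US", "memory_mb": 3100,
     "battery": 0.82, "storage_gb": 41.2, "brightness": 0.55, "uptime_s": 86400},
    {"model": "iPhone14,2", "locale": "en_US", "kbd": "en-US", "memory_mb": 2950,
     "battery": 0.70, "storage_gb": 33.0, "brightness": 0.60, "uptime_s": 3600},
    # Same device as the first entry, observed on a later day: only uptime moved.
    {"model": "iPhone14,2", "locale": "en_US", "kbd": "en-US", "memory_mb": 3100,
     "battery": 0.82, "storage_gb": 41.2, "brightness": 0.55, "uptime_s": 90000},
    {"model": "iPhone14,2", "locale": "de_DE", "kbd": "de-DE", "memory_mb": 2800,
     "battery": 0.99, "storage_gb": 77.1, "brightness": 0.30, "uptime_s": 172800},
    {"model": "iPhone15,3", "locale": "en_US", "kbd": "en-US", "memory_mb": 4200,
     "battery": 0.15, "storage_gb": 200.4, "brightness": 0.75, "uptime_s": 43200},
    {"model": "iPhone15,3", "locale": "en_US", "kbd": "en-US", "memory_mb": 4100,
     "battery": 0.30, "storage_gb": 190.0, "brightness": 0.85, "uptime_s": 7200},
    # Same device as the fifth entry after a reboot.
    {"model": "iPhone15,3", "locale": "en_US", "kbd": "en-US", "memory_mb": 4200,
     "battery": 0.15, "storage_gb": 200.4, "brightness": 0.75, "uptime_s": 500},
    {"model": "iPhone15,3", "locale": "ja_JP", "kbd": "ja", "memory_mb": 4000,
     "battery": 0.33, "storage_gb": 98.6, "brightness": 0.90, "uptime_s": 600},
]

ALL_FIELDS = ["model", "locale", "kbd", "memory_mb", "battery",
              "storage_gb", "brightness", "uptime_s"]
# Uptime changes every time the device is observed, so a tracker that wants a
# fingerprint that survives between sessions leaves it out.
STABLE_FIELDS = [f for f in ALL_FIELDS if f != "uptime_s"]


def fingerprint(device, fields):
    """Hash the chosen fields into a short, stable identifier."""
    material = "|".join(f"{f}={device[f]}" for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def uniqueness(devices, fields):
    """Fraction of devices whose fingerprint matches no other device."""
    prints = [fingerprint(d, fields) for d in devices]
    counts = Counter(prints)
    return sum(1 for p in prints if counts[p] == 1) / len(prints)


def entropy_bits(devices, fields):
    """Shannon entropy of the fingerprint distribution, in bits."""
    n = len(devices)
    counts = Counter(fingerprint(d, fields) for d in devices)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def coarsen(device):
    """Mitigation: report values in wide buckets instead of exact readings.

    Bucket widths are assumptions for the example: 1 GB of memory, 50 GB of
    storage, quarter steps for battery, half steps for brightness.
    """
    out = dict(device)
    out["memory_mb"] = round(device["memory_mb"] / 1000) * 1000
    out["storage_gb"] = round(device["storage_gb"] / 50) * 50
    out["battery"] = round(device["battery"] * 4) / 4
    out["brightness"] = round(device["brightness"] * 2) / 2
    return out


if __name__ == "__main__":
    coarse = [coarsen(d) for d in DEVICES]
    for label, devs, fields in [
        ("model only", DEVICES, ["model"]),
        ("all fields (uptime included)", DEVICES, ALL_FIELDS),
        ("stable fields", DEVICES, STABLE_FIELDS),
        ("stable fields, coarsened", coarse, STABLE_FIELDS),
    ]:
        print(f"{label:30s} unique={uniqueness(devs, fields):.2f} "
              f"entropy={entropy_bits(devs, fields):.2f} bits")
```

Run as a script, the table shows the model alone separating nobody, the full field set separating every observation (which is useless for tracking, since the two repeat visits get new fingerprints), the stable subset re-identifying the two returning devices while still singling out half the sample, and the coarsened values collapsing most of that. The same arithmetic is why a handful of mundane readings taken during a background push-notification wake-up is enough to build an identifier, and why Apple's answer is to gate access to those readings rather than to any one of them.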
Apple’s move
“Our tests show that this practice is more common than we expected. The frequency with which many apps send device information after being triggered by a notification is incredible,” Mysk’s X announcement said.
Many apps apparently abuse the privilege of serving push notifications to mobile users, including TikTok, Facebook, Twitter, LinkedIn and Bing, the researcher said in a demo video posted on YouTube.
BleepingComputer reached out to Mysk, who confirmed that Apple plans to stop this practice in a few months.
Apple will reportedly tighten restrictions on the use of Device Signals APIs in the near future and require app developers to specify exactly why they need to use APIs that can lead to user profiling. Developers who do not provide a satisfactory response will be denied access to the App Store.
In the meantime, if you’re worried about being profiled by Facebook and gang, be sure to disable push notifications entirely.
The companies mentioned in the report have yet to comment on Mysk’s findings.