iPhone apps including Facebook, LinkedIn, TikTok and X/Twitter are bypassing Apple's privacy policies to collect device data through notifications, according to tests by security researchers at Mysk Inc., an app development company. Users sometimes close apps to keep them from collecting data in the background; the technique works even when the app is closed. The data is unnecessary for processing notifications, the researchers said, and appears to serve analytics, advertising and tracking users across apps and devices.
It’s only natural that apps will find ways to collect more data, but “we were surprised to learn that this practice is widely used,” said Tommy Mysk, who conducted the tests along with Talal Haj Bakry. “Who would have thought that an innocuous action as simple as dismissing a notification would trigger a lot of unique device information being sent to remote servers? It’s worrying when you think about the fact that developers can do this on demand.”
For example, the tests showed that when you interact with a notification from Facebook, the app collects your IP address, the number of milliseconds since your phone last restarted, the amount of free storage on your phone, and a host of other details. Individually these values are mundane; combined, they form a fingerprint that can single out a device, and therefore a person, with a high level of accuracy. Other apps in the test collected similar information. LinkedIn, for example, uses notifications to collect the time zone you're in, the brightness of your screen and which carrier you're using, as well as a host of other information that seems particularly relevant to ad campaigns, Mysk said.
Just because an app can collect this data, doesn’t mean it uses it.
Meta, which owns Facebook, said Mysk's conclusions were a misinterpretation. “The findings are not correct. People log into our app on their devices and give permission to enable notifications,” said Emil Vazquez, Meta spokesperson. “We may periodically use this information, even when the app is not running, to help us deliver timely, reliable notifications, using Apple's API. This is in accordance with our rules.”
LinkedIn shared a similar statement. “We do not use notifications as a way to collect member data for advertising or related analytics, cross-device or application tracking,” a LinkedIn spokesperson said. “All information related to notifications is used only to confirm that the notification was successfully sent and is never shared externally.” Apple, TikTok and X/Twitter did not immediately respond to Gizmodo’s questions for this article.
These details are not particularly sensitive compared to things like location data, but they are valuable for advertising and other purposes. What many people don't realize is that targeted advertising, and most other invasions of digital privacy, depend on working out who you are. Companies know what you do inside their own apps, but they don't always know who you are, and the data is far less useful if it can't be tied to a person. If companies can't recognize the same person across apps and sites, most of that targeting falls apart.
Apple offers a special Advertising ID specifically designed to facilitate data collection and targeted ads, but the iPhone's App Tracking Transparency prompt (the “Ask App Not to Track” button) and the matching switch in Settings gate access to that Advertising ID. In theory, this should prevent companies from linking information about you and your behavior across different apps and other parts of the internet. Fingerprinting, which combines many small device attributes into a profile that is unique in practice, is a way to keep doing it anyway.
Apps can collect this type of data about you while they're open, but closing the app should stop the app from running and with it the flow of data. Notifications, however, appear to provide a loophole.
Apple provides a mechanism for apps to customize notifications before they are shown: a small companion process, called a notification service extension, that ships inside the app. For some notifications the app may need to decrypt text, download an image or other attachment, or adjust a badge count. If the app is closed, iOS briefly launches that extension, in its own sandbox and with a limited amount of time, to contact the company's servers, prepare the notification, and do any other necessary work. The data collection Mysk observed happened during that short window.
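What that window looks like from the developer's side, as an added example (this is not Mysk's test code and not code from any of the apps named above): the first part is the minimum a delivery-only notification service extension needs, the second lists the extra Foundation calls an extension can make in the same window, none of which changes what the user sees. The payload key `media-url` is an assumption for illustration.

```swift
import Foundation
import UserNotifications

// Added example, not from the article or the apps it names. iOS launches this
// extension for a push that carries "mutable-content": 1, even if the host app
// is not running. The payload key "media-url" is HYPOTHETICAL.
final class NotificationService: UNNotificationServiceExtension {

    private var contentHandler: ((UNNotificationContent) -> Void)?
    private var bestAttempt: UNMutableNotificationContent?

    // Entry point. Everything needed to render the notification is in `request`.
    override func didReceive(_ request: UNNotificationRequest,
                             withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void) {
        self.contentHandler = contentHandler
        guard let content = request.content.mutableCopy() as? UNMutableNotificationContent else {
            contentHandler(request.content)
            return
        }
        bestAttempt = content

        // Delivery-only work: fetch the thumbnail named in the payload and attach it.
        guard let urlString = content.userInfo["media-url"] as? String,
              let mediaURL = URL(string: urlString) else {
            contentHandler(content)      // nothing to fetch; show the text as sent
            return
        }
        URLSession.shared.downloadTask(with: mediaURL) { tmpFile, _, _ in
            defer { contentHandler(content) }   // always hand the content back
            guard let tmpFile = tmpFile else { return }
            // UNNotificationAttachment infers the media type from the file
            // extension, so give the temp file the extension of the remote resource.
            let ext = mediaURL.pathExtension.isEmpty ? "jpg" : mediaURL.pathExtension
            let dest = tmpFile.deletingPathExtension().appendingPathExtension(ext)
            try? FileManager.default.moveItem(at: tmpFile, to: dest)
            if let attachment = try? UNNotificationAttachment(identifier: "media", url: dest, options: nil) {
                content.attachments = [attachment]
            }
        }.resume()
    }

    // iOS calls this when the time budget is about to run out; return what we have.
    override func serviceExtensionTimeWillExpire() {
        if let handler = contentHandler, let content = bestAttempt {
            handler(content)
        }
    }
}

// What a data-hungry extension can add in the same window. These are ordinary
// Foundation APIs, reachable from the extension sandbox with no permission prompt;
// none of them is needed to display the notification above. The IP address needs
// no API at all: the server sees it on whatever request the extension makes.
func deviceFingerprintFields() -> [String: Any] {
    var fields: [String: Any] = [:]
    fields["uptime_ms"] = Int(ProcessInfo.processInfo.systemUptime * 1000) // time since boot
    fields["time_zone"] = TimeZone.current.identifier
    fields["locale"]    = Locale.current.identifier
    let home = URL(fileURLWithPath: NSHomeDirectory())
    if let values = try? home.resourceValues(forKeys: [.volumeAvailableCapacityForImportantUsageKey]),
       let free = values.volumeAvailableCapacityForImportantUsage {
        fields["free_disk_bytes"] = free                                  // free storage
    }
    return fields
}
```

The point of the second function is the audit check it suggests: intercept the extension's outbound requests with a proxy and compare the body against what `didReceive` was handed. A delivery-only extension sends nothing that was not in the push payload; uptime, free storage and time zone in the request body are not explained by anything the notification needed.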
“They can intentionally send a notification to the target device just by having the app run in the background and send back the details,” Mysk said. Or if a company like TikTok or X/Twitter wants to quickly update the IP addresses of 100,000 people who have closed their apps, one quick notification is enough. “It’s amazing,” he said.
It makes perfect sense that an app would want to analyze how users interact with notifications in order to optimize its services. However, Mysk said there are several reasons to think this isn’t why the apps are collecting this data.
For one thing, Apple's notification framework already reports back what happened to a notification, such as whether the user opened it or dismissed it, so there's no need to collect additional information to know what happened after you pinged your users. Furthermore, much of the data the apps collect appears unrelated to analyzing how notifications perform, such as your phone's available disk space or the time since your last reboot, Mysk said.
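The signals Apple already hands the app, as an added example (not code from the article or from any of the apps discussed): the delegate callbacks report which notification was involved and whether it was opened, dismissed or acted on, which is all a delivery-analytics pipeline needs. The `report` sink and the `promo` category name are assumptions for illustration.

```swift
import Foundation
import UserNotifications

// Added example, not from the article or the apps it names. Shows the
// interaction data the UserNotifications framework already delivers to the app,
// with no device probing. The `report` sink and "promo" category are HYPOTHETICAL.
final class NotificationOutcomeReporter: NSObject, UNUserNotificationCenterDelegate {

    enum Outcome: String { case opened, dismissed, customAction }

    // Called when the user taps the notification, swipes it away (for categories
    // that opt in, see registerCategories) or picks one of its action buttons.
    func userNotificationCenter(_ center: UNUserNotificationCenter,
                                didReceive response: UNNotificationResponse,
                                withCompletionHandler completionHandler: @escaping () -> Void) {
        let notificationID = response.notification.request.identifier
        let outcome: Outcome
        switch response.actionIdentifier {
        case UNNotificationDefaultActionIdentifier: outcome = .opened
        case UNNotificationDismissActionIdentifier: outcome = .dismissed
        default:                                    outcome = .customAction
        }
        report(notificationID: notificationID, outcome: outcome, action: response.actionIdentifier)
        completionHandler()
    }

    // Called for a notification that arrives while the app is in the foreground;
    // the app only decides how to present it.
    func userNotificationCenter(_ center: UNUserNotificationCenter,
                                willPresent notification: UNNotification,
                                withCompletionHandler completionHandler: @escaping (UNNotificationPresentationOptions) -> Void) {
        completionHandler([.banner, .sound])
    }

    // HYPOTHETICAL analytics sink: the notification id and the outcome are the
    // whole record. Nothing about uptime, storage, brightness or carrier is needed.
    func report(notificationID: String, outcome: Outcome, action: String) {
        print("notification \(notificationID): \(outcome.rawValue) (\(action))")
    }

    // Dismiss callbacks only arrive for categories registered with
    // .customDismissAction, so register the category once at launch.
    func registerCategories() {
        let promo = UNNotificationCategory(identifier: "promo",
                                           actions: [],
                                           intentIdentifiers: [],
                                           options: [.customDismissAction])
        UNUserNotificationCenter.current().setNotificationCategories([promo])
        UNUserNotificationCenter.current().delegate = self
    }
}
```

This is the benign counterpart to the quote about dismissing a notification: the framework tells the app that the user dismissed it, and that is the only fact the dismissal carries. Anything else sent at that moment was collected for some other reason.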
In addition, other data-hungry companies send notifications without collecting all this other information. When Mysk tested Gmail and YouTube, for example, the apps collected only data that was clearly related to processing the notification. If a company like Google can send you a notification without snooping on other details, Mysk said, it suggests there are ulterior motives behind the data collection he observed.
There are potentially innocent explanations for the notification data collection. Developers sometimes leave legacy code in their applications that performs functions the business no longer needs, so it is theoretically possible that an app like LinkedIn is collecting data that is never used for anything. The researchers, however, said they found this hard to believe.
A change in Apple's App Store rules could address the situation, but it is not clear that it will solve the problem. Starting in spring 2024, app developers must declare why they use certain “APIs,” which in this context are the pieces of software apps use to talk to the iPhone's operating system. Apple's list of these “required reason” APIs includes the ones that report system boot time and free disk space, two of the very fields Mysk saw being collected.
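What that declaration looks like, as an added example that is not Apple's tooling or any app's real manifest: a constructed PrivacyInfo.xcprivacy fragment declaring the boot-time and disk-space categories with Apple's reason codes, and a small check that the API categories a target's code touches are actually declared. The list of APIs found in the target is a constructed input standing in for whatever a source scan would produce.

```swift
import Foundation

// Added example, not Apple's tooling. The manifest text is constructed for
// illustration; the category names and reason codes are Apple's.
let manifestXML = """
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>35F9.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>E174.1</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

// Subset of Apple's required-reason API list, mapped to its category.
let categoryForAPI: [String: String] = [
    "systemUptime":                            "NSPrivacyAccessedAPICategorySystemBootTime",
    "mach_absolute_time":                      "NSPrivacyAccessedAPICategorySystemBootTime",
    "volumeAvailableCapacityForImportantUsage": "NSPrivacyAccessedAPICategoryDiskSpace",
    "statfs":                                  "NSPrivacyAccessedAPICategoryDiskSpace",
    "UserDefaults":                            "NSPrivacyAccessedAPICategoryUserDefaults",
]

// Parse the manifest and return category -> declared reason codes.
func declaredReasons(in xml: String) throws -> [String: [String]] {
    let plist = try PropertyListSerialization.propertyList(from: Data(xml.utf8), options: [], format: nil)
    guard let root = plist as? [String: Any],
          let entries = root["NSPrivacyAccessedAPITypes"] as? [[String: Any]] else {
        return [:]
    }
    var result: [String: [String]] = [:]
    for entry in entries {
        guard let category = entry["NSPrivacyAccessedAPIType"] as? String else { continue }
        let reasons = entry["NSPrivacyAccessedAPITypeReasons"] as? [String] ?? []
        result[category, default: []] += reasons
    }
    return result
}

// Categories the target uses (by API name) that the manifest does not declare
// with at least one reason. This is the check Apple's review performs mechanically.
func undeclaredCategories(apisUsed: [String], manifest: [String: [String]]) -> [String] {
    let needed = Set(apisUsed.compactMap { categoryForAPI[$0] })
    let declared = Set(manifest.filter { !$0.value.isEmpty }.map { $0.key })
    return needed.subtracting(declared).sorted()
}

// CONSTRUCTED input: API names a scan of a notification extension's sources found.
let apisInExtension = ["systemUptime", "volumeAvailableCapacityForImportantUsage", "UserDefaults"]
let manifest = try declaredReasons(in: manifestXML)
print("declared:", manifest)
print("missing:", undeclaredCategories(apisUsed: apisInExtension, manifest: manifest))
```

The check shows the limit of the mechanism. Reason code 35F9.1 declares that boot time is read to measure elapsed time between events inside the app; E174.1 declares that free space is checked before writing files. Code that reads both values and ships them to an analytics server passes this check just as well as code that does what it declares, which is why Mysk's caution about how Apple enforces the declarations matters more than the declarations themselves.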
In theory, this could force companies to reveal why they're tracking you, and if they're collecting data for purposes Apple's rules don't allow, they might have to stop. “The bad news is that it's not clear how Apple will implement this,” Mysk said.
Unfortunately, big companies have been known to stretch the truth in disclosures like these, and Apple doesn't have a great track record of enforcing similar policies.