Facebook, TikTok and Elon Musk’s X collect your data when they send iPhone push notifications

Push notifications are once again being exploited to invasively collect user data, according to a new report by researchers at app developer Mysk.

iPhone apps use push notifications to send device information and other analytics to remote servers, Mysk researchers found. Developers can collect this data even if the app is not open on the device.

What’s going on here?

Apple does not allow iOS apps to run in the background and suspends inactive apps due to privacy and performance concerns. However, when a user receives a push notification, iOS temporarily wakes the app so it can customize the notification for the user. iOS suspends the app again once this is done, but during that window these apps collect data about the user’s device and send it to the relevant parties.

Mysk shared a video on YouTube that shows the tested apps collecting data from the device via push notifications.

Apps found to be collecting data include some of the biggest social media platforms such as Facebook, Instagram, TikTok, LinkedIn and Elon Musk’s X.

“The ability to run tasks in the background is a gold mine for data-hungry applications,” Mysk said in a statement provided to Mashable. “Unsurprisingly, many social apps known for their aggressive data collection practices take advantage of the background runtime enabled by push notifications. In fact, developers can use this workaround to run code in the background on demand. All they have to do is send push notifications to their users. As a result, iOS would wake up their app in the background on each device, and then the app would run whatever code the developer embedded in the app.”

Mysk found that most apps that engage in this practice collect device information such as “system uptime, locale, keyboard language, available memory, battery status, device model, screen brightness” and other related information. The researchers say all this data is relevant when creating unique profiles to track users online and serve them relevant ads. This practice, known as fingerprinting, is prohibited by Apple’s iOS policies.

Is there anything I can do?

Some of the app developers reject Mysk’s findings, according to Gizmodo.

LinkedIn and Meta denied to Gizmodo that this data was misused. LinkedIn specified that the activity recorded via push notifications is used to verify that the notifications are working and that it follows Apple’s guidelines.

Late last year, push notifications on iOS devices made headlines when US Senator Ron Wyden received a tip that law enforcement and government agencies could request sensitive data from a user’s device via push notifications. After the story broke, Apple updated its policies to require a search warrant before handing over user data.

In this case, however, Apple may already be a step ahead. According to Mysk, Apple already plans to start requiring developers later this year to explain why their apps “use APIs that return unique device signals,” an activity used in fingerprinting practices.

In the meantime, however, Mysk recommends that users concerned about this data collection turn off push notifications on their iPhones and iPads. The researchers noted that users must select the option to completely disable push notifications for each app to stop data collection.


