iPhone apps including Facebook, LinkedIn, TikTok and X/Twitter are bypassing Apple’s privacy policies to collect user data via notifications, according to tests by security researchers at Mysk Inc., an application development company. Users sometimes close apps to prevent them from collecting data in the background, but this technique gets around that protection. The data is unnecessary for processing notifications, the researchers said, and appears to be related to analytics, advertising and user tracking across apps and devices. Some of the companies involved said those findings were inaccurate.
It’s only natural that apps will find ways to collect more data, but “we were surprised to learn that this practice is widely used,” said Tommy Mysk, who conducted the tests along with Talal Haj Bakry. “Who would have thought that an innocuous action as simple as dismissing a notification would trigger a lot of unique device information being sent to remote servers? It’s worrying when you think about the fact that developers can do this on demand.”
These particular apps are not unusually bad actors. According to researchers, this is a widespread problem plaguing the iPhone ecosystem. However, Meta and LinkedIn spokespeople categorically denied that the data was used for advertising or other inappropriate purposes. A LinkedIn spokesperson said the data is only used to ensure notifications work properly, and the company follows all of Apple’s developer guidelines. Apple, TikTok and X/Twitter did not immediately respond to Gizmodo’s questions for this article.
This isn’t the first time Mysk’s tests have uncovered data problems at Apple, which has spent untold millions convincing the world that “what happens on your iPhone, stays on your iPhone.” In October 2023, Mysk revealed that the much-touted iPhone feature meant to keep your Wi-Fi address private isn’t as private as the company promises. In 2022, Apple was hit with over a dozen class-action lawsuits after Gizmodo reported on Mysk’s discovery that Apple was collecting data on its users even after they turned on the iPhone privacy setting that promises to “completely disable the sharing of device analytics.”
The data looks like information used for “fingerprinting,” a technique companies use to identify you based on a few seemingly innocuous details about your device. Fingerprinting bypasses privacy protections to track people and send them targeted ads — and Apple specifically forbids companies from doing so. The iPhone and other Apple products have many settings and policies that should give you control over when companies can identify you and collect data.
For example, the tests showed that when you interact with notifications from Facebook, the app collects your IP address, the number of milliseconds since your phone last restarted, the amount of free storage space on your phone, and a host of other details. The combination of such data is sufficient to identify a person with a high level of accuracy. Other apps in the test collected similar information. LinkedIn, for example, uses notifications to collect what time zone you’re in, the brightness of your screen and what mobile carrier you’re using, the test showed. Mysk said LinkedIn also collects a host of other information that appears specifically related to ad campaigns (a LinkedIn spokesperson called this inaccurate). It’s worth noting that just because an app collects this information, it doesn’t mean it uses it.
“We do not use notifications as a way to collect member data for advertising or related analytics, cross-device or app tracking,” a LinkedIn spokesperson said. “The data collected is only used to confirm that the notification was successfully sent and, on a temporary basis, to set up the app experience in the event that the member chooses to launch the app in response to a notification. This data is never shared externally.”
Meta, which owns Facebook, shared a similar statement. “The findings are not correct. People log into our app on their devices and give permission to enable notifications,” said Emil Vazquez, Meta spokesperson. “We may occasionally use this information, even when the app is not running, to help us deliver timely, reliable notifications, using Apple’s API. This is in accordance with our rules.”
These details are not particularly sensitive compared to things like location data, but they are valuable for advertising and other purposes. What many people don’t realize is that targeted advertising and other invasions of digital privacy hinge on knowing who you are. Companies know what you do on their apps, but they don’t always know who you are, and the data is much less useful if you don’t know whose it is. If companies can’t identify you, they can’t target you with ads.
Apple offers a special advertising ID number that is specifically designed to facilitate data collection and targeted ads, but settings like the iPhone’s “Ask App Not to Track” control block access to that ad ID. In theory, this should prevent companies from linking information about you and your behavior across different apps and other parts of the internet. Fingerprinting is a sneaky way to keep doing it anyway.
Apps can collect this kind of data about you while they’re open, but swiping the app closed in the app switcher should stop the data flow and stop the app from running. Notifications, however, seem to provide a backdoor.
Apple provides developers with a framework for delivering push notifications. For some notifications, the app may need to play a sound or download text, images or other content before the notification is shown. If the app is closed, the iPhone operating system briefly wakes up a piece of the app’s code so it can contact the company’s servers, present the notification, and do any other necessary work. The data collection observed by Mysk occurred during this short window.
“They can intentionally send a notification to the target device just by having the app run in the background and send back the details,” Mysk said. Or if a company like TikTok or X/Twitter wants to quickly update the IP addresses of 100,000 people who have closed their apps, one quick notification is enough. “It’s amazing,” he said.
It makes perfect sense that an app would want to analyze how users interact with notifications in order to optimize its services. However, Mysk said there are several reasons to think this isn’t why the apps are collecting this data.
First of all, Apple reports directly to application developers what happened with their notifications, so there’s no need to collect additional information to learn what happened after you pinged your users. Furthermore, much of the data the apps collect appears unrelated to analyzing how notifications perform, such as your phone’s available disk space or the time since your last reboot, Mysk said.
In addition, other data-hungry companies manage to send notifications without collecting all this other information. When Mysk tested Gmail and YouTube, for example, the apps only collected data that was clearly related to processing notifications. Mysk said that if a company like Google can send you a notification without snooping on other details, it suggests there are ulterior motives behind the data collection he observed.
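The comparison above, between the delivery-related fields Gmail and YouTube send and the device-state fields the other apps send, is the core of the analysis. The script below is an added example (not from the article and not Mysk’s toolchain) that models that triage step: it takes request bodies captured while an app’s notification code runs, separates fields an app plausibly needs to confirm delivery from fields that only make sense as fingerprinting signals, and gives each app a verdict. The capture records, field names and the three-field threshold are all constructed assumptions; real payloads and app names vary.

```python
"""Triage of requests captured while an app handles a push notification.

Added example, not the article's or Mysk's code. It models the method the
article describes: intercept what an app's notification-handling code sends
home when a push arrives or is dismissed, then separate delivery bookkeeping
from device-state fields that only make sense for fingerprinting.
Every record below is constructed, not a real capture.
"""
import re
from collections import defaultdict

# Field-name patterns are assumptions about how such payloads are keyed.
FIELD_CLASSES = {
    "delivery": [
        r"notif(ication)?_?id", r"message_?id", r"delivered", r"dismissed",
        r"opened", r"push_?token", r"event(_type)?", r"(sent|received)_?(at|ts|time)",
    ],
    "fingerprint": [
        r"uptime", r"boot", r"free_?(disk|space|mem)", r"bright",
        r"time_?zone|tz", r"carrier|mcc|mnc", r"\bip\b|ip_?addr",
        r"locale|language", r"device_?(model|name)", r"os_?version",
    ],
}

# Constructed captures: app_a mirrors the pattern the article attributes to the
# social apps, app_b the delivery-only pattern seen with Gmail/YouTube.
CAPTURES = [
    {"app": "app_a", "trigger": "notification_dismissed", "body": {
        "event": "notification_dismissed", "notification_id": "n-1",
        "device": {"uptime_ms": 8132456, "free_disk_bytes": 12345678901,
                   "brightness": 0.42, "tz": "Europe/Berlin",
                   "carrier_name": "ExampleCell"},
        "client": {"ip": "203.0.113.7"}}},
    {"app": "app_b", "trigger": "notification_received", "body": {
        "notification_id": "n-2", "delivered": True, "received_ts": 1700000000}},
]


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {dotted.path: leaf_value}."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def classify_field(path):
    """Label a dotted field path as delivery, fingerprint or unknown."""
    key = path.lower()
    for cls, patterns in FIELD_CLASSES.items():
        if any(re.search(p, key) for p in patterns):
            return cls
    return "unknown"


def triage(records):
    """Group captured requests by app and report fields that exceed delivery needs."""
    per_app = defaultdict(lambda: {"delivery": set(), "fingerprint": set(), "unknown": set()})
    for rec in records:
        for path in flatten(rec["body"]):
            per_app[rec["app"]][classify_field(path)].add(path)
    report = {}
    for app, classes in per_app.items():
        n_fp = len(classes["fingerprint"])
        if n_fp == 0:
            verdict = "delivery-only"
        elif n_fp < 3:
            verdict = "extra device state"   # a field or two; worth asking why
        else:
            verdict = "fingerprinting-grade"  # threshold of 3 is an assumption
        report[app] = {
            "verdict": verdict,
            "fingerprint": sorted(classes["fingerprint"]),
            "unknown": sorted(classes["unknown"]),
        }
    return report


if __name__ == "__main__":
    for app, result in triage(CAPTURES).items():
        print(app, result["verdict"], result["fingerprint"])
```

Unknown fields are reported rather than ignored, because a key the pattern list does not recognize is exactly the kind of thing that needs a human look; the list is a starting point, not a specification of what an app is allowed to send.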
There are several potentially innocent explanations for the notification data problem. For example, developers sometimes leave legacy code in their applications that performs functions the business no longer needs. It is theoretically possible that an application like LinkedIn could be set up to collect data that is not used for any purpose. The researchers, however, said that this is hard to believe.
There is a change in the rules of the iPhone operating system that could help, but it is not clear whether it will solve the problem. From spring 2024, application developers will need to explain why and how they use certain “APIs,” which, in this context, are essentially pieces of software that apps use to communicate with each other and with the iPhone’s operating system. Apple’s list of these “required reason” APIs includes exactly the kind of calls at issue here, such as those that report the system boot time and the free disk space.
In theory, this could force companies to reveal why they’re tracking you — and if they’re collecting data for illegal purposes, they might have to stop. “The bad news is that it’s not clear how Apple will implement this,” Mysk said.
Unfortunately, as you may have heard, big companies sometimes lie, which would undermine that fix, and Apple’s track record of enforcing similar rules is not stellar.
Updated, 15:16: This story has been updated with additional comments from LinkedIn.