According to researchers, iPhone apps are using push notifications to harvest user data, effectively skirting Apple’s privacy rules.
The findings come from the Canadian and German duo behind Mysk, who make iPhone apps and investigate security and privacy issues in iOS. Mysk has uncovered some other high-profile iOS issues, such as a 2022 investigation that found Apple’s privacy settings don’t stop the company from tracking users.
This time around, Mysk says that iPhone apps like Facebook, LinkedIn, TikTok, X/Twitter, and more leveraged iOS push notifications to collect data that they say looks like information commonly used for ‘fingerprinting.’ Fingerprinting is a technique that collects a ton of seemingly innocuous data that, when put together, could identify specific users.
🚨🎬 Privacy Concerns about Apple Push Notifications
TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB… pic.twitter.com/qyFDbmrBjq
— Mysk 🇨🇦🇩🇪 (@mysk_co) January 25, 2024
For example, Mysk’s research found that interacting with a notification from Facebook would trigger the collection of IP addresses, the number of milliseconds since your phone was restarted, how much free memory space was available on the phone, and more. This works even if an app isn’t open in the background, potentially allowing tracking regardless of what users do.
That’s because of how notifications work on iOS. Apple provides software to help apps send notifications and in some cases, closed apps can wake up temporarily to send a notification. For example, this can happen if the app needs to download text or images. The data harvesting Mysk found happens during this brief wake window.
Facebook’s parent company, Meta, refuted the findings and, in a statement to Gizmodo, said: “People log into our app on their device and provide permission to enable notifications. We may periodically use this information, even when the app isn’t running, to help us deliver timely, reliable notifications, using Apple’s APIs. This is consistent with our policies.”
However, Mysk told Gizmodo that apps from other data-hungry companies send notifications without collecting all this data. Mysk tested Gmail and YouTube, apps from Google, and found that the apps only collected data related to processing notifications. The researchers said if companies like Google don’t need the additional data for notifications, it indicates there could be ulterior motives.
This isn’t the first time app notifications have been used to spy on smartphone users. Last year, a letter sent by a U.S. senator revealed that various governments were using push notification data to spy on smartphone users.
MobileSyrup may earn a commission from purchases made via our links, which helps fund the journalism we provide free on our website. These links do not influence our editorial content. Support us here.
