Popular apps are exploiting push notifications on iPhones to secretly collect user data, information security researcher Tommy Mysk has found. According to him, the applications do this through the push notification configuration feature introduced in iOS 10, which allows applications to send notifications with additional content or decrypt encrypted messages.
It seems that some developers are using the iOS push notification configuration feature for very dubious purposes. In a new video describing the practice, Mysk demonstrated how various popular apps, including TikTok, Facebook, Twitter, LinkedIn and Bing, use the short background execution time provided for configuring notifications to send analytics information.
This approach is particularly worrisome because it bypasses the typical restrictions that iOS imposes on background app activity. Apple has introduced strict controls for apps running in the background to protect user privacy and ensure optimal device performance. However, the push notification feature appears to have inadvertently provided a backdoor for apps to transmit data in the background.
The data sent includes the device’s unique signatures and data that can be used to create a digital fingerprint of the device and track users across different applications. Digital fingerprinting is a method of collecting specific information about a device, such as its hardware and software configuration, to create a unique user ID. This identifier is used to track user activity across different applications and to target advertising.
Apple does not allow collecting this type of information and will in the near future require developers to clearly state why their apps need access to the APIs used to collect device and user information. The move is in line with Apple’s policies to strengthen user privacy, which now require apps to obtain user permission for tracking.