
macrumors bot
Original poster



When Background App Refresh is enabled, some iOS apps are using the feature to regularly send data to tracking companies, according to a privacy experiment from The Washington Post that explores the relationship between apps and tracking companies.

The Washington Post's Geoffrey Fowler teamed up with privacy firm Disconnect and used specialized software to see what his iPhone was doing and when. And while it's no surprise that apps are using trackers and sharing user data, the frequency with which apps took advantage of background refresh to send data off to tracking companies is surprising, as is some of the data shared.


Fowler found that apps were sending data like phone number, email, location, IP address, and more.

"On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with."

Apps that were found passing data along included Microsoft OneDrive, Mint, Nike, Spotify, The Weather Channel, DoorDash, Yelp, Citizen, and even The Washington Post's own iOS app. Citizen shared personally identifiable information that violated its privacy policy (the tracker was later removed), and Yelp was sending data every five minutes, something the company later said was a bug.

During the course of a week of testing, Fowler ran into 5,400 trackers, mostly found within apps, which Disconnect told him would likely send 1.5 gigabytes of data over the course of a month.

Trackers within apps, for those unfamiliar, serve different purposes. Some analyze user behavior to let apps streamline advertising campaigns, combat fraud, or create targeted ads. Delivery app DoorDash, for example, was found using a whopping nine trackers in its apps, sharing data like device name, ad identifier, accelerometer data, delivery address, name, email, and cellular phone carrier.

DoorDash also has trackers from Facebook and Google Ad Services, which means Facebook and DoorDash are notified whenever you're using the DoorDash service. DoorDash is not alone in sending tracking data, nor are the apps listed above - using tracking information is standard practice - but most people aren't aware that it's happening.

Not all data collection is bad, such as when it's anonymized and stored for a limited period of time, but some trackers are collecting specific user information and don't provide clear information on how long that data is stored or who it's shared with.

As Fowler points out, there is no way to know which apps are using trackers and when that data is being sent from your iPhone, nor does Apple have tools in place that give iPhone users a way to see which apps are using trackers and for what purpose. Apple was contacted for comment, but provided a standardized privacy response.
"At Apple we do a great deal to help users keep their data private," the company says in a statement. "Apple hardware and software are designed to provide advanced security and privacy at every level of the system."

"For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store," Apple says.
Fowler suggests Apple could require apps to label when they're using third-party trackers, while privacy company Disconnect suggests greater privacy controls in iOS to give users more control over their data.

iOS users concerned about the data apps are sending, especially at night and without user knowledge, can turn off Background App Refresh in the Settings app and can use a VPN like Disconnect's Privacy Pro to limit the data apps are able to send to third-party sources.

Article Link: Apps Are Using Background App Refresh to Send Data to Tracking Companies
 
This is standard practice since the Web & sophisticated mobile platforms existed. You would always want metadata on user experience with the app (& ways to categorize them) in the background process of the app (ideally away from the main thread as much as possible).

How are apps expected to be better or glean important info about their users to be a better app + verify the audience they claim to be for is indeed the audience that actually uses the app for themselves & ad partners?
 
Weather Channel: DELETED
Yelp: DELETED
Mint: DELETED
Spotify: NEVER USED, DELETED

Time to just make bookmarks to the mobile website. This is a major flaw with app security and privacy right now. I don't love web apps, but this is a vote in their favor.
 
When I installed a new wifi system at my church, I over-specified the capacity, simply because of this "background noise" that is coming from 500 internet-connected, "smart" devices, which just happen to be in the building at the same time. It was accounting for a non-insignificant part of our previous system's bandwidth.
 
I have background data off; mainly to help reserve battery. Does this actually prevent / limit the tracking or does it just queue up a bunch of data until I actually turn the app on later? I wonder?
Approximating &/or by batching depending on the libraries, data attempted to be tracked, & code involved making the app.
 
Wow, I just went to see which apps had background refresh enabled and they were ALL on!

I'm guessing the latest iOS update reset them, like it did my WiFi, bluetooth etc.
 
As if I needed another reason to delete Spotify.
You'd literally have to delete every 3rd party app on your phone to avoid the tracking.

edit: You'd also need to get rid of MR, 9to5Mac, AppleInsider, and pretty much any other site you visit. They all use trackers. Some more than others. Apple even uses trackers from Optimizely and Adobe Target on Apple.com.

Considering all that, deleting Spotify kinda seems a bit reactionary.
 