
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,606
30,959


Security researcher Tommy Mysk has demonstrated that iPhone push notifications are being used by popular apps to covertly send data about the user.


In a new video outlining the practice, Mysk highlighted how certain iOS apps exploit a feature introduced in iOS 10 that is designed to allow apps to customize push notifications. This feature, initially intended to enable apps to enrich notifications with additional content or decrypt encrypted messages, has seemingly been repurposed by some developers for more secretive activities. According to Mysk's findings, various popular applications, including TikTok, Facebook, Twitter, LinkedIn, and Bing, are using the short background execution time granted for notification customization to send analytics information.



This practice is particularly worrisome because it circumvents the typical restrictions imposed by iOS on background app activities. Apple has always maintained strict control over applications running in the background to protect user privacy and ensure optimal device performance. However, the push notification feature appears to have unintentionally provided a backdoor for apps to conduct background data transmission.

The type of data being sent includes unique device signals that can be used for fingerprinting and tracking users across different apps. Fingerprinting is a method of collecting specific information about a device, such as its hardware and software configurations, to create a unique identifier for the user. This identifier can then be used to track the user's activities across different applications, which can then be used for various activities such as targeted advertising.

Apple does not permit fingerprinting and will soon require developers to explicitly state why their apps need access to APIs that are often used for fingerprinting. This move is in line with Apple's efforts to strengthen user privacy, such as the introduction of App Tracking Transparency in iOS 14.5, which requires apps to obtain user permission before tracking their activity across other companies' apps and websites.

Article Link: Research Reveals How iPhone Push Notifications Leak User Data
 

Sorinut

macrumors 68000
Feb 26, 2015
1,670
4,557
I keep most of my notifications disabled (only enabled for calls, calendar, texts/iMessage and Messenger), are these apps still able to do said tracking with notifications turned off?

As I understand it, they are still being sent, the iPhone just doesn't pass them along to me.
 

RealJerzy

macrumors newbie
Feb 18, 2023
6
48
So... they only get to know when you last rebooted your phone, or did I misunderstand the video?
 

Sciomar

macrumors 6502a
Nov 8, 2017
559
1,737
At this point in time, anyone thinking any social media app is not always leeching every bit of data points about you they can is truly ignorant. I had reduced LinkedIn notifications to badge only and turned off all notifications from X, it's not an important app but I follow politics there. Why on earth would anyone install Bing!?
 

Wizard_of_Woz

Suspended
Nov 15, 2023
147
341
One of the best decisions I've ever made was deleting the few (anti) social media accounts I had a few years ago. This article highlights reason 4,357,288 to leave social media. To each their own, but social media IMO is nothing but toxic, time wasting garbage. To be fair though, it wasn't as bad when it first started. If I want to see friends or family, I will either drive/fly to see them, they come to see me, or if they are low on funds I will fly them to see me. If I want to talk to someone, I call them. If someone prefers text messages over phone calls, I text them.
 

VulchR

macrumors 68040
Jun 8, 2009
3,392
14,269
Scotland
RealJerzy said: "So... they only get to know when you last rebooted your phone, or did I misunderstand the video?"
This will be to the nearest millisecond (or microsecond? not sure which...), which likely means it can be treated as a unique ID (What are the odds another iPhone user with your model of phone, amount of memory, etc. booted up at the same millisecond as you? It's astronomically low, so it is almost like a unique fingerprint).
 