A new report by security researcher Tommy Mysk highlights privacy concerns regarding how some iOS apps use push notifications to collect data about users and their devices.
In a video outlining the practice, Mysk explains that many apps take advantage of a technical workaround that allows them to run code in the background when a push notification is received. This enables data-hungry apps to send detailed device information to their servers, even when the app is not actively running.
According to Mysk's findings, apps like TikTok, Facebook, Instagram, and others use push notifications as a "trigger" to wake up the app in the background and execute tasks not directly related to the notification itself. For example, apps can collect data points like system uptime, keyboard language, battery level, and more.
Apps take different approaches to sending and storing the data. The services many apps commonly use are Google Analytics and Firebase, but some apps, like Facebook, use their own services. TikTok uses a combination of Firebase and its own services.
Mysk notes that the frequency at which some apps send device information after a push notification is "mind-blowing," with the apps executing their background tasks on "every device" where the app is installed.
While Apple intended for background execution to be used to customize notifications, tech companies have found ways to exploit it for profiling and tracking purposes. Sending device fingerprints back to servers could allow apps to identify and track users across multiple apps and services.
Disabling notifications entirely for an app is the only way to fully prevent this behavior under the current iOS limitations, Mysk wrote.
However, Apple has announced that starting in Spring 2024, developers will be required to declare why they are using APIs that return device-identifying signals.
Mysk's report shines a light on how push notifications open the door for tech companies to harvest more data about their users in the background. It serves as an important reminder for consumers to monitor which apps have permission to send notifications and critically evaluate if the privacy trade-off is worth it.