Privacy News AdGuard Blog: TikTok, Meta, X, and others exploit push notifications on iOS to collect data about users

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,677
Apple has long said that fingerprinting — tracking a user through the hardware and software features of their device — is not allowed. But apparently some popular apps have found a backdoor that they are exploiting in plain sight.

Privacy researcher Tommy Mysk has discovered that a number of popular iOS apps are using a push notification feature, first introduced in 2016, to send detailed data about the user’s device to their companies’ servers.

Mysk explained that he noticed this disturbing and seemingly persistent pattern when he examined several social media apps, including TikTok, Facebook, FB Messenger, Instagram, Threads, and X. All of these apps took advantage of the feature that allowed them to customize their push notifications even when not running.

This feature is not intrinsically malicious and serves an important purpose. For example, it can be useful for apps that need to decode the notification payload or download additional content to best present the notification to the user. When an app receives a push notification, iOS signals the app to wake up and run for a short time. During this time, the app can do whatever the developer wants, including tweaking the push notification’s appearance in some way. The latter would be the original purpose of the feature, but the problem is that the app may also be collecting data or sending information about the user during that time.

Mysk has observed that the apps he has studied have learned to take full advantage of this limited run time to collect data from the device and send that data to remote servers. The researcher calls the ability to run code in the background “a gold mine for data-hungry apps.”
So how does it all work, according to Mysk?
  • The app developer comes up with a code they want the app to run in the background
  • The developer sends a push notification to the user of the app. The push can be about anything, from a news update, a live sports score to a new friend request
  • The user’s device receives the push notification, but does not show it on the screen yet. iOS recognizes that the push notification is from the social app and wakes it up in the background. The app is now running, but the user can’t see it or interact with it
  • The app runs the code that the developer has prepared in the background. And while it may be innocuous, for example, be used to add more information, such as images, to the notification, it can also be used to harvest data from the user’s device and send that data to the developer’s servers
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top