Privacy News AdGuard Blog: TikTok, Meta, X, and others exploit push notifications on iOS to collect data about users

Gandalf_The_Grey

Thread author
Apple has long said that fingerprinting — tracking a user through the hardware and software characteristics of their device — is not allowed. But apparently some popular apps have found a loophole that they are exploiting in plain sight.

Privacy researcher Tommy Mysk has discovered that a number of popular iOS apps are using a push notification feature introduced with iOS 10 in 2016 (the notification service extension, which lets an app modify the content of a push notification before it is shown) to send detailed data about the user’s device to their companies’ servers.

Mysk explained that he noticed this disturbing and seemingly persistent pattern when he examined several social media apps, including TikTok, Facebook, FB Messenger, Instagram, Threads, and X. All of these apps make use of the feature, which lets an app customize its push notifications even when it is not running.

This feature is not intrinsically malicious and serves a real purpose. For example, an app may need to decrypt or decode the notification payload, or download additional content such as an image, to present the notification properly. When a push notification of this kind arrives, iOS briefly wakes the app’s notification-handling code (a small extension bundled with the app) and lets it run for a short, system-limited time before the notification is displayed. During that window the code can do whatever the developer wants, including changing the notification’s appearance. That is the feature’s original purpose, but the problem is that the same code can also collect data about the device and send it off while it runs.

Mysk has observed that the apps he studied have learned to take full advantage of this limited run time to collect data from the device and send it to remote servers. The researcher calls the ability to run code in the background “a gold mine for data-hungry apps.”

So how does it all work, according to Mysk?
  • The app developer writes the code they want the app to run in the background.
  • The developer sends a push notification to the user of the app. The push can be about anything, from a news update or a live sports score to a new friend request.
  • The user’s device receives the push notification but does not show it on the screen yet. iOS recognizes that the push is addressed to the social app and wakes the app’s notification code in the background. It is now running, but the user cannot see it or interact with it.
  • The code the developer prepared runs in the background. It may be innocuous, for example adding more information such as an image to the notification, but it can just as well harvest data from the user’s device and send that data to the developer’s servers.
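The four steps above map onto a single iOS API: a push whose `aps` dictionary contains `"mutable-content": 1` causes the system to launch the app's Notification Service Extension (a `UNNotificationServiceExtension` subclass, available since iOS 10) and call its `didReceive(_:withContentHandler:)` method before the banner is shown. The following is an added example written for this page, not code from AdGuard, Mysk, or any of the apps named above. It shows the legitimate use of that window (attaching an image named in the payload) next to the abusive use the article describes (profiling the device and posting the result). The payload, the custom `image-url` key, the host `telemetry.example.com` and the set of collected fields are all illustrative assumptions, not a record of what any particular app collects.

```swift
import UserNotifications
import UIKit

// Added example, not code from the apps discussed above.
// Assumed push payload that triggers this extension. "mutable-content": 1 is
// what tells iOS to wake the extension before displaying the banner:
//
// {
//   "aps": {
//     "alert": { "title": "New friend request", "body": "Alex wants to connect" },
//     "mutable-content": 1
//   },
//   "image-url": "https://cdn.example.com/avatars/alex.jpg"   // assumed custom key
// }

final class NotificationService: UNNotificationServiceExtension {

    private var contentHandler: ((UNNotificationContent) -> Void)?
    private var bestAttempt: UNMutableNotificationContent?

    // iOS calls this for every push carrying "mutable-content": 1, whether or
    // not the main app is running. Everything below executes with no UI.
    override func didReceive(_ request: UNNotificationRequest,
                             withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void) {
        self.contentHandler = contentHandler
        bestAttempt = request.content.mutableCopy() as? UNMutableNotificationContent
        guard let content = bestAttempt else {
            contentHandler(request.content)
            return
        }

        // Legitimate use of the window: fetch the avatar named in the payload
        // and attach it so the banner shows an image.
        attachImageIfPresent(in: content) { [weak self] in
            // Abusive use of the same window, the pattern described above.
            // Nothing in the notification needs this data; it exists only to
            // profile the device while the user sees an ordinary banner.
            self?.harvestAndSendDeviceProfile()
            contentHandler(content)
        }
    }

    // The system gives the extension a short, fixed time budget. When it is
    // about to expire, deliver whatever we have so the banner still appears.
    override func serviceExtensionTimeWillExpire() {
        if let contentHandler = contentHandler, let bestAttempt = bestAttempt {
            contentHandler(bestAttempt)
        }
    }

    // Benign path: download the image referenced by the assumed custom key and
    // add it to the notification as an attachment.
    private func attachImageIfPresent(in content: UNMutableNotificationContent,
                                      completion: @escaping () -> Void) {
        guard let urlString = content.userInfo["image-url"] as? String,
              let url = URL(string: urlString) else {
            completion()
            return
        }
        URLSession.shared.downloadTask(with: url) { tempURL, _, _ in
            defer { completion() }   // runs after the attachment is set
            guard let tempURL = tempURL else { return }
            let dest = FileManager.default.temporaryDirectory
                .appendingPathComponent(UUID().uuidString)
                .appendingPathExtension(url.pathExtension)
            try? FileManager.default.moveItem(at: tempURL, to: dest)
            if let attachment = try? UNNotificationAttachment(identifier: "image", url: dest, options: nil) {
                content.attachments = [attachment]
            }
        }.resume()
    }

    // Abusive path: assemble device attributes usable for fingerprinting and
    // POST them to the developer's server. Fields and endpoint are assumptions
    // chosen for illustration; none of them is needed to render the banner.
    private func harvestAndSendDeviceProfile() {
        let profile: [String: Any] = [
            "os": UIDevice.current.systemVersion,
            "model": UIDevice.current.model,
            "ram_bytes": ProcessInfo.processInfo.physicalMemory,
            "uptime_s": ProcessInfo.processInfo.systemUptime,
            "locale": Locale.current.identifier,
            "tz": TimeZone.current.identifier,
        ]
        guard let body = try? JSONSerialization.data(withJSONObject: profile),
              let endpoint = URL(string: "https://telemetry.example.com/v1/device") else { return }
        var req = URLRequest(url: endpoint)
        req.httpMethod = "POST"
        req.setValue("application/json", forHTTPHeaderField: "Content-Type")
        req.httpBody = body
        URLSession.shared.dataTask(with: req).resume()
    }
}
```

Two things worth noting for anyone reviewing or monitoring an app. First, the extension is a separate target with its own bundle, so a code review of the main app will not show this behaviour; look at the service extension target specifically, and treat any outbound request there that is not fetching content referenced by the notification payload as suspect. Second, the extension only runs for pushes the system intends to display, so from the user's side the effective way to remove this execution opportunity is to turn off the app's notifications in Settings, since there is no per-app switch for the extension itself.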
 
