Many popular iOS apps send detailed information about your device to remote servers whenever you receive a push notification — even when these apps are not open.
According to Mysk security researchers, TikTok, Facebook, Facebook Messenger, Instagram, X, and Threads are some of the apps guilty of this practice.
iOS apps are usually dormant when not in use. However, when you receive a push notification, iOS “wakes” the app to allow it to customize the push notification before it is delivered to you. Mysk researchers found that many apps don’t just customize push notifications but also send app analytics and device information to remote servers. This happens in the background without users’ knowledge or consent.
The type of data apps collect and send include system uptime, locale and keyboard language, available memory, battery status, device model, and even screen brightness. This type of data is “commonly used for fingerprinting and tracking users across different apps developed by different developers,” the Mysk team said, noting that fingerprinting is “strictly prohibited on iOS and iPadOS.”
Apple only started activating apps to customize push notifications with the introduction of iOS 10 in 2016. Meanwhile, Apple plans to introduce new protections against the misuse of push notifications in the Spring of 2024.
Practice Raises ‘Privacy Concerns’
A revealing video by Mysk shows how apps like TikTok, Facebook, and X (formerly known as Twitter) leverage push notifications to harvest user data.
Mysk’s investigation — which involved combining “mitmproxy” and “Proxyman” software to track iOS network traffic — revealed that upon receiving a push notification, these apps momentarily wake up in the background and transmit a variety of data back to their servers.
“The frequency at which many apps send device information after being triggered by a notification is mind-blowing. Some Apps, like Facebook and TikTok, also send data when clearing their notifications in Notification Center,” Mysk said on X (formerly Twitter).
This practice, Mysk points out, is not just about enhancing user experience through notifications. “Hard to imagine all this traffic is related to the notification,” one of the researchers said.
How to Curb Tracking and Fingerprinting on iOS
To protect your privacy on iOS devices:
- Consider turning off notifications.
- Keep your device updated to ensure you have the latest security and privacy features.
- Periodically check your app permissions and restrict access where necessary.
“To stop an app from doing this, you have to disable notifications for the app altogether. Setting the notification alerts to sounds or badges isn’t enough,” Mysk said.
By Spring 2024, Apple’s new policy will require developers to justify their usage of APIs (a key software developer tool) that return unique device signals, a move aimed at cutting down unauthorized tracking and fingerprinting. “This will hopefully reduce tracking across different apps of different developers,” Mysk noted.
For more tips about optimizing the privacy of your iPhone, check out our in-depth guide to iOS privacy settings.
Watch Mysk’s full video analysis here:
For more news, follow us on X (Twitter), Threads, and Mastodon!
