Numerous iOS applications employ background procedures triggered by push notifications to amass user data regarding devices, potentially enabling the construction of fingerprinting profiles utilized for tracking.
As per the findings of mobile researcher Mysk, who unearthed this methodology, these applications circumvent Apple‘s limitations on background app activity and pose a privacy peril for iPhone users.
“Applications ought not clandestinely construct a user profile based on gathered data and should refrain from attempting, facilitating, or promoting the identification of anonymous users or the reconstruction of user profiles based on data collected from Apple-provided APIs or any data claimed to be collected in an ‘anonymized,’ ‘aggregated,’ or otherwise non-identifiable manner,” stipulates a segment of the Apple App Store review guidelines.
Upon scrutinizing the data transmitted by iOS background processes during the reception or dismissal of notifications, Mysk ascertained that this practice is more widespread than previously perceived, involving numerous applications boasting a substantial user following.
Apple formulated iOS to prohibit apps from running in the background to curb resource consumption and enhance security. When inactive, apps are suspended and eventually terminated, precluding them from monitoring or disrupting foreground activities.
However, in iOS 10, Apple introduced a novel system enabling apps to quietly initiate in the background to process new push notifications before their presentation on the device.
This system allows apps receiving push notifications to decipher the incoming payload and fetch supplementary content from their servers to enhance it before presenting it to the user. Post this operation, the app is terminated once again.
Through meticulous testing, Mysk discovered that many applications exploit this functionality, viewing it as an opportune moment to transmit data concerning a device back to their servers. Depending on the application, this encompasses information such as system uptime, locale, keyboard language, available memory, battery status, storage utilization, device model, and display luminosity.
The researcher posits that this data has the potential for fingerprinting and user profiling, enabling persistent tracking, a practice strictly prohibited in iOS.
“Our examinations reveal that this practice is more prevalent than anticipated. The frequency at which multiple applications dispatch device information following the triggering of a notification is staggering,” elucidates Mysk in a Twitter post.
Mysk produced a video demonstrating the network traffic exchange during the reception of push notifications by TikTok, Facebook, X (Twitter), LinkedIn, and Bing.
It was observed that these applications transmitted a diverse array of device data to their servers utilizing services like Google Analytics, Firebase, or their proprietary systems.
BleepingComputer reached out to Microsoft, X, Apple, TikTok, and LinkedIn concerning their applications retrieving user data, but a response was not immediately forthcoming.
