iPhone Apps Exploit Notifications to Collect User Data Through Privacy Loopholes

Security Researchers at Mysk Inc. Uncover Widespread Violations of Apple's Privacy Rules

NEWS  Security  January 25, 2024  Reading time: 3 Minute(s)

Max (RS editor)

---

Security researchers at Mysk Inc., an app development company, have exposed a concerning trend among popular iPhone apps, including Facebook, LinkedIn, TikTok, and X/Twitter.

 

These apps are allegedly bypassing Apple's privacy rules by clandestinely collecting user data through notifications. The tests conducted by Tommy Mysk and Talal Haj Bakry indicate that even when users close apps to prevent background data collection, this technique allows the apps to circumvent such protection.

The collected data, deemed unnecessary for processing notifications, appears to be linked to analytics, advertising, and the tracking of users across different apps and devices. Mysk expressed surprise at the widespread nature of this practice, stating:

"Who would have known that an innocuous action as simple as dismissing a notification would trigger sending a lot of unique device information to remote servers?"

The issue isn't isolated to specific apps; rather, it is identified as a pervasive problem affecting the entire iPhone ecosystem. This isn't the first time Mysk's tests have highlighted data concerns at Apple, with previous revelations exposing flaws in the touted privacy features of the iPhone.

 FACEBOOK, TIKTOK, AND OTHER APPS USE PUSH NOTIFICATIONS TO SEND DATA ABOUT YOUR IPHONE [VIDEO CREDITS: MYSK YOUTUBE CHANNEL] 

The collected data appears to be utilized for "fingerprinting", a method companies employ to identify users based on seemingly innocuous details about their devices. This raises concerns as Apple explicitly forbids such practices. Despite Apple's settings designed to give users control over when they can be identified and have data collected, the researchers found that interactions with notifications from apps like Facebook and LinkedIn result in the collection of various details, potentially enough to identify a person accurately.

Meta, the company behind Facebook, dismissed the findings as a misinterpretation, stating that the information collected is used to facilitate timely notifications, in line with Apple's policies. LinkedIn echoed a similar sentiment, denying the use of notifications for advertising or cross-device tracking.

While the collected details may not be as sensitive as location data, they hold value for advertising purposes.

Targeted advertising relies on identifying individuals, and companies aim to link user behavior across various apps and platforms. Although Apple provides an advertising ID number for data collection and targeted ads, fingerprinting presents a surreptitious way to continue this practice, even when users disable certain tracking settings.

The upcoming change to the iPhone operating system's rules, requiring app developers to explain the use of specific APIs, could potentially address the issue. However, the researchers express uncertainty about how Apple will enforce these new regulations. In Spring 2024, developers will be mandated to disclose why and how they use certain APIs, potentially bringing transparency to data collection practices and curbing any illegitimate purposes. The effectiveness of this measure, however, remains to be seen.

 COVER IMAGE BY VECTORJUICE / ARTICLE IMAGE BY FREEPIK | VIDEO CREDITS: MYSK