"The frequency at which many apps send device information...is mind-blowing" — popular iPhone apps are stealing your data using iOS push notifications, here's what you need to do to stay safe
Practice goes against Apple's terms of service
Some of the most popular iOS apps have been found to be working around Apple’s terms of service to collect sensitive information about the devices they’re installed on.
According to the researcher that discovered the practice, this is a big deal because the app’s vendors can use this data to profile, and subsequently track, their users, which is a big no-no for Apple.
As explained by Mysk on X, with iOS 10, Apple allowed mobile apps to run in the background in order to process, and later serve, push notifications. As soon as the process is complete, the apps are suspended again, and later terminated, for better performance and security. But during this small timeframe, some apps were observed collecting sensitive device data. That includes system uptime, locale, keyboard language, available memory, battery status, storage use, device model, and display brightness. All this, Mysk argues, can be used to fingerprint (profile) users, and later track them.
Apple's move
"Our tests show that this practice is more common than we expected. The frequency at which many apps send device information after being triggered by a notification is mind-blowing," Mysk's X post noted.
There are many apps that abuse the privilege of serving push notifications to mobile users, apparently, including the likes of TikTok, Facebook, Twitter, LinkedIn, and Bing, the researcher said in a demo video posted on YouTube.
In its writeup, BleepingComputer reached out to Mysk, who confirmed that Apple is planning on putting a stop to this practice in a few months.
Apparently, in the near future, Apple will tighten the restrictions on using APIs for device signals and will demand app developers to state exactly why they need to use APIs that can lead to user profiling. Developers that fail to provide a satisfactory answer will be denied access to the App Store.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
In the meantime, if you’re worried about being profiled by Facebook and the gang, make sure to disable push notifications completely.
The companies mentioned in the report have not yet commented on Mysk’s findings.
More from TechRadar Pro
- Cisco urges users to update this dangerous software flaw immediately, or put devices at risk of being hacked
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.