π¨π¬ Privacy Concerns about Apple Push Notifications
TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB Messenger, Instagram, Threads, X, and many more.
Watch the full video on YouTube:
piped.video/4ZPTjGG9t7s
iOS apps don't have the luxury of running in the background. For reasons mostly related to privacy and performance, iOS suspends and eventually terminates any app that is not active. This is how iOS is designed. But starting in iOS 10, iOS added a new feature that allows apps to customize their push notifications even if they are not running.
It works like this: when an app receives a push notification, iOS wakes the app in the background and allows it a limited time to customize the notification before it is presented to the user. This is very helpful for apps to perform tasks related to the notification such as decrypting the notification payload or downloading additional content to further enrich the notification before iOS presents it to the user. And as soon as the app finishes customizing the notification, iOS terminates it.
The ability to execute tasks in the background is a gold mine for data-hungry apps. Unsurprisingly, many social apps notorious for their aggressive data harvesting practices are taking advantage of the background execution time enabled by push notifications. In fact, developers can harness this workaround to run code in the background on demand. All they have to do is send push notifications to their users. As a result, iOS would wake their app in the background on every device, then the app runs whatever code the developer has built into the app.
According to Apple documentation, the intended purpose of waking an app in the background is all about allowing the app the chance to customize its notifications. However, many apps are using this feature as an opportunity to send detailed device information while running quietly in the background. This includes: system uptime, locale, keyboard language, available memory, battery status, device model, display brightness, to mention a few. Such signals are commonly used for fingerprinting and tracking users across different apps developed by different developers. Fingerprinting is strictly prohibited on iOS and iPadOS.
Our tests show that this practice is more common than we expected. The frequency at which many apps send device information after being triggered by a notification is mind-blowing. Some Apps, like Facebook and TikTok, also send data when clearing their notifications in Notification Center.
As far as data handling is concerned, apps take different approaches to send and store the data. The common services that many apps use are Google Analytics and Firebase. But some apps, like Facebook, use their own services. TikTok uses a combination of Firebase and their own services.
To stop an app from doing this, you have to disable notifications for the app altogether. Setting the notification alerts to sounds or badges isn't enough.
Fortunately, starting Spring 2024, Apple will require developers to declare reasons for using the APIs that return unique device signals, such as the ones commonly used for fingerprinting.
Thanks a lot for reaching this far. If you find this content helpful, share it with your contacts, follow us, like us, and we look forward to sharing our next findings with you. βοΈ
#Privacy #Security #Cybersecurity #Apple #iPhone #Facebook #TikTok #InfoSec #iOS