Mashable:

Push notifications are being exploited to invasively collect user data once again, according to a new report by researchers with app developer Mysk.

iPhone apps are using push notifications to send device information and other analytics to remote servers, Mysk researchers found. Developers are able to collect this data even when the app is not open on the device.

What’s going on here?

Apple doesn’t allow iOS apps to run freely in the background and suspends inactive applications, citing privacy concerns and performance issues. However, when a user receives a push notification, iOS briefly wakes the app so that it can customize the notification before it is displayed. iOS suspends the app again once that work is done, but during this short window the apps gather device data and send it off to their servers.

Mysk uploaded a video to YouTube that shows tested apps collecting data from the device via push notifications.

The apps found to be gathering data include some of the biggest social media platforms like Facebook, Instagram, TikTok, LinkedIn, and Elon Musk’s X.

“The ability to execute tasks in the background is a gold mine for data-hungry apps,” Mysk said in a statement provided to Mashable. “Unsurprisingly, many social apps notorious for their aggressive data harvesting practices are taking advantage of the background execution time enabled by push notifications. In fact, developers can harness this workaround to run code in the background on demand. All they have to do is send push notifications to their users. As a result, iOS would wake their app in the background on every device, then the app runs whatever code the developer has built into the app.”

Mysk found that most apps engaging in this practice collected device data such as “system uptime, locale, keyboard language, available memory, battery status, device model, display brightness” and other related information. The researchers say that this data is all relevant when building unique profiles in order to track users online and serve them relevant advertisements. This practice, known as fingerprinting, is prohibited by Apple’s iOS policies.

Can I do anything?

Some of the app developers are pushing back on Mysk’s findings, according to Gizmodo.

LinkedIn and Meta denied to Gizmodo that this data is being misused. LinkedIn specified that the activity recorded via push notifications is used to make sure the notifications are working, and that this follows Apple’s guidelines.
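The article draws a line between two kinds of traffic an app can send while iOS has woken it for a notification: a small delivery confirmation, which LinkedIn says is all it records, and a payload carrying the bundle of device signals Mysk lists (system uptime, locale, keyboard language, available memory, battery status, device model, display brightness). The script below is an added example of how a privacy reviewer might triage captured payloads along that line; it is not Mysk’s tooling or any app’s code. The observations, field names and the 30-second wake window are all constructed assumptions for illustration, not values taken from the report.

```python
"""Triage of network payloads sent while an iOS app is woken for a push notification.

Added example for a privacy review, not Mysk's tooling. Each Observation is what a
reviewer might log from an intercepting proxy: the app, how many seconds after the
push arrived the request was sent, and the JSON body. All sample data is constructed.
"""
import json
from dataclasses import dataclass

# Device signals the article reports being collected. The aliases are constructed
# guesses at how such fields might be named in a payload, not observed field names.
FINGERPRINT_SIGNALS = {
    "system uptime": {"uptime", "system_uptime", "boot_time"},
    "locale": {"locale", "region"},
    "keyboard language": {"keyboard", "keyboard_lang", "keyboards"},
    "available memory": {"free_mem", "available_memory", "mem_free"},
    "battery status": {"battery", "battery_level", "charging"},
    "device model": {"model", "device_model", "hw_model"},
    "display brightness": {"brightness", "screen_brightness"},
}

# Fields consistent with the stated legitimate purpose: confirming delivery. Constructed names.
DELIVERY_FIELDS = {"notification_id", "delivered", "push_id", "received_at"}

# Assumed length of the background window iOS grants for customizing a notification.
WAKE_WINDOW_SECONDS = 30.0


@dataclass
class Observation:
    app: str
    seconds_after_push: float
    body: str  # raw JSON body as captured


def json_keys(obj):
    """Yield every key name in a JSON value, lowercased, descending into nested objects/arrays."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key.lower()
            yield from json_keys(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from json_keys(item)


def classify(obs, wake_window_s=WAKE_WINDOW_SECONDS):
    """Return (verdict, matched_signal_names) for one captured payload.

    A payload sent inside the wake window that carries three or more distinct device
    signals is flagged as fingerprinting-like. One that carries only delivery fields
    is treated as delivery telemetry. Anything in between is left for manual review.
    """
    keys = set(json_keys(json.loads(obs.body)))
    matched = sorted(name for name, aliases in FINGERPRINT_SIGNALS.items() if keys & aliases)
    if obs.seconds_after_push > wake_window_s:
        return "outside-wake-window", matched
    if len(matched) >= 3:
        return "fingerprinting-like", matched
    if not matched and keys & DELIVERY_FIELDS:
        return "delivery-telemetry", matched
    return "review", matched


def triage(observations):
    """Map each app name to its verdict."""
    return {obs.app: classify(obs)[0] for obs in observations}


# Constructed observations: app names and payloads are invented for this example.
FULL_PROFILE = {
    "push_id": "p-1",
    "device": {
        "model": "iPhone14,2",
        "locale": "en_US",
        "keyboards": ["en_US"],
        "uptime": 48213,
        "free_mem": 1843,
        "battery": {"level": 0.71, "charging": False},
        "brightness": 0.55,
    },
}
SAMPLE_OBSERVATIONS = [
    Observation("SocialApp", 2.1, json.dumps(FULL_PROFILE)),
    Observation("NetworkApp", 0.8, json.dumps(
        {"notification_id": "n-77", "delivered": True, "received_at": "2024-01-25T10:00:00Z"})),
    Observation("ShopApp", 1.5, json.dumps(
        {"notification_id": "n-9", "delivered": True, "device": {"model": "iPhone14,2"}})),
    Observation("LateApp", 120.0, json.dumps(FULL_PROFILE)),
]

if __name__ == "__main__":
    for obs in SAMPLE_OBSERVATIONS:
        verdict, signals = classify(obs)
        print(f"{obs.app:<11} {verdict:<20} {', '.join(signals) or '-'}")
```

The threshold of three signals is a reviewer’s heuristic, not a rule from Apple or Mysk: a single device model field alongside a notification id is ordinary telemetry, while the full set of signals the article lists has no delivery-confirmation purpose and is what the fingerprinting concern is about.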

Late last year, push notifications on iOS devices made headlines when U.S. Senator Ron Wyden received a tip that law enforcement agencies and governments were able to request sensitive data from users’ devices via push notifications. After the story broke, Apple revamped its policies to require a search warrant before handing over users’ data.

In this instance, however, Apple may already be ahead of the problem. According to Mysk, Apple is planning to require, later this year, that developers explain why their apps are “using the APIs that return unique device signals,” the calls that underpin fingerprinting.

In the meantime, though, Mysk recommends that users who are concerned with this data collection turn push notifications off on their iPhone and iPad. Researchers noted that users must choose the option to disable push notifications for each app entirely in order to stop the data collection.

MuskWire TLDR:

A new report by researchers with app developer Mysk reveals that iPhone apps are exploiting push notifications to collect user data. Even if the app is not open on the device, developers are able to gather device information and analytics through push notifications and send them to remote servers. This is possible because when a user receives a push notification, iOS temporarily activates the app to customize the notification. During this time, the app collects the user’s device data and sends it to relevant parties. Mysk conducted tests and uploaded a video on YouTube demonstrating how apps collect data through push notifications. The apps found to engage in this practice include popular social media platforms like Facebook, Instagram, TikTok, LinkedIn, and Elon Musk’s X. Mysk states that many social apps with aggressive data harvesting practices are taking advantage of the background execution time enabled by push notifications to collect data. The collected data includes system uptime, locale, keyboard language, available memory, battery status, device model, display brightness, and more, which are then used to build unique user profiles and serve relevant ads. This practice, known as fingerprinting, is prohibited by Apple’s iOS policies. Some app developers, such as LinkedIn and Meta, deny misusing the data collected via push notifications, stating that it is used to ensure the notifications are functioning correctly and that it complies with Apple’s guidelines. Apple plans to require developers to explain why they are using APIs that return unique device signals, which are used in fingerprinting, later this year. In the meantime, Mysk recommends that users concerned about data collection turn off push notifications for each app entirely.