Many iOS applications take advantage of background processes triggered by push notifications to collect data on users, enabling the creation of ad hoc profiles for tracking. This was discovered by researchers at Mysk, a company that is no stranger to this type of verification. In the past, Mysk had called out the company led by Tim Cook by claiming and demonstrating that Apple collected user identifiers.
Following much the same thread, Mysk's experts state that a very large number of iOS applications use less than transparent practices in order to carry out fingerprinting or to profile each Apple user. The apps in question circumvent Apple's background restrictions and pose a privacy risk to iPhone users.
Push notifications on iOS used to profile users
“Apps should not attempt to secretly construct a user profile based on collected data, and should not attempt, facilitate, or encourage others to identify anonymous users or reconstruct user profiles based on data collected from APIs provided by Apple or from data claimed to have been collected in an ‘anonymous’, ‘aggregated’ or otherwise non-identifiable manner”, reads a section of the Apple App Store guidelines.
Apple designed iOS so that apps cannot freely run processes in the background, both to limit resource consumption and for greater security. When left unused, iOS apps are first suspended and then forcibly terminated, so that they cannot interfere with foreground activity.
Starting with iOS 10, Apple introduced a mechanism that lets an app wake silently in the background to process a new push notification before the device displays it. The system allows the app to download additional content from its servers to enrich the push notification before it is shown to the user.
Mysk has discovered that many apps abuse this feature, exploiting it to exchange data between the server and the user's device. The information sent includes, for example, system uptime (how long iOS has been running), regional and language preferences, available memory, battery status, storage usage, device model and screen brightness. Much like the signals used for browser fingerprinting on the web, this information can be exploited for profiling, enabling persistent tracking, which is expressly prohibited on iOS.
In this YouTube video, Mysk shows some examples of the data exchanges performed by apps such as TikTok, Facebook, X (Twitter), LinkedIn and Bing while receiving push notifications.
Apple is determined to solve the problem
The Cupertino company plans to resolve the problem quickly and prevent further abuse. Starting in spring 2024, iOS apps will be required to state precisely why they need to use APIs that can be leveraged for fingerprinting. In other words, it will be much harder for an application to call the APIs that expose device configuration information unless it has a valid reason to do so.
The problem was already known: in December 2023, in fact, Apple and Google admitted sharing push notification details with some governments that had explicitly requested them.
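The "valid reason" requirement above takes the form of a privacy manifest (PrivacyInfo.xcprivacy) shipped inside the app bundle, in which each "required reason" API category the app uses must be listed together with an approved reason code. Two of the fingerprinting signals named earlier, system uptime and storage usage, correspond to such categories (NSPrivacyAccessedAPICategorySystemBootTime and NSPrivacyAccessedAPICategoryDiskSpace). The following Python script is an added example, not code from Mysk, Apple or any of the apps mentioned: it parses a manifest and reports, for each signal an app is known to collect, whether the matching category is declared with a reason, declared without one, or not declared at all. The manifest keys and category names are Apple's; the sample manifest, the signal list and the signal-to-category mapping are constructed for this illustration, and the reason code 35F9.1 is one of Apple's documented codes for the boot-time category.

```python
"""Audit an iOS privacy manifest for the required-reason API categories
that correspond to device-fingerprinting signals.

Added example (not Mysk's, Apple's or any app's code). The plist keys
NSPrivacyAccessedAPITypes / NSPrivacyAccessedAPIType /
NSPrivacyAccessedAPITypeReasons and the category names are Apple's; the
sample manifest and the signal mapping below are constructed.
"""
import plistlib

# Signals from the Mysk report that have a required-reason API category.
# Battery, brightness, locale and model have no such category (assumption:
# only the two categories below are mapped for this illustration).
SIGNAL_TO_CATEGORY = {
    "system uptime": "NSPrivacyAccessedAPICategorySystemBootTime",
    "storage usage": "NSPrivacyAccessedAPICategoryDiskSpace",
}

# Constructed sample manifest: boot time is declared with a reason code,
# disk space is declared but with an empty reasons array.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key>
  <false/>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>35F9.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array/>
    </dict>
  </array>
</dict>
</plist>
"""


def load_accessed_api_types(manifest_bytes):
    """Return {category: [reason codes]} from the manifest's
    NSPrivacyAccessedAPITypes array (empty dict if the key is absent)."""
    plist = plistlib.loads(manifest_bytes)
    declared = {}
    for entry in plist.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType")
        if category:
            declared[category] = list(entry.get("NSPrivacyAccessedAPITypeReasons", []))
    return declared


def audit_manifest(manifest_bytes, signals_used):
    """Classify each collected signal against the manifest.

    signals_used: signal names the app is known to collect (in practice
    from static analysis or captured traffic; constructed here).
    Returns {signal: "declared" | "missing reason" | "undeclared" | "no category"}.
    """
    declared = load_accessed_api_types(manifest_bytes)
    findings = {}
    for signal in signals_used:
        category = SIGNAL_TO_CATEGORY.get(signal)
        if category is None:
            findings[signal] = "no category"       # no required-reason API covers it
        elif category not in declared:
            findings[signal] = "undeclared"        # used but absent from the manifest
        elif not declared[category]:
            findings[signal] = "missing reason"    # listed, but no approved reason code
        else:
            findings[signal] = "declared"
    return findings


if __name__ == "__main__":
    collected = ["system uptime", "storage usage", "battery status"]
    for signal, verdict in audit_manifest(SAMPLE_MANIFEST, collected).items():
        print(f"{signal:15s} -> {verdict}")
```

Run against a real bundle, the manifest bytes would be read from the app's PrivacyInfo.xcprivacy and the signal list would come from whatever was observed leaving the device during notification handling; a "missing reason" or "undeclared" verdict is the gap App Store review is meant to close, while "no category" marks signals that the declaration scheme does not cover at all.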
Opening image credit: iStock.com – Vadym Plysiuk