Research Reveals How iPhone Push Notifications Leak User Data

Security researcher Tommy Mysk has demonstrated that iPhone push notifications are being used by popular apps to covertly send data about the user.

In a new video outlining the practice, Mysk highlighted how certain iOS apps exploit a feature introduced in iOS 10 that is designed to allow apps to customize push notifications. This feature, initially intended to enable apps to enrich notifications with additional content or decrypt encrypted messages, has seemingly been repurposed by some developers for more secretive activities. According to Mysk's findings, various popular applications, including TikTok, Facebook, Twitter, LinkedIn, and Bing, are using the short background execution time granted for notification customization to send analytics information.

This practice is particularly worrisome because it circumvents the typical restrictions imposed by iOS on background app activities. Apple has always maintained strict control over applications running in the background to protecting user privacy and ensure optimal device performance. However, the push notification feature appears to have unintentionally provided a backdoor for apps to conduct background data transmission.

The type of data being sent includes unique device signals that can be used for fingerprinting and tracking users across different apps. Fingerprinting is a method of collecting specific information about a device, such as its hardware and software configurations, to create a unique identifier for the user. This identifier can then be used to track the user's activities across different applications, which can then be used for various activities such as targeted advertising.

Apple does not permit fingerprinting and will soon require developers to explicitly state why their apps need access to APIs that are often used for fingerprinting. This move is in line with Apple's efforts to strengthen user privacy, such as the introduction of App Tracking Transparency in iOS 14.5, which requires apps to obtain user permission before tracking their activity across other companies' apps and websites.