Numerous iOS apps are utilizing background processes triggered by push notifications to gather user data, potentially enabling the creation of fingerprinting profiles for tracking purposes. This practice, discovered by mobile researcher Mysk, circumvents Apple’s background app activity restrictions and raises privacy concerns for iPhone users. Apple App Store guidelines explicitly state that apps should not attempt to build user profiles based on collected data, emphasizing user anonymity. Despite Apple’s design to prevent apps from running in the background, a system introduced in iOS 10 allows apps to quietly launch and process push notifications, which some apps exploit to send device data to their servers.
Mysk’s research revealed that this data transmission during push notification events is more widespread than initially thought, involving numerous apps with a substantial user base. The collected data includes details such as system uptime, locale, keyboard language, memory availability, battery status, storage usage, device model, and display brightness. This information, transmitted by various apps like TikTok, Facebook, Twitter, LinkedIn, and Bing, is sent to servers using services like Google Analytics, Firebase, or proprietary systems. Apple plans to address this issue in Spring 2024 by requiring apps to declare precisely why they need to use APIs vulnerable to fingerprinting, with non-compliant apps facing rejection from the App Store.
The privacy concern arises from apps treating the background process during push notifications as an opportunity to transmit device data surreptitiously. Apple’s forthcoming restrictions aim to curb this abuse, requiring apps to transparently declare their use of APIs susceptible to fingerprinting and specifying their purpose. Until these measures are implemented, users concerned about fingerprinting are advised to disable push notifications entirely. Although making notifications silent won’t prevent abuse, disabling them through iPhone settings can mitigate the risk. This revelation adds to the growing challenges of protecting user privacy in the evolving landscape of mobile applications.
