Some of the most popular iOS apps appear to circumvent Apple’s terms of service by collecting sensitive information about the devices they are installed on.
According to the researcher who discovered the practice, this is a big problem because the app providers can use this data to profile and then track their users, which is a big no-no for Apple.
As Mysk explained on X, with iOS 10 Apple allowed mobile apps to run in the background to process push notifications and display them later. Once processing is complete, the apps are suspended again and later terminated, for better performance and security. During this short window, however, some apps were observed collecting sensitive device data, including system uptime, locale, keyboard language, available memory, battery status, storage usage, device model, and screen brightness. All of this, Mysk argues, can be used to fingerprint (profile) users and track them later.
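One way to look for this pattern in your own traffic capture, as an added example that is not from Mysk or the original article: the script correlates push deliveries with outbound requests from the same app shortly afterwards and flags request bodies carrying several of the device signals listed above. The log format, field names, 30-second window and three-signal threshold are all assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Field names are constructed for this example; the categories are the article's.
SIGNAL_KEYS = {"uptime", "locale", "keyboard_language", "free_memory",
               "battery", "storage_used", "device_model", "screen_brightness"}
WINDOW = timedelta(seconds=30)  # assumed length of the background wake-up
MIN_SIGNALS = 3                 # assumed: fewer matching fields is not flagged

# Constructed proxy log, one JSON record per line (not real traffic).
SAMPLE_LOG = """\
{"ts":"2024-01-25T10:00:00","event":"push","app":"com.example.social"}
{"ts":"2024-01-25T10:00:02","event":"request","app":"com.example.social","host":"telemetry.example.com","body":{"device":{"uptime":86400,"battery":0.81,"screen_brightness":0.4,"locale":"en_US"}}}
{"ts":"2024-01-25T10:05:00","event":"request","app":"com.example.social","host":"api.example.com","body":{"uptime":86700,"battery":0.8,"locale":"en_US"}}
{"ts":"2024-01-25T10:06:00","event":"push","app":"com.example.news"}
{"ts":"2024-01-25T10:06:01","event":"request","app":"com.example.news","host":"img.example.net","body":{"article_id":7,"locale":"en_US"}}
{"ts":"2024-01-25T10:06:03","event":"request","app":"com.example.chat","host":"t.example.org","body":{"uptime":5,"battery":0.5,"device_model":"iPhone15,2"}}
"""

def nested_keys(value):
    """Yield every key in a JSON value, descending into objects and arrays."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield key
            yield from nested_keys(child)
    elif isinstance(value, list):
        for child in value:
            yield from nested_keys(child)

def flag_requests(log_text, window=WINDOW, min_signals=MIN_SIGNALS):
    """Return (app, host, signals) for requests sent soon after a push."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for rec in records:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    last_push, findings = {}, []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] == "push":
            last_push[rec["app"]] = rec["ts"]
            continue
        pushed = last_push.get(rec["app"])
        if pushed is None or rec["ts"] - pushed > window:
            continue  # no notification woke this app recently
        signals = SIGNAL_KEYS & set(nested_keys(rec.get("body", {})))
        if len(signals) >= min_signals:
            findings.append((rec["app"], rec["host"], sorted(signals)))
    return findings

if __name__ == "__main__":
    for app, host, signals in flag_requests(SAMPLE_LOG):
        print(f"{app} -> {host}: {', '.join(signals)}")
```

In the constructed log only the first request is flagged: the later request from the same app falls outside the window, the news app sends a single signal, and the chat app was never woken by a push.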
Apple’s move
“Our testing shows that this practice is more common than we expected. The frequency with which many apps send device information after being triggered by a notification is staggering,” Mysk’s X-post said.
There are apparently many apps abusing the privilege of offering push notifications to mobile users, including TikTok, Facebook, Twitter, LinkedIn and Bing, the researcher said in a demo video posted on YouTube.
For its write-up, BleepingComputer contacted Mysk, who confirmed that Apple plans to end this practice within a few months.
Apparently, Apple will tighten restrictions on the use of APIs for device signals in the near future and require app developers to explain exactly why they need to use APIs that could lead to user profiling. Developers who do not provide a satisfactory response will be denied access to the App Store.
In the meantime, if you’re worried about being profiled by Facebook and the gang, make sure you disable push notifications completely.
The companies mentioned in the report have not yet responded to Mysk’s findings.