31st January 2024 – (New York) Security research from Mysk Inc. suggests a cohort of popular iPhone applications, including the likes of Facebook, LinkedIn, TikTok, and others, have been exploiting a loophole to amass user data in defiance of Apple’s stringent privacy protocols. This practice occurs when users interact with or dismiss notifications, a time when data collection should ostensibly be at a standstill.
Apple, renowned for championing user privacy, provides applications the tools to send notifications, which include the ability to perform background activities for a limited period. Researchers allege that during this window, data extraneous to the notification’s intent is being harvested, potentially for user tracking and advertising analytics—a method known as fingerprinting. This technique combines various device metrics to identify users uniquely.
Meta, Facebook’s parent company, and LinkedIn have countered these allegations. Meta’s Emil Vazquez insists that the data usage aligns with delivering notifications as permitted by Apple’s policies, while LinkedIn asserts that notification data is exclusively for ensuring successful delivery and not for external sharing or advertising-related analysis.
The discovery by Mysk Inc. casts a shadow over the effectiveness of Apple’s privacy features, raising concerns about the potential misuse of such data. This situation is not the first instance of privacy issues associated with Apple’s features uncovered by Mysk.
As the digital landscape continually evolves, the tug-of-war between user privacy and data collection rages on. With an impending policy change by Apple that will demand developers to clarify their usage of software interfaces, the enforcement of these guidelines is under scrutiny. Whether this will stem the tide of surreptitious data collection remains to be seen.
The researchers’ tests showed that notification interactions trigger the collection of a gamut of information—from IP addresses to device memory space—information that appears tangential to the notification’s function. While this data might not seem sensitive on the surface, it is a goldmine for targeted advertising and profiling, as it can be pieced together to form detailed user identities.
Despite the provision of an advertising ID by Apple designed to facilitate targeted advertising, features such as “Ask App Not To Track” are supposed to prevent the correlation of user data across different apps and platforms. However, the practice of fingerprinting seems to be an underhanded method to continue piecing together user profiles.
The ability of apps like Gmail and YouTube to send notifications without hoarding additional information suggests that the data collection observed by Mysk Inc. may have motives beyond service optimization. This discrepancy raises suspicion about the true intent behind gathering such data.
While developers might inadvertently collect data due to legacy code, the researchers at Mysk find this explanation implausible given the systematic nature of the data collection observed.
The upcoming policy changes by Apple, slated for spring 2024, intend to address these issues by requiring developers to disclose the purposes behind their use of certain software interfaces. However, questions linger about Apple’s commitment to enforcing these rules, especially in light of the company’s past enforcement record.