Security researcher Tommy Mysk has demonstrated that iPhone push notifications are being used by popular apps to covertly send data about the user, according to MacRumors.
In a new video, he explains how certain iOS apps exploit a feature introduced in iOS 10 designed to allow apps to customize push notifications. This feature, initially intended to enable apps to enrich notifications with additional content or decrypt encrypted messages, has seemingly been repurposed by some developers for more secretive activities.
According to Mysk’s findings, various popular applications, including TikTok, Facebook, Twitter, LinkedIn, and Bing, are using the short background execution time granted for notification customization to send analytics information.
Here’s some more info from Mysk: This video sheds light on a growing practice among data-hungry apps where they use the background execution time allocated by iOS for the purpose of customizing notifications to send app analytics. Many apps do this. We just picked a few for this demo.
Apps on iOS don’t run in the background. iOS doesn’t allow apps to run in the background for a variety of reasons, mostly related to privacy and performance. Although iOS allows apps to run a few background tasks, access to background execution time is very restricted. But starting in iOS 10, iOS added a new feature to allow apps to customize push notifications even if they are not running. iOS wakes the app in the background when it receives a notification and allows the app a limited time to customize the notification before it is presented to the user. This includes decrypting an encrypted payload and downloading additional content to enrich the notification. Once the app hands in the customized notification to the system or the background time allocated runs out, the app is terminated.
This feature is now being widely used by data-hungry apps to send analytics during this background time. The analytics include unique signals about the user’s device that allow for fingerprinting and tracking users across different apps developed by different developers. Apple does not allow fingerprinting. To counter fingerprinting, Apple is going to require developers to declare why their apps need access to required reason APIs, or APIs that provide signals commonly used for fingerprinting.
