App Researchers Discover Stealthy Data Collection by iPhone Apps during Notification Sending
In a recent investigation, security researchers at Mysk Inc. discovered that popular iPhone apps, including Facebook, LinkedIn, TikTok, and Twitter, are collecting user data through notifications. However, it's important to note that as of now, there is no publicly available evidence or report confirming that iPhone apps are circumventing Apple's privacy rules by collecting user data through notifications.
According to Mysk, the data collection might not be solely for analyzing notification performance. Instead, the data seems unrelated and appears to be used for analytics, advertising, and tracking users across different apps and devices. This raises concerns about user privacy, especially since Apple provides app developers with detailed information about notifications, reducing the need for additional data collection.
Some apps might collect additional data during the brief window when the app wakes up to send notifications. This could potentially involve collecting data such as IP addresses, the number of milliseconds since the phone was restarted, and the amount of free memory space.
Not all apps are found to be engaging in this practice. Google's Gmail and YouTube apps, for instance, only collect data related to processing notifications.
Several companies involved in the investigation, such as Meta (Facebook) and LinkedIn, have denied using the data for advertising or inappropriate purposes. LinkedIn, for example, uses notifications to gather which timezone a user is in, display brightness, and mobile carrier information, all of which are necessary for delivering notifications effectively.
Apple has faced a number of class action lawsuits due to similar findings in the past. In 2022, the company faced over a dozen lawsuits due to Mysk's findings that Apple collects data even after users turn off certain privacy settings.
Starting in Spring 2024, app developers will be required to explain why and how they're using certain APIs. This requirement might force companies to disclose why they're collecting data, potentially stopping illegitimate data collection.
It's worth noting that Apple has a questionable track record in enforcing similar rules. In October 2023, Mysk's tests uncovered data problems at Apple regarding a feature meant to protect WiFi address privacy.
Meta and LinkedIn have shared similar statements, stating that the findings are inaccurate and that they use notifications to help deliver timely, reliable notifications, using Apple's APIs.
As the investigation continues, it's crucial for users to stay informed and take necessary steps to protect their privacy. This includes regularly reviewing app permissions and understanding what data each app is collecting.
- Gizmodo reported that the investigation by Mysk Inc. revealed that some tech giants like Facebook, LinkedIn, TikTok, and Twitter collect user data through notifications, but no evidence confirms iPhone apps circumventing Apple's privacy rules.
- The data collection by apps like Facebook and LinkedIn seems to be used for purposes beyond analyzing notification performance, such as analytics, advertising, and tracking users across different apps and devices.
- In addition to collecting data during the notification process, some apps, such as those that have been under scruiny, might collect extra data when the app wakes up to send notifications, potentially including IP addresses, system information, and memory space.
- businesses like Google, with apps like Gmail and YouTube, only collect data related to processing notifications, unlike some other companies such as Meta (Facebook) and LinkedIn, who are accused of using data for advertising or inappropriate purposes, but have denied these claims.
