Numerous iOS apps have been found to use background processes triggered by push notifications to collect data about users' devices. This practice allows for the creation of fingerprinting profiles used for tracking. According to mobile researcher Mysk, these apps bypass Apple’s background app activity restrictions and pose a privacy risk for iPhone users. Apple’s App Store review guidelines explicitly prohibit apps from surreptitiously building user profiles based on collected data.
Mysk discovered that this practice is widespread and involves many apps with a considerable user base. Although Apple designed iOS to prevent apps from running in the background, iOS 10 introduced a new system that allows apps to launch quietly in the background to process push notifications.
Mysk found through testing that many apps abuse this feature by transmitting data about a device back to their servers when triggered by a notification. This data includes system uptime, locale, keyboard language, available memory, battery status, storage use, device model, and display brightness. The researcher believes that this data can be used for fingerprinting and user profiling, allowing for persistent tracking, which is strictly prohibited in iOS.
Apple has announced that starting in Spring 2024, apps will be required to declare precisely why they need to use APIs that can be abused for fingerprinting. If apps do not properly declare their use of these APIs and their purpose, they will be rejected from the App Store.
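
The declaration requirement described above can be checked mechanically. The following is an added example, not code from Mysk or Apple: it audits a privacy manifest (Apple's `PrivacyInfo.xcprivacy` property list) for three of the data points listed earlier that fall under required-reason API categories. The sample manifest is constructed, and the function and dictionary names are hypothetical.

```python
import plistlib

# Data points named in the article -> required-reason API category covering them.
FINGERPRINT_CATEGORIES = {
    "system uptime": "NSPrivacyAccessedAPICategorySystemBootTime",
    "storage use": "NSPrivacyAccessedAPICategoryDiskSpace",
    "keyboard language": "NSPrivacyAccessedAPICategoryActiveKeyboards",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>35F9.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array/>
    </dict>
  </array>
</dict></plist>"""


def audit_manifest(raw: bytes) -> dict:
    """Map each data point to 'declared', 'no reason given' or 'undeclared'."""
    manifest = plistlib.loads(raw)
    declared = {}
    for entry in manifest.get("NSPrivacyAccessedAPITypes", []):
        declared[entry.get("NSPrivacyAccessedAPIType")] = entry.get("NSPrivacyAccessedAPITypeReasons") or []
    report = {}
    for data_point, category in FINGERPRINT_CATEGORIES.items():
        if category not in declared:
            report[data_point] = "undeclared"
        else:
            report[data_point] = "declared" if declared[category] else "no reason given"
    return report


if __name__ == "__main__":
    for data_point, status in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{data_point:18} {status}")
```

An "undeclared" result is only a finding if the app binary actually calls the corresponding APIs; the manifest alone cannot show that.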
iPhone users who want to evade this fingerprinting should disable push notifications entirely. Unfortunately, making notifications silent will not prevent the abuse. Additionally, Apple has updated its transparency reporting after revelations that governments were requesting push notification records sent through its servers as a way to spy on users.