iPhone apps abuse iOS push notifications to collect user data
Numerous iOS apps are using background processes triggered by push notifications to collect data about users' devices, potentially allowing the creation of fingerprinting profiles used for tracking.
"Apps should not attempt to surreptitiously build a user profile based on collected data and may not attempt, facilitate, or encourage others to identify anonymous users or reconstruct user profiles based on data collected from Apple-provided APIs or any data that you say has been collected in an 'anonymized,' 'aggregated,' or otherwise non-identifiable way," reads a section of Apple App Store review guidelines.
After analyzing what data is sent by iOS background processes when receiving or clearing notifications, Mysk found that the practice was far more prevalent than previously thought, involving many apps with a considerable user base.
In iOS 10, Apple introduced a new system that allows apps to quietly launch in the background to process new push notifications before the device displays them.
The system allows apps that receive push notifications to decrypt the incoming payload and download additional content from their servers to enrich it before it's served to the user.
Through testing, Mysk found that many apps abuse this feature, treating it as a window of opportunity to transmit data about a device back to their servers.