iPhone Apps Secretly Harvest Data When They Send You Notifications

[Wolf Greenblatt]

https://gizmodo.com/iphone-apps-can-harvest-data-from-notifications-1851194537

iPhone apps are skirting Apple's privacy rules to collect user data through
notifications, according to tests by security researchers at Mysk Inc., an
app development company.

Users sometimes close apps to stop them from collecting data in the
background, but this technique gets around that protection.

The data is unnecessary for processing notifications, the researchers said,
and seems related to analytics, advertising, and tracking users across
different apps and devices.

"Who would have known that an innocuous action as simple as dismissing a
notification would trigger sending a lot of unique device information to
remote servers? It is worrying when you think about the fact that
developers can do that on-demand."

According to the researchers, it's a widespread problem plaguing the iPhone
ecosystem.

[Alan Browne]

If that is an issue, then they would not be in compliance with Apple's
rules and as such could have their apps withdrawn until fixed.
Hopefully Apple come down on them hard.

--
“Markets can remain irrational longer than your can remain solvent.”
- John Maynard Keynes.

[Frankie]

On 27/1/2024, Alan Browne wrote:

> Hopefully Apple come down on them hard.

I agree with you as the articles I saw said the frequency at which many iOS
apps collect device information is "mind-blowing" so Apple should put a
stop to it as they said the practice goes against Apple's terms of service.
(https://www.techradar.com/pro/security/some-of-the-most-popular-iphone-apps-are-stealing-your-data-using-ios-push-notifications)

[Jolly Roger]

Apple's on record stating they are addressing this:

<https://www.bleepingcomputer.com/news/security/iphone-apps-abuse-ios-push-notifications-to-collect-user-data/>
---
Mitigating the issue

Apple will plug the gap and prevent further abuse of push notification
wake-ups by tightening restrictions on using APIs for device signals.

Mysk told BleepingComputer that starting in Spring 2024, apps will be
required to declare precisely why they need to use APIs that can be
abused for fingerprinting.

These APIs are used to retrieve information about a device, such as its
disk space, system boot time, file timestamps, active keyboards, and
user defaults.

If apps do not properly declare their use of these APIs and what they
are being used for, Apple says that they will be rejected from the App
Store.
---

Also for some perspective, it's perfectly normal for apps to gather some
details about devices during operation, and a lot of that information is
legitimately needed by app developers. In this case, this is the type of
data that is being transmitted during notification processing:

---
Depending on the app, this includes:
* system uptime
* locale
* keyboard language
* available memory
* battery status
* storage use
* device model
* display brightness
---

Apple reportedly will be requiring app developers to provide
justification for collecting this data, and if a developer fails to meet
this requirement, their app will not be approved for the App Store.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR