Menu
EN

TikTok, Meta, X, and others exploit push notifications on iOS to collect data about users

Apple has long said that fingerprinting — tracking a user through the hardware and software features of their device — is not allowed. But apparently some popular apps have found a backdoor that they are exploiting in plain sight.

Privacy researcher Tommy Mysk has discovered that a number of popular iOS apps are using a push notification feature, first introduced in 2016, to send detailed data about the user’s device to their companies’ servers.

Mysk explained that he noticed this disturbing and seemingly persistent pattern when he examined several social media apps, including TikTok, Facebook, FB Messenger, Instagram, Threads, and X. All of these apps took advantage of the feature that allowed them to customize their push notifications even when not running.

This feature is not intrinsically malicious and serves an important purpose. For example, it can be useful for apps that need to decode the notification payload or download additional content to best present the notification to the user. When an app receives a push notification, iOS signals the app to wake up and run for a short time. During this time, the app can do whatever the developer wants, including tweaking the push notification’s appearance in some way. The latter would be the original purpose of the feature, but the problem is that the app may also be collecting data or sending information about the user during that time.

Mysk has observed that the apps he has studied have learned to take full advantage of this limited run time to collect data from the device and send that data to remote servers. The researcher calls the ability to run code in the background “a gold mine for data-hungry apps.”

So how does it all work, according to Mysk?

  • The app developer comes up with a code they want the app to run in the background
  • The developer sends a push notification to the user of the app. The push can be about anything, from a news update, a live sports score to a new friend request
  • The user’s device receives the push notification, but does not show it on the screen yet. iOS recognizes that the push notification is from the social app and wakes it up in the background. The app is now running, but the user can’t see it or interact with it
  • The app runs the code that the developer has prepared in the background. And while it may be innocuous, for example, be used to add more information, such as images, to the notification, it can also be used to harvest data from the user’s device and send that data to the developer’s servers

This scheme can provide developers with a unique combination of the software and hardware characteristics of the user’s device.

Many apps are using this feature as an opportunity to send detailed device information while running quietly in the background. This includes: system uptime, locale, keyboard language, available memory, battery status, device model, display brightness, to mention a few.

This data can subsequently be used to track the user across applications, Mysk points out.

What data is being collected?

In the video describing the examples of such trickery, Mysk shows the types of data that can be collected by social media companies through the push notification loophole. The collection is done either through the company’s own services or with the help of third-party tools, such as Google’s analytics tools — Google Analytics and Firebase.

TikTok

With TikTok, for example, the app sends the iPhone’s boot time to the remote servers every time it receives a push notification.

TikTok sends a lot of data to external servers

That means that TikTok knows exactly when the user last restarted their iPhone. If collected over a period of time, the boot time can tell how often the user reboots their iPhone, which can indicate how much they use it or how stable it is. It can be also used to identify the user’s device or track their activity.

When the Facebook app sends a push notification to the same device, Facebook receives the same data about the user’s iPhone last boot time.

Facebook

As the researcher notes, this may facilitate tracking the user across different apps. That is because the boot time can be used as a unique identifier for the user’s device. If the same device has multiple apps that collect and send the boot time to the same or different servers, these servers can compare the boot time data and link it to the same device. This way, they can track the user’s behavior and preferences across different apps, even if the user does not use the same account or login information for each app. All of this makes the exploitation of the push notification feature by social media companies a legitimate privacy threat.

Moreover, Mysk notes that some apps, for example Facebook and TikTok, also send data when clearing their notifications in Notification Center, which is an iOS feature that provides an overview of alerts from applications.

For example, when a user clears a Facebook notification, the app sends a request with detailed information, including the information about available memory, the last app event, such as liking a post, the time since last app event, the actor ID, that identifies the user’s account on Facebook, the preferred content size, the timestamp (i.e. the exact date and time) when the notification was cleared, the connection type, and so forth.

When a user clear a Facebook notification, the app sends detailed information about the user to the external servers

Twitter (X) handles the collection of the user’s information more or less the same way as Facebook and TikTok do.

X/Twitter

All three companies are using Firebase, a service offered by Google, Mysk notes, adding that “the frequency at which many apps send device information after being triggered by a notification is mind-blowing.”

New Apple rule for devs: what will they change?

Mysk pins a lot of hopes on the new rules for developers that Apple has put in place and that will come into effect this spring. As it unveiled the rules, Apple announced that developers would need to explain why their apps have to use certain APIs (Application Programming Interfaces), which are methods for different apps to communicate and share data.

The developers will have to explain why they need to access device information not only for their own code, but also for third-party SDKs (software development kits) that they add to their apps. Both apps and third-party SDKs will need to write one or more “approved reasons” for why they need to access device information through specific APIs in separate documents called “privacy manifest files.” These reasons should be “consistent with the app’s functionality.” We wrote a detailed review of Apple’s new requirement for developers in August — check it out here.

But the question is, will it stop companies from harvesting data from apps through the push notification backdoor? In theory, it should, but only if Apple seriously enforces these rules and monitors developers’ compliance. Which is by no means guaranteed.

We believe that the new rules will improve the situation, but by how much? It is a difficult question with many variables. Developers will have to take the new rules into account, so there’s a chance they’ll try to follow them in good faith. However, those who are hell-bent on continuing to collect this data will likely choose to take risks. And then it’ll be up to Apple and its reviewers to catch these apps in the act.

In any case, we hope Apple takes a proactive and transparent approach to privacy enforcement, or users’ data will continue to be at risk.

Liked this post?
By downloading the comments you agree the terms and policies

AdGuard for Windows

AdGuard for Windows is more than an ad blocker. It is a multipurpose tool that blocks ads, controls access to dangerous sites, speeds up page loading, and protects children from inappropriate content.
User Reviews: 12827
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard for Mac

AdGuard for Mac is a unique ad blocker designed with macOS in mind. In addition to protecting you from annoying ads in browsers and apps, it shields you from tracking, phishing, and fraud.
User Reviews: 12827
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard for Android

AdGuard for Android is a perfect solution for Android devices. Unlike most other ad blockers, AdGuard doesn't require root access and provides a wide range of app management options.
User Reviews: 12827
4.7 out of 5
By downloading the program you accept the terms of the License agreement

AdGuard for iOS

The most advanced ad blocker for Safari: it makes you forget about pop-up ads, speeds up page loading, and protects your personal data. A manual element-blocking tool and highly customizable settings help you tailor the filtering to your exact needs.
User Reviews: 12827
4.7 out of 5
By downloading the program you accept the terms of the License agreement

AdGuard Browser Extension

AdGuard is the fastest and most lightweight ad blocking extension that effectively blocks all types of ads on all web pages! Choose AdGuard for the browser you use and get ad-free, fast and safe browsing.
User Reviews: 12827
4.7 out of 5

AdGuard for Safari

Ad blocking extensions for Safari are having hard time since Apple started to force everyone to use the new SDK. AdGuard extension is supposed to bring back the high quality ad blocking back to Safari.
User Reviews: 12827
4.7 out of 5
App Store
Download
By downloading the program you accept the terms of the License agreement

AdGuard Home

AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it’ll cover ALL your home devices, and you don’t need any client-side software for that. With the rise of Internet-Of-Things and connected devices, it becomes more and more important to be able to control your whole network.
User Reviews: 12827
4.7 out of 5

AdGuard Content Blocker

AdGuard Content Blocker will eliminate all kinds of ads in mobile browsers that support content blocker technology — namely, Samsung Internet and Yandex.Browser. While being more limited than AdGuard for Android, it is free, easy to install and still provides high ad blocking quality.
User Reviews: 12827
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard Assistant

A companion browser extension for AdGuard [desktop apps](/en/products.html). It offers an in-browser access to such features as custom element blocking, allowlisting a website or sending a report.
User Reviews: 12827
4.7 out of 5
Assistant for Chrome Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Firefox Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Edge Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Opera Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Yandex Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Safari Is it your current browser?
If you can't find your browser, try the old legacy Assistant version, which you can find in AdGuard extension settings.

AdGuard Temp Mail β

A free temporary email address generator that keeps you anonymous and protects your privacy. No spam in your main inbox!
User Reviews: 12827
4.7 out of 5

AdGuard for Android TV

AdGuard for Android TV is the only app that blocks ads, guards your privacy, and acts as a firewall for your Smart TV. Get warnings about web threats, use secure DNS, and benefit from encrypted traffic. Relax and dive into your favorite shows with top-notch security and zero ads!
User Reviews: 12827
4.7 out of 5
Downloading AdGuard To install AdGuard, click the file indicated by the arrow Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, drag the AdGuard icon to the "Applications" folder. Thank you for choosing AdGuard! Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, click "Install". Thank you for choosing AdGuard!
Install AdGuard on your mobile device