iPhone apps including Facebook, LinkedIn, TikTok, and X/Twitter are skirting Apple’s privacy rules to collect user data through notifications, according to tests by security researchers at Mysk Inc., an app development company. Users sometimes close apps to stop them from collecting data in the background, but this technique gets around that protection. The data is unnecessary for processing notifications, the researchers said, and seems related to analytics, advertising, and tracking users across different apps and devices. Some of the companies involved said these findings are inaccurate.
It’s par for the course that apps would find opportunities to sneak in more data collection, but “we were surprised to learn that this practice is widely used,” said Tommy Mysk, who conducted the tests along with Talal Haj Bakry. “Who would have known that an innocuous action as simple as dismissing a notification would trigger sending a lot of unique device information to remote servers? It is worrying when you think about the fact that developers can do that on-demand.”
These particular apps aren’t unusual bad actors. According to the researchers, it’s a widespread problem plaguing the iPhone ecosystem. However, spokespeople for Meta and LinkedIn categorically denied the data is used for advertising or other inappropriate purposes. A LinkedIn spokesperson said the data is only used to ensure notifications work properly, and the company follows all of Apple’s developer guidelines. Apple, TikTok, and X/Twitter didn’t immediately answer Gizmodo’s questions for this article.
This isn’t the first time Mysk’s tests have uncovered data problems at Apple, which has spent untold millions convincing the world that “what happens on your iPhone, stays on your iPhone.” In October 2023, Mysk found that a lauded iPhone feature meant to protect details about your WiFi address isn’t as private as the company promises. In 2022, Apple was hit with over a dozen class action lawsuits after Gizmodo reported on Mysk’s finding that Apple collects data about its users even after they flip the switch on an iPhone privacy setting that promises to “disable the sharing of device analytics altogether.”
The data looks like information that’s used for “fingerprinting,” a technique companies use to identify you based on several seemingly innocuous details about your device. Fingerprinting circumvents privacy protections to track people and send them targeted ads—and Apple explicitly forbids companies from doing it. iPhones and other Apple products have many settings and rules in place that are supposed to give you control over when companies can identify you and collect data.
For example, the tests showed that when you interact with a notification from Facebook, the app collects IP addresses, the number of milliseconds since your phone was restarted, the amount of free memory space on your phone, and a host of other details. Combining data like these is enough to identify a person with a high level of accuracy. The other apps in the test collected similar information. LinkedIn, for example, uses notifications to gather which timezone you’re in, your display brightness, and what mobile carrier you’re using, the test showed. Mysk said LinkedIn also collects a host of other information that seems specifically related to advertising campaign (a LinkedIn spokesperson called this inaccurate.) It’s worth noting that just because an app can collect this info, doesn’t mean that it is using it.
“We are not leveraging notifications as a way to collect member data for advertising or related analytics, cross device or cross app tracking,” a LinkedIn spokesperson said. “Data that is collected is only used to confirm that a notification was successfully sent and, on a transient basis, to queue the app experience in case the member chooses to launch the app in response to the notification never shared externally.” The spokesperson said the data is never shared externally.
Meta, which owns Facebook, shared a similar statement. “The findings aren’t accurate. People log into our app on their device and provide permission to enable notifications,” said Emil Vazquez, a Meta spokesperson. “We may periodically use this information, even when the app isn’t running, to help us deliver timely, reliable notifications, using Apple’s APIs. This is consistent with our policies.”
These details aren’t particularly sensitive compared to things like location data, but they’re valuable for advertising and other purposes. What many people don’t realize is that targeted advertising and other invasions of digital privacy are all about figuring out your identity. Companies know what you’re doing on their apps—but they don’t always know who you are, and data is a lot less useful if you don’t know whose it is. If companies can’t identify you, they can’t target you with ads.
Apple provides a special advertising ID number that’s specifically made to facilitate data collection and targeted ads, but settings such as the iPhone’s “Ask App Not To Track” control block that ad ID. In theory, that’s supposed to stop companies from tying together information about you and your behavior from different apps and other parts of the internet. But fingerprinting is a sneaky way to keep doing it anyway.
Apps can collect this kind of data about you when they’re open, but swiping an app closed is supposed to cut off the flow of data and stop an app from running whatsoever. However, it seems notifications provide a backdoor.
Apple provides special software to help your apps send notifications. For some notifications, the app might need to play a sound or download text, images, or other information. If the app is closed, the iPhone operating system lets the app wake up temporarily to contact company servers, send you the notification, and perform any other necessary business. The data harvesting Mysk spotted happened during this brief window.
“They can intentionally send a notification to a targeted device just so that the app starts in the background and sends back details,” Mysk said. Or if a company like TikTok or X/Twitter wanted a quick update on the IP addresses of 100,000 people who have their apps closed, one quick notification is all it would take. “It’s mind-blowing,” he said.
It’s perfectly reasonable that an app might want to analyze how users interact with notifications in order to optimize its services. However, Mysk said there are a few reasons to think that’s not why apps are collecting this data.
For one, Apple gives app developers details about what’s going on with notifications directly, so there’s no need to collect additional information if you know what happened after you pinged your users. Furthermore, a lot of the data that apps are collecting seems unrelated to analyzing how well notifications are working, like your phone’s available disk space or the time since your last reboot, Mysk said.
Beyond that, other data-hungry companies are sending notifications without feasting on all of this other information. When Mysk tested Gmail and YouTube, for example, the apps only collected data that was obviously related to processing notifications. Mysk said if a company like Google can send you a notification without snooping on other details, that suggests there are ulterior motives for the data collection he spotted.
There are a few potentially innocent explanations for the notifications data problem. For example, developers sometimes leave old code in their apps that performs functions that companies don’t need anymore. It’s theoretically possible that an app like LinkedIn might be set up to collect data that isn’t used for any purposes whatsoever. The researchers, however, said that’s hard to believe.
There’s an upcoming change to the iPhone operating system’s rules that could improve the situation, but it’s not clear whether it will solve the problem. Starting in Spring 2024, app developers will be required to explain why and how they’re using certain “APIs,” which, in this context, are essentially pieces of software that apps use to communicate with each other and the iPhone operating system.
In theory, that might force companies to disclose why they’re keeping tabs on you—and if they’re collecting data for illegitimate purposes, maybe they’ll have to stop. “The bad news is that it is unclear how Apple is going to enforce it,” Mysk said.
Unfortunately, you might have heard that big companies sometimes tell lies, which would get in the way of that solution, and Apple doesn’t have a stellar track record of enforcing similar rules.
Update, 3:16 p.m.: This story has been updated with additional comments from LinkedIn.