Researchers find that iPhone apps secretly harvest data when they send you notifications
iPhone apps including Facebook, LinkedIn, TikTok, and X/Twitter are skirting Apple’s privacy rules to collect user data through notifications, according to tests by security researchers at Mysk Inc., an app development company. The technique gets around a protection users rely on: closing apps to stop them from collecting data in the background. The researchers say the data is not necessary for processing notifications. It seems to be related to analytics, advertising, and tracking users across apps and devices.
It’s par for the course that apps would find opportunities to sneak in more data collection, but “we were surprised to learn that this practice is widely used,” said Tommy Mysk, who conducted the tests along with Talal Haj Bakry. “Who would have known that an innocuous action as simple as dismissing a notification would trigger sending a lot of unique device information to remote servers? It is worrying when you think about the fact that developers can do that on-demand.”
These particular apps aren’t unusual bad actors. According to the researchers, it’s a widespread problem plaguing the iPhone ecosystem.
This isn’t the first time Mysk’s tests have uncovered data problems at Apple, which has spent untold millions convincing the world that “what happens on your iPhone, stays on your iPhone.” In October 2023, Mysk found that a lauded iPhone feature meant to protect details about your WiFi address isn’t as private as the company promises. In 2022, Apple was hit with over a dozen class action lawsuits after Gizmodo reported on Mysk’s finding that Apple collects data about its users even after they flip the switch on an iPhone privacy setting that promises to “disable the sharing of device analytics altogether.”
The data looks like information that’s used for “fingerprinting,” a technique companies use to identify you based on several seemingly innocuous details about your device. Fingerprinting circumvents privacy protections to track people and send them targeted ads—and Apple explicitly forbids companies from doing it. Apple products and iPhones have many settings that give you the ability to control how companies collect and identify your data.
Tests showed that, when you interact with an alert from Facebook, the app collects information such as your IP address, how long it has been since your phone restarted, and the amount of free memory on your device. Combined, data such as these can be used to identify people with high accuracy. The other apps collected similar data. LinkedIn, for example, uses notifications to gather which timezone you’re in, your display brightness, and what mobile carrier you’re using, as well as a host of other information that seems specifically related to advertising campaigns, Mysk said.
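As an added illustration (not code from the article or from Mysk’s tests), the Python sketch below measures how the kinds of attributes named above shrink a device’s anonymity set as they are combined, and how reporting coarser values widens it again. The 600-device population, its value ranges, and all function names are constructed for the example.

```python
from collections import Counter

# Constructed population of hypothetical devices. Every attribute on its own
# is shared by dozens of devices; values cycle at different rates.
TZS = ["UTC-8", "UTC-5", "UTC+1", "UTC+8"]
CARRIERS = ["carrier-a", "carrier-b", "carrier-c"]
ATTRS = ["timezone", "carrier", "brightness", "free_mem_mb", "uptime_hours"]

def build_population(n=600):
    return [{
        "timezone": TZS[i % 4],
        "carrier": CARRIERS[i % 3],
        "brightness": (i % 5) * 0.25,
        "free_mem_mb": 1000 + (i % 7) * 128,
        "uptime_hours": i % 11,
    } for i in range(n)]

def anonymity_sets(devices, attrs):
    """For each device, count the devices sharing its values for `attrs`."""
    key = lambda d: tuple(d[a] for a in attrs)
    counts = Counter(key(d) for d in devices)
    return [counts[key(d)] for d in devices]

def unique_fraction(devices, attrs):
    """Share of devices singled out (anonymity set of 1) by `attrs`."""
    sizes = anonymity_sets(devices, attrs)
    return sum(s == 1 for s in sizes) / len(sizes)

def coarsen(device):
    """Mitigation sketch: expose coarse buckets instead of exact readings."""
    d = dict(device)
    d["free_mem_mb"] = d["free_mem_mb"] // 1024   # whole GB only
    d["uptime_hours"] = d["uptime_hours"] // 24   # whole days only
    return d

if __name__ == "__main__":
    devices = build_population()
    for k in range(1, len(ATTRS) + 1):
        subset = ATTRS[:k]
        sizes = anonymity_sets(devices, subset)
        print(f"{len(subset)} attribute(s): smallest set = {min(sizes):3}, "
              f"singled out = {unique_fraction(devices, subset):.0%}")
    coarse = [coarsen(d) for d in devices]
    print(f"all attributes, coarsened: singled out = "
          f"{unique_fraction(coarse, ATTRS):.0%}")
```

In this constructed data set no single attribute identifies anyone, four attributes single out 40% of devices, and all five single out every device.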
Just because an app can collect this info, doesn’t mean that it is using it.
Meta, which owns Facebook, said Mysk’s conclusions are a misinterpretation. “The findings aren’t accurate. People log into our app on their device and provide permission to enable notifications,” said Emil Vazquez, a Meta spokesperson. “We may periodically use this information, even when the app isn’t running, to help us deliver timely, reliable notifications, using Apple’s APIs. This is consistent with our policies.”
LinkedIn released a similar statement. “We are not leveraging notifications as a way to collect member data for advertising or related analytics, cross device or cross app tracking,” a LinkedIn spokesperson said. “Any data related to notifications is only used to confirm that a notification was successfully sent and is never shared externally.” Apple, TikTok, and X/Twitter didn’t immediately answer Gizmodo’s questions for this article.
These details aren’t particularly sensitive compared to things like location data, but they’re valuable for advertising and other purposes. What many people don’t realize is that targeted advertising and other invasions of digital privacy are all about figuring out your identity. Companies know what you’re doing on their apps—but they don’t always know who you are, and data is a lot less useful if you don’t know whose it is. If companies can’t identify you, they can’t target you with ads.
Apple provides a special advertising ID number that’s specifically made to facilitate data collection and targeted ads, but settings such as the iPhone’s “Ask App Not To Track” control block that ad ID. In theory, that’s supposed to stop companies from tying together information about you and your behavior from different apps and other parts of the internet. However, fingerprinting is an easy way to do it anyway.
Apps can collect this kind of data about you when they’re open, but swiping an app closed is supposed to cut off the flow of data and stop an app from running whatsoever. But it seems notifications can be used as a backdoor.
Apple offers special software that your apps can use to send notifications. For some notifications, an app may need to download images, text, or sound. If the app is closed, the iPhone operating system allows it to wake up briefly so that the app can contact company servers and send you the notification. Mysk discovered that the data harvesting occurred during this short window.
“They can intentionally send a notification to a targeted device just so that the app starts in the background and sends back details,” Mysk said. Or if a firm like TikTok wanted to quickly update the IP address of 100,000 people whose apps are closed, a quick notification would be all that was needed. “It’s mind-blowing,” he said.
It’s perfectly reasonable that an app might want to analyze how users interact with notifications in order to optimize its services. However, Mysk said there are a few reasons to think that’s not why apps are collecting this data.
Apple, for example, gives app developers details about what’s going on with notifications directly, so there’s no need to collect additional information if you know what happened after you pinged your users. Furthermore, a lot of the data that apps are collecting seems unrelated to analyzing how well notifications are working, like your phone’s available disk space or the time since your last reboot, Mysk said.
Other data-hungry firms send notifications without eating all this other information. Mysk discovered that, when he tested Gmail or YouTube, the apps only collected information that was clearly related to processing notifications. Mysk said that if Google is able to send you a message without snooping into other details, he suspects there are ulterior motives.
There are some innocent explanations that could be given for the notification data problem. For example, developers sometimes leave old code in their apps that performs functions that companies don’t need anymore. It’s theoretically possible that an app like LinkedIn might be set up to collect data that isn’t used for any purposes whatsoever. The researchers, however, said that’s hard to believe.
There’s an upcoming change to the iPhone operating system’s rules that could improve the situation, but it’s not clear whether it will solve the problem. Starting in Spring 2024, app developers will be required to explain why and how they’re using certain “APIs,” which, in this context, are essentially pieces of software that apps use to communicate with each other and the iPhone operating system.
In theory, that might force companies to disclose why they’re keeping tabs on you—and if they’re collecting data for illegitimate purposes, maybe they’ll have to stop. “The bad news is that it is unclear how Apple is going to enforce it,” Mysk said.
Apple doesn’t have a stellar track record of enforcing similar rules.