In December, it was revealed that not only governments and law enforcement agencies but also certain mobile applications have the capability to access your smartphone activity by exploiting a vulnerability in iOS push notifications. This practice has raised concerns about privacy and data security. These apps take advantage of the iOS feature that allows them to run in the background when push notifications arrive, enabling them to extract and send personal data to remote servers without the user ever opening the app.
This method is not only ethically questionable but can also be used for user tracking, commonly referred to as "fingerprinting." For instance, when receiving a TikTok notification, the app immediately sends data analytics to its servers. Even after the notification is cleared, TikTok continues to scrape data, including system uptime, which indicates how long iOS has been running on the user's iPhone. Similar data extraction processes occur with other apps like Facebook, X, LinkedIn, and Bing, collecting information such as device locale, keyboard language, available memory, battery status, device model, and display brightness. The potential use of this data is to track a user's activities across iOS without requiring them to open the respective apps.
Beyond push notifications, fingerprinting extends to collecting various device-related data points, such as the user's IP address, screen resolution, device language, browser configuration, and installed fonts. These diverse data elements enable apps to construct digital fingerprints distinguishing individual users, often without their explicit consent.
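Why individually unremarkable values add up to an identifier, shown as an added example (not code from this article or from any app it names): it measures, over a constructed set of eight reports, how many devices each combination of attributes singles out. The field names, the sample values and the use of report time minus uptime as a boot-time signal are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample reports (not real telemetry): device model, locale,
# time the report was sent (Unix seconds), system uptime in seconds.
REPORTS = [
    ("model-A", "en_US", 1702100000, 100000),
    ("model-A", "en_US", 1702100000, 350000),
    ("model-A", "de_DE", 1702100000, 20000),
    ("model-A", "de_DE", 1702100000, 600000),
    ("model-B", "en_US", 1702100000, 90000),
    ("model-B", "en_US", 1702100000, 7200),
    ("model-B", "de_DE", 1702100000, 432000),
    ("model-B", "de_DE", 1702100000, 86400),
]

def boot_time(report_ts, uptime_s):
    """Uptime changes every second, but report time minus uptime does not:
    it is the moment of the last boot and stays fixed until the next restart."""
    return report_ts - uptime_s

def to_rows(reports):
    return [{"model": m, "locale": loc, "boot_time": boot_time(ts, up)}
            for m, loc, ts, up in reports]

def group_sizes(rows, fields):
    """Anonymity sets: how many devices share each combination of values."""
    return Counter(tuple(r[f] for f in fields) for r in rows)

def entropy_bits(rows, fields):
    """Shannon entropy of the chosen fields over the sample, in bits."""
    n = len(rows)
    return -sum(c / n * math.log2(c / n) for c in group_sizes(rows, fields).values())

def unique_fraction(rows, fields):
    """Share of devices that are alone in their anonymity set."""
    sizes = group_sizes(rows, fields)
    return sum(1 for r in rows if sizes[tuple(r[f] for f in fields)] == 1) / len(rows)

if __name__ == "__main__":
    rows = to_rows(REPORTS)
    for fields in (["model"], ["model", "locale"], ["model", "locale", "boot_time"]):
        print(fields, entropy_bits(rows, fields), unique_fraction(rows, fields))
```

In this sample the model and locale alone leave every device hidden among others, while adding the derived boot time isolates all eight.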
Fingerprinting facilitates the perpetual surveillance of user activities across iOS devices, enabling the creation of extensive user profiles. These profiles encompass a wide spectrum of a user's digital existence, including their browsing habits and app usage patterns. This data reservoir is exploited for targeted advertising, comprehensive analytics, or sale to third parties, posing a substantial threat to user privacy.
The surreptitious nature of fingerprinting leaves users largely uninformed about the extent of personal data collection. This lack of transparency and consent raises ethical concerns and erodes trust in app providers.
Unauthorized collection and transmission of personal data introduce vulnerabilities in data security. Users' sensitive information becomes susceptible to data breaches, exposing them to potential cyber-attacks and the machinations of malicious actors.
Raising user awareness about the potential risks associated with fingerprinting is pivotal. Encouraging users to review app permissions and privacy settings empowers them to make informed decisions regarding their data.
Apple plays a pivotal role in addressing fingerprinting practices by implementing stricter app review processes and enhancing privacy safeguards. Developers are expected to adhere to Apple's guidelines, with the company retaining the authority to take punitive measures against apps found engaging in harmful practices.
Government and regulatory bodies can contribute substantially by enacting and enforcing more stringent privacy regulations. These regulations would mandate that app developers secure explicit user consent and provide transparent data usage policies.
The practice of iOS apps tracking users through fingerprinting presents significant concerns in the digital landscape. Achieving a harmonious equilibrium between app functionality and user privacy is paramount. While fingerprinting may have legitimate use cases, its implementation must prioritize transparency and obtain user consent. Addressing this issue is imperative for preserving trust and upholding the protection of personal data in an increasingly interconnected world.
To safeguard your privacy from such intrusive practices, the most straightforward solution is to disable push notifications for all apps. However, this may not be practical for certain apps, such as BlueSky, and particularly for messaging applications that rely on notifications for real-time communication. The decision ultimately lies with the user, who must determine their comfort level regarding data tracking. Some users may choose to disable notifications for non-essential apps to mitigate data privacy risks while ensuring essential communication apps remain active.
It is hoped that Apple will address this privacy and security concern promptly by implementing measures to prevent apps from exploiting push notifications for data extraction. Until such improvements are made, users have the option to restrict notifications from certain apps to mitigate potential privacy breaches.
We note that our BlueSky Risk Intelligence app does not utilize any form of fingerprint tracking, and our team does not track, collect or view any client data from their devices. If you have any concerns with regard to the above and BlueSky, please do not hesitate to reach out to your BlueSky representative for more information.