Some time ago, I wrote about Apple spilling the tea on government agencies requesting notification data. While that information was given up by Apple by request, companies have been getting it secretly.
A security research named Tommy Mysk has provided evidence that our push notifications are sending identifiable information through apps.
In the video, he demonstrates how apps like Facebook, TikTok, Twitter, LinkedIn, and Bing are using an iOS feature to collect the data. The feature was introduced in iOS 10 to allow apps to run a bit of code to customize notifications. The apps mentioned earlier use that code execution to get data about you and your phone.
This move is not permitted by Apple in anyway. Apple does go out of its way to catch when apps are collecting data. With iOS 14.5, it introduced App Tracking Transparency. That was put in place to ask users if they would like their data to be collected. This workaround seems to circumvent that question and allows companies to collect the data anyway.
It’s bad enough that it is being used by apps that would no doubt love to serve you ads, imagine if a malicious actor did it. They make an innocent looking app to get through the review process. After it gets approved, people begin downloading the app and things start happening through the notifications.
Hopefully, now that this is out, Apple can fix it or at least be aware that this is happening and block apps that abuse it.