Back in December, we learned that governments and law enforcement agencies are able to spy on your smartphone activity by requesting your push notification data from Apple or Google. Very cool and unconcerning! But as it turns out, it's not just the authorities who can scrape your push notification data: Apps do it too, without you ever opening said app in the first place. But you can put a stop to it.
How apps spy on you through your push notifications
As security research duo Mysk explains in this video, apps are taking advantage of a loophole in iOS push notifications to scrape personal data on your iPhone and send it back to remote servers. Here how it works: iOS allows apps to wake in the background when push notifications come through in order to allow the app to decrypt the payload (the message contained in the notification), or download data attached to the alert. But according to Mysk, many "data-hungry" apps use this as an opportunity to send data analytics to their servers, rather than just make network calls to customize the notification, as would reportedly be expected.
Aside from being a sketchy practice, this abuse of push notification downtime can actually be used to "fingerprint" (that is, track) users. Mysk demonstrates how when a TikTok notification comes through, the app immediately sends off data analytics. When Mysk clears the notification, TikTok sends more data, including system uptime (how long iOS has been up and running on your iPhone). That means TikTok can see how long it's been since you restarted your iPhone, even though you never actually opened the app.
Something similar happens with Facebook, X, LinkedIn, and Bing notifications: When Mysk clears these alerts, the app scrape the iPhone's uptime, in addition to other device information. As explained in a post on X, other device data includes locale (your device's language settings), keyboard language, available memory, battery status, device model, and display brightness, among others. Theoretically, Mysk says, this data can be used to track a user's activities across iOS without you ever actually opening the app involved.
How to stop apps from tracking your activity through push notifications
At this time, the only known solution is the most obvious: disable push notifications for all apps. It's the same solution we offerd when we learned law enforcement agencies and governments are able to request user push notification data from Apple and Google: simply cut off access to the data these companies want so badly.
Of course, that's easier said than done. Notifications can be useful, especially with messaging apps that let you know when a new text has come through. Disabling push notifications for these apps puts you at risk of falling far behind in group threads and personal chats, which defeats much of the purpose of carrying a smartphone in the first place.
That means it's really up to you: what level of data tracking can you tolerate? My recommendation is to disable notifications for any and every app you can afford to. I keep Snapchat notifications turned off at all times, for example, because I'm fine manually checking the app for new snaps (an added benefit: I cannot stand the obnoxious and irrelevant notifications Snapchat loves to spam me with, and no I don't get them). I keep notifications enabled for my messaging apps, because even if Meta is scraping my data, I don't want to miss new alerts from friends and family.
Hopefully Apple will address this privacy and security flaw soon, and block apps from being able to leach this information whenever a push notification comes through. Until then, our only option is to block these apps from alerting us at all.