Ads and push notifications being used to spy on iPhone users

Both in-app ads and push notifications are being used to identify and spy on iPhone users, according to two separate reports.

The first says that in-app ads are being used to gather data intended to identify your iPhone and send highly sensitive data to security services, while the second found that apps like Facebook and TikTok are using a vulnerability in the way push notifications are handled by iOS to obtain the data for their own use …

The problem of device fingerprinting

When Apple changed the rules to require apps to seek your permission before tracking you, it wasn’t long before companies started working on a backdoor method of achieving the same thing: device fingerprinting.

We’ve been drawing attention to this since before App Tracking Transparency went live. Back in 2020, we were already warning that advertisers had developed a workaround.

Ultimately Apple’s latest privacy step won’t make much difference: there’s already a new way for advertisers to track us, and there’s little Apple can do about it: device fingerprinting […]

Whenever you visit a website, your browser hands over a bunch of data intended to ensure that the site displays correctly on your device. A website needs to display itself very differently on an iMac and an iPhone, for example.

As time has gone on, and websites have become more sophisticated, the amount of data your browser hands over has grown. When a website analyses all of the data available to it, things get very specific, very fast.

The aim of device fingerprinting is to try to identify each unique device, assigning to it a device fingerprint. This can then be used to track you in exactly the same way as IDFA.

We pointed to sites you can visit to determine whether your device can be uniquely identified.

Patternz: ‘an ad-based spy tool monitoring billions’

404 Media reports on Patternz, which it describes as “a global phone spy tool monitoring billions [of people].”

Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps’ users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles, according to a 404 Media investigation.

Patternz strikes deals with smaller ad networks, willing to engage in shady practices, to gather the device fingerprints, and to use them to trigger surveillance.

While one example given was of an Android user, the same tactic works through tens of thousands of iPhone apps.

Ton acknowledges that the platform was built as a “homeland security platform.” In other marketing materials online, Patternz pitches itself specifically to “national security agencies.”

At one point in the video, Ton clicks on a particular profile. The next screen shows a wealth of information about that particular device, and by extension, person. It includes a long list of GPS coordinates related to them, with Ton saying location accuracy can be down to a meter; what address those coordinates corresponded to; the person’s frequently visited locations including their home and work address (which for this target is in a hospital nearby, Ton says); the specific apps used by the person (in this case, “Caller ID & Block by CallApp” and “Truecall – Caller ID & Block”); the brand of phone and its operating system (a Samsung running Android 9); and a list of other users that were next to the target when they were at home and at work.

This is done by abusing an online and in-app ad tool known as real-time bidding. The idea behind this is that if you’re a widget maker wanting to sell to iPhone 15 users in the US with an interest in cars, you can compete with other advertisers seeking the same audience. The bidding process reveals how many users are available which match your target audience.

The problem is that the security services can pose as an ad bidder, put in a massively specific set of target criteria – so specific that it will identify particular individuals – and then obtain a vast amount of sensitive data on that person.

The study identified 61,894 iOS apps being used in this way – without their developers’ knowledge. The villain here is the company behind Patternz, not the app developers.
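To make the exposure concrete from the app or ad-SDK side, the following added example (not code from the article, 404 Media or any ad network) audits a bid request for per-device fields and produces a coarsened copy. It assumes OpenRTB 2.x field names, which the article does not name; the sample request and the function names are constructed for illustration.

```python
import copy
import ipaddress

GEO_DECIMALS = 1  # 0.1 degree of latitude is roughly 11 km

# Constructed bid request. Field names follow OpenRTB 2.x (an assumption:
# the article does not say which protocol the ad networks use).
SAMPLE_REQUEST = {
    "id": "constructed-req-1",
    "app": {"bundle": "com.example.callerid"},
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",  # advertising ID
        "ip": "203.0.113.57",  # documentation range, IPv4
        "make": "Apple", "model": "iPhone15,2", "os": "iOS", "osv": "17.2.1",
        "geo": {"lat": 52.520008, "lon": 13.404954},
    },
    "user": {"id": "constructed-user-42"},
}

def precise_fields(req):
    """List fields that single out one device rather than an audience."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    checks = {
        "device.ifa": dev.get("ifa") is not None,
        "device.ip": "ip" in dev and not dev["ip"].endswith(".0"),
        "device.geo": any(round(geo[k], GEO_DECIMALS) != geo[k]
                          for k in ("lat", "lon") if k in geo),
        "user.id": "id" in req.get("user", {}),
    }
    return [name for name, hit in checks.items() if hit]

def minimize(req):
    """Return a copy with per-device fields dropped or coarsened."""
    out = copy.deepcopy(req)
    out.pop("user", None)
    dev = out.get("device", {})
    dev.pop("ifa", None)
    dev["lmt"] = 1  # OpenRTB "limit ad tracking" signal
    if "ip" in dev:  # keep only the /24 the address belongs to
        net = ipaddress.ip_network(f"{dev['ip']}/24", strict=False)
        dev["ip"] = str(net.network_address)
    for key in ("lat", "lon"):
        if key in dev.get("geo", {}):
            dev["geo"][key] = round(dev["geo"][key], GEO_DECIMALS)
    if "osv" in dev:
        dev["osv"] = dev["osv"].split(".")[0]  # major version only
    return out
```

Running `precise_fields` on outgoing requests before and after `minimize` shows which fields a bidder would otherwise receive at device-level precision.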

iPhone push notifications being used as a spy tool

Security researchers Mysk found that iPhone push notifications are being abused in a similar way.

iOS provides a way for background apps to send you push notifications.

It works like this: when an app receives a push notification, iOS wakes the app in the background and allows it a limited time to customize the notification before it is presented to the user. This is very helpful for apps to perform tasks related to the notification such as decrypting the notification payload or downloading additional content to further enrich the notification before iOS presents it to the user. And as soon as the app finishes customizing the notification, iOS terminates it.

But Mysk says many apps are abusing this privilege to fingerprint your iPhone.

However, many apps are using this feature as an opportunity to send detailed device information while running quietly in the background. This includes: system uptime, locale, keyboard language, available memory, battery status, device model, display brightness, to mention a few. Such signals are commonly used for fingerprinting and tracking users across different apps developed by different developers. Fingerprinting is strictly prohibited on iOS and iPadOS.

In this case, the developers are the culprits. You can see proof of this in the video below.
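Why a handful of unremarkable signals is enough, for both the browser case described earlier and the push-notification case here: the added example below (not Mysk's or 9to5Mac's code) measures how the anonymity set shrinks as signals are combined. The eight-device population and the field names are constructed; the signals are ones the Mysk quote lists.

```python
import math
from collections import Counter

# Constructed population of 8 devices. Uptime is modelled as boot_hour
# (report time minus uptime), which stays constant between reboots.
FIELDS = ["model", "locale", "keyboard", "boot_hour"]
ROWS = [
    ("iPhone15,2", "en_US", "en-US", 5),
    ("iPhone15,2", "en_US", "en-US", 71),
    ("iPhone15,2", "en_US", "es-MX", 5),
    ("iPhone15,2", "en_GB", "en-GB", 5),
    ("iPhone14,5", "en_US", "en-US", 5),
    ("iPhone14,5", "en_US", "en-US", 212),
    ("iPhone14,5", "de_DE", "de-DE", 71),
    ("iPhone14,5", "de_DE", "de-DE", 30),
]
DEVICES = [dict(zip(FIELDS, row)) for row in ROWS]

def anonymity_sets(devices, fields):
    """Count how many devices share each combination of the given fields."""
    return Counter(tuple(d[f] for f in fields) for d in devices)

def entropy_bits(devices, fields):
    """Shannon entropy of the combined signal over the population."""
    n = len(devices)
    sets = anonymity_sets(devices, fields)
    return -sum(c / n * math.log2(c / n) for c in sets.values())

def unique_devices(devices, fields):
    """Number of devices whose combination nobody else shares."""
    return sum(1 for c in anonymity_sets(devices, fields).values() if c == 1)

def cumulative_report(devices, fields):
    """Add one signal at a time; return (signals, bits, unique) per step."""
    report = []
    for i in range(1, len(fields) + 1):
        used = fields[:i]
        report.append((used, round(entropy_bits(devices, used), 3),
                       unique_devices(devices, used)))
    return report

if __name__ == "__main__":
    for used, bits, uniq in cumulative_report(DEVICES, FIELDS):
        print(f"{'+'.join(used):40} {bits:5.2f} bits  {uniq}/{len(DEVICES)} unique")
```

No single field identifies anyone in this sample, yet the four together separate all eight devices, which is why each signal has to be assessed in combination with the others.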

Google and Apple respond

Google said it has terminated its relationship with one company using ads as a fingerprinting tool, while Apple has plans to introduce new protections against misuse of push notifications.

Starting Spring 2024, Apple will require developers to declare reasons for using the APIs that return unique device signals, such as the ones commonly used for fingerprinting.


Author: Ben Lovejoy