It’s been a remarkable week in the realm of smartphone user privacy and security. Specifically, two inquiries have exposed concerning privacy matters linked to smartphone advertising and iOS’ notification system.
First, an exhaustive inquiry by 404 Media revealed that a company named Patternz is exploiting the ad delivery system on smartphones to draw out information through apps and subsequently forward it to bidders.
According to the report, Patternz is a “covert spy tool that can monitor billions of phone profiles through the advertising industry.” Patternz utilizes a channel in prevalent apps like 9Gag, in addition to popular caller ID apps, to conduct its malevolent tasks.Patternz allegedly informed its clients that it can supervise almost any app that is capable of running ads.
The CEO of the company explains that once the tool, which covers over half a million apps, is deployed, the phone becomes an “in effect tracking bracelet.” According to a damning research paper, it profiles over a staggering 5 billion users and sells the information to clients in the real-time bidding (RTB) market. This is an issue that can impact users of both iPhone and Android devices.
ISA, the surveillance company behind Patternz, retrieves this data from RTB operators like Google and X, formerly known as Twitter. The data it sells can encompass everything from a highly precise location of an individual accurate within meters to their movement pattern history and even their contacts.
A considerable surveillance network
The presence of such tools calls into question the efficacy of Apple’s heavily promoted App Tracking Transparency feature, which is aimed at limiting such ad-powered tracking.
Cybersecurity experts suggest that these tools facilitate government surveillance, and companies like ISA are already promoting their services to national security agencies. This is not a coincidence.
The head of the National Security Agency has admitted that the NSA acquires web-browsing data of Americans from data brokers, circumventing the need for warrants.
This revelation came after Senator Ron Wyden (D-OR) paused the nomination of the NSA’s incoming director and demanded answers about the agency’s practices in collecting Americans’ location and internet data.
Notifications can be malicious
However, ads are just one aspect of the issue. Another inquiry by Mysk disclosed that bad actors are exploiting the push notifications on iPhones to amass essential data for diagnostics and personalized data delivery.
Whenever an app receives a push notification, iOS briefly wakes it up, offering a brief window to customize the notification before displaying it to the user. Notably, various social apps, notorious for their invasive data collection practices, are misusing this background runtime made possible by push notifications.
Developers can exploit this loophole to run code in the background simply by sending push notifications, enabling apps to covertly transmit comprehensive device data while operating in the background, essentially running a system to fingerprint devices.
#Privacy: Facebook, TikTok, and Other Apps Use Push Notifications to Send Data about Your iPhone
“The frequency at which many apps send device information after being triggered by a notification is mind-blowing,” states the security firm. This inquiry has revealed suspicious actions even from massively popular platforms such as Facebook, TikTok, and LinkedIn.
The only solution to this problem? Disabling notifications.
“Recently, adversaries appear to be exploiting notification pop-ups and ads to induce the victim into installing spyware on their devices,” states Jon Clay, CEO of global cybersecurity firm Trend Micro, in conversation with Digital Trends.
So, what can an ordinary person do to avoid such illicit surveillance, which can transmit identifying details such as location and local data? “Many people have been led to believe mobile devices are secure by themselves,” Clay says, suggesting that installing ad-blockers may provide some form of safety net or dedicated security apps.
What happens on your iPhone does not stay on your iPhone.
“Attacks of this nature are quite insidious and extremely alarming,” states Alan Bavosa, vice president of security products at Appdome. He notes that users are usually in a defenseless position in the face of these attacks since they aren’t aware of what’s happening on their devices in the first place.
“There are small things that users can do not to make matters worse, like downloading apps from standard app stores and not changing (jailbreaking or rooting) their devices,” Bavosa adds. “But these measures are additive, not curative.”
Unfortunately, it appears that the responsibility ultimately falls on the user, and that too, is a preventative measure. A common recommendation from cybersecurity experts is to manually delve into the settings app and disable notification apps for certain apps, and maybe to device sensors as well.
“Some Adware and Spyware may be published by bad actors in the official marketplaces under look of a legitimate app,” says Shawn Loveland, chief operating officer at Resecurity. “It is recommended not to install random apps or apps you don’t really need.”
Although bad actors have found workarounds, asking apps not to track user activity on your iPhone is a prudent step. “It’s a good idea to periodically check the permissions of apps, particularly those related to location and microphone access, and to disable any that aren’t necessary,” suggests John Chapman, co-founder of security firm MSP Blueshift.
Some relief will arrive later this year as Apple prepares to ask developers to explicitly explain why they need to access push notifications and the related diagnostic systems on iPhones. It’s not going to fix all the problems in one go, but it’s at least a decent start.