Security Specialists Uncover Two Significant Privacy Concerns in Smartphone Technology

This has been quite a stunning week in regard to the privacy and security of smartphone users. Specifically, two investigations have revealed troubling privacy concerns around smartphone advertising and iOS’ notification system.

The first, a deep investigation by 404 Media, uncovered a company called Patternz is weaponizing the ad delivery system on smartphones to extract information through apps and then send it to bidders. The report described Patternz as “a secretive spy tool that can track billions of phone profiles through the advertising industry.” Patternz uses a pipeline in popular apps like 9Gag and a bunch of popular caller ID apps to do its nefarious jobs. Patternz reportedly told its clients that it can monitor virtually any app that is capable of running ads.

The company’s CEO says once the tool, which covers over half a million apps, is deployed, the phone turns into a “de facto tracking bracelet.” According to a damning research paper, it profiles over a staggering 5 billion users and hawks the information to clients using the real-time bidding (RTB) market. Whether you have an iPhone or an Android phone, this is something that can affect you. ISA, the surveillance company behind Patternz, collects this data from RTB players like Google and X, formerly known as Twitter. The dataset it sells can include anything from a highly specific location of a person that’s accurate within meters to a history of their movement pattern and even who they are meeting.

A massive surveillance net

The very existence of such tools also brings into question the efficiency of Apple’s heavily marketed App Tracking Transparency feature, which aims to curtail such ad-enabled tracking. Cybersecurity experts say such tools enable government surveillance, and the likes of ISA are already advertising their services to national security agencies. That’s no coincidence. The head of the National Security Agency has acknowledged that the NSA purchases web-browsing data of Americans from data brokers, bypassing the need for warrants. The bombshell confirmation came after Senator Ron Wyden (D-OR) put a hold on the nomination of the NSA’s incoming director, Timothy Haugh, and demanded answers about the agency’s practices in collecting Americans’ location and internet data. Wyden, who has been attempting for three years to reveal that the NSA buys Americans’ internet records, received a letter on December 11 from current NSA Director Paul Nakasone confirming these purchases. Reuters first reported the letter’s details.

Notifications can be nefarious

But ads are just one-half of the problem. Another investigation by Mysk revealed that bad actors are exploiting the push notifications on iPhones to collect crucial data for diagnostics and customized data delivery. Whenever an app gets a push notification, iOS briefly wakes it up, giving it a short window to personalize the notification before showing it to the user. Not shockingly, various social apps, infamous for their invasive data collection habits, are exploiting this background runtime provided by push notifications. Developers can cleverly use this loophole to execute code in the background whenever they want, simply by sending push notifications. Numerous apps are using this function to covertly send comprehensive device data while operating in the background, effectively running a system for fingerprinting devices. “The frequency at which many apps send device information after being triggered by a notification is mind-blowing,” says the security firm. This investigation has unearthed suspicious behavior even from massively popular platforms such as Facebook, TikTok, and LinkedIn.

What do experts have to say?

The only solution to this problem? Disabling notifications. “More recently, adversaries look to be using notification pop-ups and ads that may induce the victim into installing spyware onto their devices,” Jon Clay, CEO of global cybersecurity firm Trend Micro, tells Digital Trends. So, what can an average person do to avoid such illicit surveillance, which can transmit identifying details such as location and local data? “Many people have been led to believe mobile devices are secure by themselves,” Clay says, noting that installing ad-blockers may offer some form of safety net or dedicated security apps. What happens on your iPhone does not stay on your iPhone.

“Attacks of this nature are quite insidious and extremely alarming,” says Alan Bavosa, vice president of security products at Appdome. He notes that users are typically in a defenseless position in the face of such attacks since they aren’t aware of what’s happening on their devices in the first place. “There are small things that users can do not to make matters worse, like downloading apps from standard app stores and not changing (jailbreaking or rooting) their devices,” Bavosa tells us. “But these measures are additive, not curative.”

Unfortunately, it seems the onus ultimately falls on the user, and that, too, is a preventive measure. A common suggestion from cybersecurity experts is to manually dig into the settings app and disable notification apps for certain apps and maybe to device sensors as well. “Some Adware and Spyware may be published by bad actors in the official marketplaces under look of a legitimate app,” says Shawn Loveland, chief operating officer at Resecurity. “It is recommended not to install random apps or apps you don’t really need.”

Even though bad actors have found workarounds, asking apps not to track user activity on your iPhone is a prudent step. “It’s a good idea to periodically check the permissions of apps, particularly those related to location and microphone access, and to disable any that aren’t necessary,” suggests John Chapman, co-founder of security firm MSP Blueshift. Some reprieve will arrive later this year as Apple prepares to ask developers to explicitly explain why they need to access push notifications and the related diagnostic systems on iPhones. It’s not going to fix all the problems in one go, but it’s at least a decent start.

Next
Previous