iOS Apps Grossly Abusing Background App Refresh for Tracking Purposes

Geoffrey Fowler, writing for The Washington Post:

It’s 3 a.m. Do you know what your iPhone is doing?

Mine has been alarmingly busy. Even though the screen is off and I’m snoring, apps are beaming out lots of information about me to companies I’ve never heard of. Your iPhone probably is doing the same — and Apple could be doing more to stop it.

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

And all night long, there was some startling behavior by a household name: Yelp. It was receiving a message that included my IP address — once every five minutes.

This is all going on via Background App Refresh. You can see which apps have this permission on your iOS device in Settings: General: Background App Refresh (it’s the 8th item in General in iOS 12).

This feature exists for good reasons — it’s how email, messaging, and podcast apps can update in the background. You probably want new podcasts episodes to download in the background overnight. You want current weather information when you wake up in the morning. But anything that can be abused, will be abused, and it looks like a lot of apps are abusing the shit out of Background App Refresh.

I don’t know what Apple can do to make this more transparent — to somehow let you, the user, see what exactly these apps are doing in the background — but I sure hope it’s on their radar. At this point, a lot of these apps — because of the third-party “analytics” libraries they embed — are acting as spyware, pure and simple.

Wednesday, 29 May 2019