A concerning new report reveals that social media giants like Facebook, TikTok, X/Twitter and others are exploiting iPhone push notifications to gather sensitive user data without permission.

According to research conducted by app analytics firm Mysk, major apps including Facebook, Instagram, TikTok, LinkedIn, and X (formerly Twitter) have built code into their iOS apps to gather detailed device information and analytics whenever a push notification is sent to a user’s device. This allows the apps to collect user data even when the app is not actively being used.

Due to Apple‘s privacy restrictions that limit background activity on iOS, most apps are unable to run continuously in the background or gather data when they are not in use. Push notifications, however, briefly reactivate the app in order to deliver customized notifications. The Mysk report shows that during this short activity window, apps are able to execute additional code that extracts detailed device statistics and analytics to create digital fingerprints and profiles of each user.

The concerning implications are twofold. First, users are not made aware that enabling push notifications also opens a gateway for companies to access detailed information about their device, like battery levels, memory usage, screen brightness and more, all of which can be used for invasive ad targeting and fingerprinting. Second, Apple’s background app restrictions, which are meant to limit unauthorized data gathering, are easily bypassed by abusing push notification privileges.

Major platforms caught engaging in this practice defended the data gathering, claiming it is only used to improve notifications. However, Mysk observed that the precise device statistics collected go far beyond what would reasonably be needed just for notifications.

Apple is already working to close this loophole in a future iOS update, but in the meantime, concerned users can disable all push notifications for apps they do not wish to share data with when inactive. Just be aware that disabling notifications entirely is required, rather than just toggling them off.

The report underscores growing concerns over the data gathering practices of major tech companies, which continue to find creative workarounds to extract increasing amounts of user information. It also reveals limitations in Apple’s tightened privacy policies, which still contain holes allowing determined apps to learn detailed user behaviors without obtaining meaningful consent.

As tech companies amass more sensitive statistics through covert means like notification abuse, users suffer from lost privacy while gaining little in return. The onus remains on lawmakers and platform operators like Apple to restrict unethical data gathering practices, even those that manage to technically follow guidelines through creative exploitation.