'Background App Refresh', And How Apple's iPhones Leak User Data To Trackers

If it's the privacy battle between Android and iOS, most people would agree that the latter is safer and more secured. But is it really?

In the modern connected world, practically all devices with internet capabilities are connected 24/7. Throughout this time, the device may exchange information with servers around the world, pinging multiple services, downloading or uploading things, and so forth.

As for iOS, The Washington Post discovered that a lot of third-party apps are abusing 'Background App Refresh' to regularly send sensitive personal information to tracking companies.

This iOS feature allows apps to refresh their content by running periodically in the background.

While it's no surprise that apps can do this to gather all sorts of analytics data. But the frequency they gather data and send the data that made it quite alarming.

The Washington Post said to have used the Disconnect’s Privacy Pro app to find that many apps were sending details like phone number, email, exact location, IP address, and more.

Apple ad near CES 2019
Ahead of CES 2019, Apple highlighted its stance on privacy in an ad that said 'What Happens On Your iPhone, Stays On Your iPhone'

The Washington Post said that:

"Apple says, 'What happens on your iPhone stays on your iPhone'. Our privacy experiment showed 5,400 hidden app trackers guzzled our data — in a single week."

The list of offending apps include: Microsoft OneDrive, Mint, Nike, Doordash, Spotify, Yelp, The Weather Channel, Citizen, and even The Washington Post’s own iOS app.

The Citizen app for example, was found to be sharing personally identifiable information that was in violation of its published privacy policy. The company behind it removed the tracker after the Washington Post contacted them.

Yelp on the other hand, was sending a message containing IP addresses every five minutes, a behavior the company later acknowledged was a bug.

Another example was the DoorDash’s app. It was discovered that the app was using nine different trackers to gather details from users' phones, to gather information like device name, model, ad identifier, memory size, accelerometer data, delivery address, name, email, and cellular phone carrier.

The app needed all that to help identify fraud.

According to Geoffrey A. Fowler, a technology columnist at the Washington Post, he said that his iPhone with those trackers would have "spewed out 1.5 gigabytes of data over the span of a month."

Apple Privacy

App trackers aren’t inherently bad.

Just like previously said, some tackers are good, as they are used to diagnose app's behavior to improve performance. By knowing how users use apps, the developers would get the idea how to improve things. Other trackers analyze usage patterns to serve ads. These too are common on mobile apps.

While Apple is at the center of The Washington Post's research, tracker issues are also present on Google's Android.

As a matter of fact, Google doesn't allow Disconnect’s Privacy app on its Play Store, due to reasons like the app might interfere with another app displaying ads.

This raises questions about privacy.

First of all, why do these companies collect so much information? Are they all necessary? Second, how long do these companies store those sensitive information? Days, weeks, months, or probably years? And third, who else do these third-party trackers share the data with?

But for what is clear here is that, the more apps users use and more they spend their time on their phones, things are becoming evident that app permission and privacy policies alone aren't enough.

Apple and Google should have gone to greater length to create tracking protection controls built into their respective mobile operating system, to ensure that data collection and sharing practices are more transparent.

But getting more deeply involved with app data practices can be complicated.

In the modern days of the internet, Apple and Google cannot simply ban all connections to outside servers. And some companies are so big they don’t even need the help of outsiders to track them.

In the meantime, the only best solution is to turn off background app refresh on iOS devices by heading to: Settings > General > Background App Refresh > Off.

Apple has built a great reputation and marketing strategy that centered around privacy. Here, the company is not wrong, as the company treats personal data with respect (or at least better than Google due to the fact that Apple's business doesn't live on ads). The company also said that it never eavesdrop on conversation.

However, iPhones can leak all sorts of data, often with Apple having no viable ways to stop them.

Published: 
30/05/2019