Thanks to device fingerprinting, sly marketing companies may now monitor smartphone users using common features.
When it comes to smartphones, advertisements and push alerts are like peanut butter and jelly. Although advertisements are associated with a great deal of controversy over privacy, they are generally regarded as the result of some type of monitoring, not the instrument that makes surveillance possible in the first place. According to the findings of two studies carried out by 404 Media and Mysk, a duo of iOS developers, advertisements and push notifications have started to give marketing companies a very simple method to spy on smartphone users.
The 404 Media study centres on a platform known as Patternz. Although only a small percentage of smartphone users are aware of Patternz’s existence, it has been stated that businesses of all sizes are using the service to construct five billion individualised surveillance profiles. Rafi Tonne, the CEO of Patternz, has stated that the company intends to analyse the behaviour of smartphone users through “over 600,000 applications,” with the express purpose of assisting governments in monitoring the spread of Covid-19. However, according to 404 Media, marketing materials that have since been destroyed were distributed that pitched Patternz exclusively to national security agencies. Tonne went so far as to declare that Patternz has the potential to transform the relatively simple mobile phone into a “de facto tracking bracelet.”
It works like this: users of popular apps such as 9gag, Sudoku, and Truecaller are shown advertisements in the form of banners, videos, and audio. In most cases, these advertisements are targeted using information associated with users’ device fingerprints, including GPS data, web browsing history, and other data that ought to be kept private. All of this information is compiled by real-time bidding platforms, including Google, Yahoo, MoPub, PubMatic, and others, which allow businesses to purchase advertising space. Patternz obtains data from these platforms through its very own “fully commercial and operational AdTech arm.” Patternz then uses this data to construct its “national security platform,” which gives information about the whereabouts of smartphone users, their interests, and even their connections with other users.
Apparently, this mysterious AdTech arm could be Nuviad, an advertising agency of which Tonne is also the CEO. After 404 Media began reaching out to several of the companies involved in real-time ad bidding, a couple of firms, including Google and PubMatic, stated that they had cut their ties with Nuviad in order to investigate the company’s data usage.
Advertisements, however, are not the only way for problematic organisations to gain unrestricted access to people’s everyday lives. A video uploaded on Thursday by Mysk, two iOS developers and “occasional security researchers,” discusses the use of iOS push notifications as potential surveillance tools. Although iOS does not permit applications to run fully in the background, push notifications wake applications for a short period and give them “a limited time to customise the notification before it is presented to the user.” iOS ends the background process once that brief amount of time has passed.
According to Mysk, developers can easily exploit this by collecting information about the device while their applications are running quietly in the background. Many developers do this. “This includes system uptime, locale, keyboard language, available memory, battery status, device model, display brightness,” the two said. Most of this information is stored using Google Analytics or Firebase, which is Google’s platform for developing mobile and web applications.
At this time, the only way for users to prevent developers from collecting their information in this manner is to disable push notifications. However, according to Mysk, starting this spring Apple will force developers to clearly describe why they use the APIs that are responsible for the data-grabbing. This would ideally help Apple weed out developers who have questionable motives.