For privacy researchers, this thread is interesting. iOS allows apps to make network requests after push notifications.

Instagram (and others) appear to be using this to profile devices, e.g. retrieve device uptime without their customer opening Instagram.

This one probably needs more eyes on it. https://mastodon.social/@mysk/115204746326765802

@GossiTheDog welp. we can imagine the conversation that happened during launch review, and how everyone convinced themselves that was okay.
@GossiTheDog there are good reasons to be cautious about whose software you allow on your devices. I'm curious about who else might be doing the same thing.
@fencepost @GossiTheDog a lot of big companies are putting out software that meets the dictionary definition of malware
@fluffykittycat @fencepost @GossiTheDog by dictionary definition all big companies are shipping malware, and nothing but

@GossiTheDog the question is who else does this kind of data collection.

Or TBH, it might be easier to ask who isn’t doing that! 😓

@GossiTheDog

Sigh...

I'm going to guess that this is APNs, but betting the same problem exists for FCM and WebPush. Even ServiceWorker threads have some small autonomy about the sort of things that they can do, and the FetchAPI is available, so URL loading is definitely "a thing".

This is why we can't have nice things.

@GossiTheDog ironically this feature started as a way to Not include the content on push notifications, so apps could just trigger an encrypted update.

we cannot have even average things
@GossiTheDog I'm glad that even on Android I have disabled notifications for everything I don't need.
@GossiTheDog this is (another reason) why I have disabled almost all notifications on my device.

@jtig @GossiTheDog

Does that help? The app still receives the push notification, it just can't present it to the user. Disabling notifications wouldn't prevent this, it would just make it more stealthy.

@david_chisnall @GossiTheDog afaik, no notifications client side means no APNS sending you the push notification in the first place. On the other hand, apps like Instagram do have the ability to refresh or retrieve information in the background. I'll check with the original posters.
@jtig @david_chisnall @GossiTheDog the notification wake you linked is only a workaround for users who toggle the limit background battery for those apps. otherwise they don't even need that.
@GossiTheDog I don't know what this means, but I definitely don't like it.
@GossiTheDog I beg people to remove Meta apps from their lives but the dopamine hits just are too strong.
@GossiTheDog this looks like it's the thumbnail image, which can be retrieved when rendered; that's a GET of a jpg with lots of PII attached as ? params
That content download makes sense, but it's when it is retrieved that Apple could control, e.g. requiring it done in advance
As for all the privacy invasion, that's Facebook in general.

@GossiTheDog
It's one thing if an internet fetching app with minimum permissions calls out after an inbound push.

It's another thing when an app that requires no internet to function, which has been granted huge privileges beyond those needed for its purpose, responds to push beacons to make code run in the background.

When will a phone let INTERNET ACCESS be something we can control?? Why must I use my VPN slot with a proxy blocker? Whitelisting app net access has made my phone quite pleasant.

@GossiTheDog
My HSA provider will require passkeys this fall, but it requires their app, no 3rd party authenticator option. I’m refusing. I don’t trust them.