Security experts spot Facebook’s sneaky iPhone user tracking trick
Security researchers are warning iOS users to delete Facebook, because it continues to track them even when they ask it not to do so.
Facebook’s sneaky tricks
What’s happening is that even when you opt out of being tracked on your device by third-party apps, Facebook will still be gathering data about you. The researchers claim it does so using some insidious-seeming tricks, including:
- Sucking location metadata from images and IP addresses.
- Using the accelerometer on your device to track your movements – this data can be correlated with data sourced from others to estimate information you may want kept hidden, enabling it to infer your position.
What makes these tricks worse is that Facebook doesn’t appear to be providing any transparency at all to inform users of what is happening to them.
“Currently, iOS allows any installed app to access accelerometer data without explicit permission from the user. Curious apps might be able to learn a lot about users through the accelerometer and without their knowledge or permission,” the researchers warned.
Information is power
The information is powerful.
Security researcher Tommy Mysk told Forbes: “Apps can figure out the user’s heart rate, movements, and even precise location. Worse, all iOS apps can read the measurements of this sensor without permission. In other words, the user wouldn’t know if an app is measuring their heart rate while using the app.”
This information can be used to deduce where you are by comparing your movement with that of someone close to you, such as when sharing a train or bus, and there have been studies that seemingly claim it is possible to infer what people are saying through use of this data.
For example, if you are on the bus and a passenger is sharing their precise location with Facebook, Facebook can easily tell that you are in the same location as the passenger. Both vibration patterns are going to be identical, e.g. the bus suddenly stops or takes off.
— Mysk 🇨🇦🇩🇪 (@mysk_co) October 19, 2021
“We tested several apps,” Mysk explains, “and Facebook and Instagram stood out. While Facebook reads the accelerometer all the time, Instagram only reads it when the user is texting in the DM. In addition, WhatsApp also reads the accelerometer by default to animate chat wallpapers. So, this puts these three apps together, and you wonder if they are matching vibration patterns among users. This can get nasty, and the way to end it is by protecting this valuable sensor with a permission.”
The researchers suggest that Apple take steps to extend user privacy protection to the accelerometer and apps.