
Apple Maps privacy bug may have allowed apps to collect location data without permission

An Apple Maps privacy bug fixed in iOS 16.3 may have allowed apps to collect user location data without permission.

At least one app appears to have done so, and a security reporter has speculated that the same privacy bug could have been exploited by countless apps over an unknown time period …

iOS 16.3

iOS 16.3 became publicly available last week, after a month in beta. The headline feature was support for physical security keys as part of the two-factor authentication sign-in process on new devices.

Other features highlighted in the release notes were:

  • New Unity wallpaper honors Black history and culture in celebration of Black History Month
  • Support for HomePod (2nd generation)
  • Emergency SOS calls now require holding the side button with the up or down volume button and then releasing in order to prevent inadvertent emergency calls

The release notes also mention several bug fixes. Check out our video run-through of all the new features.

Apple Maps privacy bug

Apple’s iOS release notes don’t list every bug fix; instead, the security-related ones are mostly covered in a separate document. Apple lists 12 different security patches, including one for an Apple Maps privacy bug:

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-23503: an anonymous researcher

Appears to have been actively exploited

We don’t know for sure, but it certainly appears that the bug has been actively exploited by at least one app. Brazilian journalist Rodrigo Ghedin reports that iFood, a multibillion-dollar Brazilian food delivery app, was found to be accessing a user’s location in iOS 16.2 even when the user denied the app all location access.

A reader of Manual do Usuário (my Portuguese-written blog) noticed the glitch/bug while using iOS 16.2.

iFood, Brazil’s largest food delivery app, evaluated at USD 5.4 billion, was accessing his location when not open/in use, bypassing an iOS setting that restricts an app’s access to certain phone features. Even when the reader completely denied location access to it, iFood’s app continued to access his phone’s location.

It’s just speculation that this exploited the bug in question, but it is at least a very plausible explanation. What the iFood app did should not have been possible, while the bug Apple describes would seemingly have made it possible.

The questions raised by Ars Technica security writer Dan Goodin are: How long has this vulnerability existed? What other apps have exploited it? How much location data was gathered using it?

There may have been massive amounts of location data that was collected without users suspecting a thing. I’d ask Apple for details, but the company would never answer.

Another user in the thread speculated that the bug may have related to when a user granted location access to an app and subsequently revoked it or limited it (for example, from “Anytime” to “Only when using”), with iOS failing to properly update the list of apps able to access location data.

Apple is unlikely to comment, as the bug is currently listed as “reserved,” meaning that details won’t be released until a later time, likely when most iOS users have upgraded to iOS 16.3 (or a patched version of an earlier release).

Photo: Tamas Tuzes-Katai/Unsplash


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

