There may be a major privacy vulnerability in iOS 16 that allows apps to query the device location without user consent. According to a report from Brazil, unwanted location access by the app of a major Brazilian delivery service was observed in iOS 16.2: although the user had explicitly denied location access in the iOS settings, the privacy view of the iOS Control Center logged location requests by the “iFood” app. After installing iOS 16.3 the behavior stopped.
Vulnerability in Apple Maps
A vulnerability patched in iOS 16.3 has now sparked speculation that it could have been a bigger problem. According to Apple, the update fixes a bug in Maps (Apple Maps) that may have allowed apps to bypass privacy settings. Apple describes it as a logic issue that was addressed with “improved state management”. Patches are also available for iPadOS 16, macOS 13 and watchOS 9.
Further details on the vulnerability, tracked as CVE-2023-23503, have not yet been published, so it remains unclear whether it actually gives other apps unauthorized access to location services. It is also unclear who found the vulnerability and reported it to Apple; the company only credits an “anonymous researcher”.
App provider rejects allegations
The Brazilian provider of the iFood app has rejected the allegations of unwanted location access in a statement to a Brazilian journalist: no code could be identified in its app that allows location access without authorization.
In iOS, users have always had to grant access before an app can obtain their precise location. However, apps can also use the user's IP address to determine the location roughly. Apple closed loopholes such as location tracking via Wi-Fi (WLAN) information several years ago with iOS 13. However, the now very fine-grained permission settings for location services repeatedly cause confusion and incorrectly chosen options among iPhone users.
(lbe)