iPhone photo with geolocation

Apple’s latest iPhone 11 Pro model has been found to continuously collect and transmit your location data even when specifically told not to.

Security journalist Brian Krebs wrote about this on his blog, with an accompanying video revealing that the new phone in fact appears to periodically poll location data from the built-in GPS even if individual apps are set to never request location data in Settings → Privacy → Location Services. This also happens if the user has disabled location data access for all system services in Settings → Privacy → Location Services → System Services.

One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data.

The company reportedly didn’t respond to any follow-up questions.

TUTORIAL: How to stop iPhone from tracking your location

Krebs reported this to Apple, but a company engineer responded by saying this is by design even though that response seems at odds with the company’s own privacy policy.

We do not see any actual security implications. It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings.

You can watch this in action by observing the arrow icon that appears periodically next to apps and services that have been manually disabled in Settings.

According to Apple’s Privacy Policy:

Your device will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.

The only way to prevent location data gathering is to turn off Location Services altogether, but doing so significantly reduces the usefulness and features of the device.

TUTORIAL: Understanding iOS Location Services and what they do

While you can individually disable location access for apps and system services in Settings, Kerbs observes that some system services that request location data obviously cannot be user-disabled without completely turning off Location Services.

It’s unclear if other iPhone 11 models exhibit this behavior.

For what it’s worth, Kerbs couldn’t replicate this issue on an iPhone 8. “Perhaps this oddity is somehow related to adding support for super-fast new Wi-Fi 6 routers, which may have involved the introduction of new hardware,” he speculated.

Apple assures that there’s nothing to worry about, but we respectfully beg to differ. Collecting and transmitting location data against user settings poses a potential security risk.

Thankfully, iOS 13 has brought out some notable changes designed to prevent apps from collecting location data without consent. For starters, iOS 13 lets you choose if you’d like to share your location with an app just once or every single time you open the app.

You also get a notification when an app is using your location in the background.

These changes in iOS 13 have effectively killed the ability for third-party apps to request persistent device location data upon initial setup.

And in a yet another effort to stop workarounds like using Bluetooth to approximate the user’s location, app developers are now required to actually request access to Bluetooth or Wi-Fi via an API. It’s resulted in many apps that you may not have used extensively in the past now popping up a dialog requesting Bluetooth access, like you see above. Lastly, sharing a photo in iOS 13 now lets you choose whether or not you share your location along with it.

What do you make of this weird location gathering on the iPhone 11 models?

Could this unexpected behavior suggests that a privacy vulnerability exists in the iPhone 11 series or iOS 13, or both, do you think?

Let us know by sharing a comment down below.