Apple clarifies a Maps bug wasn’t sharing your location without consent

Apple has denied reports that an Apple Maps privacy bug was sharing people’s geographical location with third-party apps without permission.

  • What’s happening? An Apple statement has denied reports that a now-fixed bug permitted third-party apps to bypass user control over location data.
  • Why care? The privacy bug may have been exploited by the iFood app to gather location data even when the user has denied the app all location access.
  • What to do? Go to your privacy controls and review location permissions.

Apple denies Maps privacy bug claims

Brazilian journalist Rodrigo Ghedin recently discovered that a privacy vulnerability in iOS and iPadOS could have enabled third-party iPhone and iPad apps to gather location data from users without consent over an unknown period, even with location access turned off entirely in the iPhone’s privacy settings.

His report claims that the Brazilian food-delivery app iFood managed to leverage the vulnerability to continue gathering location data even after the user had revoked permission for the app. Apple has responded to the report, denying that a Maps bug ever permitted apps to circumvent users’ location privacy settings.

Here’s the statement Apple gave to 9to5Mac:

The suggestion that this vulnerability could have allowed apps to circumvent user controls on iPhone is false. A report also incorrectly suggested an iOS app was exploiting this or another vulnerability to bypass user control over location data. Our follow up investigation concluded that the app was not circumventing user controls through any mechanism.

The iFood team also issued a statement, saying it conducted an investigation into the issue and identified no code in the software that would enable access to the user’s location without authorization. Any data collected is used only for the purposes set out in iFood’s privacy statement, it claims.

iOS 16.3 fixes a privacy bug in Apple Maps

iOS 16.3 brought a bunch of security updates and patches, including a fix for an Apple Maps bug that sounds like it could have allowed an app to bypass the privacy preferences. According to a security document on Apple’s website, “a logic issue was addressed with improved state management” to resolve the bug.

The bug in question could only be exploited from unsandboxed apps on macOS, according to the company’s statement given to 9to5Mac.

The codebase that we fixed is shared by iOS and iPadOS, tvOS and watchOS, so the fix and advisory was propagated to those operating systems as well, despite the fact that they were never at risk.

Revisit your privacy settings

It’s worth revisiting the privacy permissions you’ve given to apps: go to Settings → Privacy → Location Services and review the location access you’ve granted to each listed app. Generally speaking, it’s a good idea to restrict access from Anytime to Only when using.

It’s unclear how long this vulnerability has existed, but it’s encouraging to see that the iOS 16.3 and iPadOS 16.3 updates have fixed it.
