An Apple Maps privacy bug fixed in iOS 16.3 may have allowed apps to collect user location data without permission.
At least one app appears to have done this, and one security reporter has speculated that the same privacy flaw could have been exploited by countless apps over an unknown amount of time…
iOS 16.3 became publicly available last week, after a month in beta. The headline feature was support for physical security keys as part of the two-factor authentication sign-in process on new devices.
Other features highlighted in the release notes were:
- The new Unity wallpaper honors black history and culture in celebration of Black History Month
- HomePod (2nd generation) support
- SOS emergency calls now require you to hold and then release the side button with the volume up or down button to prevent accidental emergency calls
The release notes also mention several bug fixes.
Apple Maps privacy error
Apple’s iOS release notes don’t list all bug fixes; instead, the security-relevant ones are usually dealt with in a separate document. There, Apple lists 12 different security patches, including one for a privacy bug in Apple Maps:
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later and iPad mini 5th generation and later
Impact: An app may be able to bypass privacy controls
Description: A logic issue was addressed with improved state management.
CVE-2023-23503: an anonymous researcher
Appears to have been actively exploited
We don’t know for sure, but it seems likely that the bug was actively exploited by at least one app. Brazilian journalist Rodrigo Ghedin reports that iFood, a multi-billion dollar Brazilian grocery delivery app, accesses a user’s location on iOS 16.2 even if the user denies the app all location access.
A reader of Manual do Usuário (my blog, written in Portuguese) noticed the error/bug when using iOS 16.2.
iFood, Brazil’s largest grocery delivery app, valued at $5.4 billion, accessed the user’s location when not open/in use, bypassing an iOS setting that restricted the app’s access to certain phone features. Even when the reader denied location access entirely, the iFood app kept accessing his phone’s location.
It’s just speculation that this exploited the bug in question, but it’s at least a very plausible explanation. What the iFood app did shouldn’t have been possible, while the bug described by Apple apparently made it possible.
The questions raised by Ars Technica security editor Dan Goodin are: How long has this vulnerability existed? What other apps have exploited it? How much location data was collected with it?
Huge amounts of location data may have been collected without the users’ knowledge. I would ask Apple for details but the company would never answer.
Another user on the thread speculated that the bug could be related to a user granting location access to an app and then revoking or restricting it (e.g. from “anytime” to “only when used”), with iOS failing to properly update the list of apps that are allowed to access location data.
Apple is unlikely to comment, as the CVE is currently listed as “reserved,” meaning details won’t be released until a later date, likely once most iOS users have updated to iOS 16.3 (or a patched release of an earlier version).
Photo: Tamas Tuzes-Katai/Unsplash