Apple clarifies Maps bug prevented sharing your location without consent

Apple has denied reports that an Apple Maps privacy bug allowed people’s geographic location to be shared with third-party apps without permission.

• What’s happening? Apple’s statement denied reports that a bug already fixed allowed third-party apps to bypass user control over location data.
• Why care? Privacy may have been used by the iFood app to collect location data, even if the user has denied the app all access to the location.
• What to do? Navigate to the privacy controls and check location permissions.

Apple Denies Maps Privacy Bug Claims

Brazilian journalist Rodrigo Guedin recently discovered that a privacy vulnerability in iOS and iPadOS could allow third-party iPhone and iPad apps to collect users’ location data without their consent for an unknown period, even if location access is completely disabled in the iPhone’s privacy settings.

His report claims that a Brazilian food delivery app was able to exploit the vulnerability to continue collecting location data even after the user had revoked permission for the app. Apple responded to the report by denying that the Maps bug ever allowed apps to bypass users’ privacy settings.

Here is the statement that Apple gave to 9to5Mac:

The suggestion that this vulnerability could allow applications to bypass user controls on the iPhone is false. The report also erroneously suggested that an iOS app exploited this or another vulnerability to bypass user control over location data. Our subsequent investigation concluded that the app does not bypass user controls through any mechanism.

The iFood team also issued a statement saying that it has investigated the issue and found no code in the software that would allow access to a user’s location without authorization. Any data collected is used only for the purposes set out in the iFood privacy statement.

iOS 16.3 fixes privacy bug in Apple Maps

iOS 16.3 brought a host of updates and security fixes, including a fix for an Apple Maps bug that could allow an app to bypass privacy settings. According to a security document on Apple’s website, “a logical issue has been resolved with improved state management”to resolve the error.

According to a company statement provided by 9to5Mac, this bug could only be exploited from non-sandboxed apps on macOS.

The code base we patched is shared across iOS and iPadOS, tvOS and watchOS, so the patch and recommendations have been extended to those operating systems even though they were never at risk.

Review your privacy settings

You are advised to review the privacy permissions you have given to apps by going to Settings → Privacy → Location Services and reviewing the location access you have granted to each of the listed apps. Generally speaking, it is recommended to restrict access from “Anytime”to “Only when in use”.

It’s unclear how long this vulnerability has been around, but it’s encouraging to see that the iOS 16.3 and iPadOS 16.3 updates have fixed it.