A privacy bug in Apple Maps, fixed in iOS 16.3, could allow apps to collect user location data without permission.
At least one app appears to do so, and security reporters speculate that the same privacy bug may have been exploited by countless apps over an unknown period of time.
iOS 16.3
iOS 16.3 rolled out last week after being in beta for a month. A highlight was support for physical security keys as part of the two-factor authentication sign-in process on newer devices.
Other features highlighted in the release notes are:
- New Unity wallpapers honor Black history and culture in celebration of Black History Month
- HomePod (2nd Gen) support
- Emergency SOS calls now require holding the side button together with the volume up or down button, to prevent inadvertent emergency calls.
The release notes also mention some bug fixes. Watch a video runthrough of all the new features.
Apple Maps privacy bug
Not all bug fixes are listed in Apple’s iOS Release Notes. Instead, security-related stuff is mostly covered in separate documents. Apple lists 12 different security patches, including one for the Apple Maps privacy bug.
Eligible devices: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
Impact: An app may be able to bypass privacy settings
Description: Improved state management and addressed logic issues.
CVE-2023-23503: Anonymous Researcher
Seems to be actively exploited
We don’t know for sure, but it appears that at least one app was actively exploiting this bug. Brazilian journalist Rodrigo Ghedin says iFood, a multi-billion dollar Brazilian food delivery app, was found to be accessing users’ location information in iOS 16.2 even when users denied the app all access to location information.
Readers of operating instructions (my blog, written in Portuguese) noticed a glitch/bug when using iOS 16.2.
iFood, Brazil’s largest food delivery app with a valuation of US$5.4 billion, was accessing the user’s location information when not open/not in use, bypassing iOS settings that restrict apps’ access to certain phone features. Even when a reader denied access to his location outright, iFood’s app continued to access his phone’s location.
It’s only speculation that this exploited the bug in question, but it is at least a very plausible explanation. What the iFood app did shouldn’t have been possible, and the bug described by Apple appears to have made it possible.
As Ars Technica security writer Dan Goodin puts it, this poses the question: What other apps abused it? How much location data was collected using it?
A large amount of location data may have been collected without users suspecting anything. I asked Apple for details, but the company declined to answer.
Another user in the thread suggested the bug might be related to what happens when a user grants location access to an app and then revokes or restricts it (e.g. changing from “whenever” to “only when in use”), and to how the list of apps that have access to location data is updated.
The bug is currently listed as “reserved”, so it’s unlikely Apple will comment. That means no details will be released until most iOS users upgrade to iOS 16.3 (or a patched version of a previous release).