iPhone 11 Pro found to collect location data against user settings

Posted:
in iPhone edited December 2019
A report on Tuesday suggests Apple's iPhone 11 Pro, and potentially iPhone 11 models, continuously collect and transmit location data when user-selectable location services settings are disabled, behavior that could pose a potential security risk.

iPhone 11 Pro


Outlined by security journalist Brian Krebs, iPhone 11 Pro appears to periodically ping its GPS module to gather location data in the face of user wishes.

Krebs demonstrated the activity in a video captured on an 11 Pro running Apple's latest iOS 13.2.3 software, which continues to collect GPS data for certain apps and system services despite manual disablement of individual Location Services in iPhone Settings. Interestingly, iPhone 11 Pro seeks GPS data even when an app's Location Services switch is set to "never" request said information.

Apple in a privacy policy available for perusal in iPhone's Location Services settings screen says the handset "will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations." The company states location-based system services can be disabled individually in Settings, but Krebs found iPhone or iOS makes exceptions for certain services.

"But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location," Krebs explains.

As evidenced in the short clip, Apple's iOS location services indicator, a small arrow icon that denotes recent or current use of GPS data, appears next to apps and services that have been manually disabled in Settings.

In iOS, users can enable and disable system location services through a user interface provided in the Privacy > Location Services section of the Settings app. The management apparatus is highly granular and offers control over first- and third-party apps, basic iOS services and other Apple features. These tools were bolstered in iOS 13, which greatly enhances user control over data sharing features and reduces the possibility of inadvertent location tracking features.

Previously, third-party apps could request persistent device location data upon initial setup, but iOS 13 removes that ability. Further, when always-on tracking is manually enabled in the Settings menu, a pop-up window periodically appears to remind users of the configuration and provides an option to turn it off.

Apple does not apply those same restrictions to its own apps, but does inform iPhone owners of its location services practices in software user agreements.

Krebs was unable to replicate the potential security issue on an iPhone 8. Whether Apple's iPhone 11 operates in an identical manner is unknown.

When contacted about the possible bug that seemingly contravenes its own privacy policy, Apple said the behavior was expected.

"We do not see any actual security implications," an Apple engineer said. "It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings."

Krebs believes the curious activity might be related to new iPhone hardware introduced to support Wi-Fi 6, but that theory remains unconfirmed.

For now, the only surefire way to avoid intermittent GPS pings on iPhone 11 Pro is to completely disable Location Services in Settings. Doing so, however, renders many iPhone features useless.
philboogie
«13

Comments

  • Reply 1 of 47
    What the heck. It seems every other month a major privacy invasion of our iPhones gets discovered. It’s almost like a built in...

    revolving back door. 

    back foot gets discovered. Said company “patches” it - only for a new opening to be “discovered” and “patched, etc. etc. 

    philboogie
  • Reply 2 of 47
    mcdavemcdave Posts: 1,826member
    Easy fix. Change the “Location Services” to “Location Access” with the explanation this is 3rd party access to the device’s location.
    Pezawatto_cobrajahblade
  • Reply 3 of 47
    cpsrocpsro Posts: 2,928member
    N.B. With location services disabled, 3rd parties can still get your general location, if not your specific location, from your IP address.
    watto_cobraStrangeDays
  • Reply 4 of 47
    Bad AppleInsider.   Stop posting misleading nonsense clickbait. Turn off location services. “Problem”solved. 
    mac_dogmacpluspluswatto_cobramdriftmeyerchabigArloTimetravelerSpamSandwichtommikeleneilmStrangeDays
  • Reply 5 of 47
    One needs to be mindful that location controls are there to rein in:
    1. 3rd party apps that abuse this feature (privacy, ads, irrelevant location fishing, etc.), 
    2. Disablement of certain stock-features that the user doesn't want to involve themselves in for privacy/data/policy reasons.
    While I think it's a good idea to pull this thread to see where it goes, phones are an inherently trackable device and coverage relies on it. Over time this has become more advanced to provide better service to the user, optimisations for the network provider and also other users of their own devices.

    Additionally there is a level of consent (implied and directly granted) between the user and the device maker when the consumer makes the positive decision to buy an electronic device with such features (especially when those features are extensively marketed to entice purchase.)

    So yes, while I think this should be further investigated. There is a chasm of difference between Apple using your location and a 3rd party app using your location. Equating th two is a sensationalist mistake.
    edited December 2019 jd_in_sbphilboogiesmiffy31watto_cobraredgeminipaflyingdpchabigcornchiprepressthisdewme
  • Reply 6 of 47
    This could be related to their rumoured version of the Tile Tracker?
    watto_cobrarazorpit
  • Reply 7 of 47
    PezaPeza Posts: 197member
    I must say I’ve noticed the little arrow appear at the top of the screen a lot these days. I was suspecting iOS sending data, glad to see it confirmed, also not glad as it makes a complete mockery of privacy and security settings in iOS, and makes Apples ‘what’s on your iPhone stays on your iPhone’ advertising campaign seem incredibly hypocritical. I’ve noticed the gps arrow on my iPhone XR and iPad Pro.

    Apple has recently proved it is no different, indeed in some cases worst, then Amazon or Google or even Facebook with data collection recently. And appears to only be offering solutions once caught red handed with its hand in the cookie jar!. It really should be the polar opposite. Particularly considering all the health information the company gathers on you if you wear an Apple Watch.

    Perhaps as suggested, it would be far better for Apple to be completely upfront and honest about it’s data collecting and tracking features, in plain English and not buried in cleverly worded text in a multi page end user agreement. Change it’s wording.
    That way they won’t appear as the bad guys, and everyone knows where they stand. Location services are useful, just be up front with how they work.
    edited December 2019
  • Reply 8 of 47
    philboogiephilboogie Posts: 7,671member
    Wasn't this also the case with iPhone OS4? Yeah, where Steve made a public excuse.

    ...history repeating itself...

    Peza
  • Reply 9 of 47
    adamcadamc Posts: 582member
    Yes it is life and death since Apple knows where I am.
    watto_cobra
  • Reply 10 of 47
    larryjwlarryjw Posts: 858member
    This is an issue? Seems like Apple’s privacy statement is perfectly compatible with what is claimed Apple is doing.

    Secondly, your location is ALWAYS known. You’re only protection for location privacy is to turn off all your devices and never use them. Otherwise, your devices are always, periodically, sending and receiving signals — wifi, gps, cellular, Bluetooth, and general EMR — so, any sensor tuned to picking up radio signals will be able to detect your presence, and since these sensors presumably know where THEY are, will know where you are, after a little triangulation. 

    A recent example is illustrative. Our transportation Dept wanted to understand traffic patterns on major thoroughfares. They installed Bluetooth sensors along the roadways. As cars passed these sensors, they read the Bluetooth pings, which sends the device’s Bluetooth ID. Using this information collected they were able to detect the routes taken — on ramps, off ramps, travel time between points. Now, this analysis was useful only in the aggregate for transportation planning, but if someone could map the Bluetooth ID to your particular device, they could report much about your activities on any given day. 
    edited December 2019 watto_cobraGG1razorpitneilmrandominternetperson
  • Reply 11 of 47
    This could be related to their rumoured version of the Tile Tracker?
    That’s my theory too
    watto_cobra
  • Reply 12 of 47
    yuck9yuck9 Posts: 112member
    loopless said:
    Bad AppleInsider.   Stop posting misleading nonsense clickbait. Turn off location services. “Problem”solved. 
    If this was Google,would you still be saying that ?  Oh, If It's Apple then it's ok right. 

    gatorguymuthuk_vanalingamPezadysamoriarogifan_new
  • Reply 13 of 47
    JFC_PAJFC_PA Posts: 645member
    What the heck. It seems every other month a major privacy invasion of our iPhones gets discovered. It’s almost like a built in...

    revolving back door. 

    back foot gets discovered. Said company “patches” it - only for a new opening to be “discovered” and “patched, etc. etc. 

    Please, as the article points out: You want to turn off completely Location Services? Then COMPLETELY TURN OFF LOCATION SERVICES. 

    Couldn’t be simpler. 

     For now, the only surefire way to avoid intermittent GPS pings on iPhone 11 Pro is to completely disable Location Services in Settings”.

    duh. 
    edited December 2019 randominternetperson
  • Reply 14 of 47
    gatorguygatorguy Posts: 23,300member
    JFC_PA said:
    What the heck. It seems every other month a major privacy invasion of our iPhones gets discovered. It’s almost like a built in...

    revolving back door. 

    back foot gets discovered. Said company “patches” it - only for a new opening to be “discovered” and “patched, etc. etc. 

    Please, as the article points out: You want to turn off Location Services? Then TURN OFF LOCATION SERVICES. 

    Couldn’t be simpler. 
    "Doing so, however, renders many iPhone features useless."
    muthuk_vanalingamPezadysamoria
  • Reply 15 of 47
    If I recall correctly way back in June at WWDC, Apple introduce an always on location services feature that assists with tracking lost iPhones. The feature was for UWB. AppleInsider even published one or two articles about how the feature could be used in augmented reality. Now... the feature has been “discovered”. More to come. 
    lostkiwiwatto_cobra
  • Reply 16 of 47
    Peza said:
    I must say I’ve noticed the little arrow appear at the top of the screen a lot these days. I was suspecting iOS sending data, glad to see it confirmed, also not glad as it makes a complete mockery of privacy and security settings in iOS, and makes Apples ‘what’s on your iPhone stays on your iPhone’ advertising campaign seem incredibly hypocritical. I’ve noticed the gps arrow on my iPhone XR and iPad Pro.

    Apple has recently proved it is no different, indeed in some cases worst, then Amazon or Google or even Facebook with data collection recently. And appears to only be offering solutions once caught red handed with its hand in the cookie jar!. It really should be the polar opposite. Particularly considering all the health information the company gathers on you if you wear an Apple Watch.

    Perhaps as suggested, it would be far better for Apple to be completely upfront and honest about it’s data collecting and tracking features, in plain English and not buried in cleverly worded text in a multi page end user agreement. Change it’s wording.
    That way they won’t appear as the bad guys, and everyone knows where they stand. Location services are useful, just be up front with how they work.
    So there's a few things in this that don't quite add up, but I'll bite.

    Perhaps you could articulate how Apple is "worse" than Amazon, Google or FaceBook with respect to data collection ? That is an extraordinary claim that warrants extraordinary evidence to support it (given Amazon, Google and Facebook are 3 of the world's largest collectors of personal information, and all of them actively generate income from the personal information they collect, and two of them own two of the largest data brokerages in the world)

    Second the arrows don't mean Apple has collected ANY data about location at all. Words have meaning to lets get specific - if Apple "collects" data then its sent from your device to Apple centrally, and in a form Apple can decrypt or read - ie it leaves your device in some form, and Apple itself can do something with the data. eg A lot of the "Find My" service data passes through Apple servers, but Apple can't decrypt it, as its encrypted with asymmetric keys that only exist on a users devices. So its not "collection". How "Find my" works was explained in a talk by Apple at BlackHat 2019 this year.

    If a process or App running on the device does something that is requests location-related information, that does not automatically mean that Apple "collected" it. Even if data is sent to Apple, it doesn't mean Apple can read it. Saying any process triggering an arrow in the UI constitutes collection of data is wrong from both a technical and legal perspective. 

    Thirdly, the way that location services work, is things like monitoring for iBeacon region entry/exit, or "awareness of what country am I in" will by definition access location information. 

    Fourthly the arrow may not have anything to do with GPS, and the AppleInsider commentary is wrong in framing things that way. Apple devices use GPS, GLONASS, Baidu, Galileo and QZSS satellite systems, but they also use cell towers, Bluetooth and Wi-fi network mapping. All of that underlying location stuff has different levels of accuracy, and some of it works indoors, some of it only outdoors. Software doesn't access almost any of that directly - a developer usually has to set up a Core Location Manager instance to get called back when the device knows the location to the requested accuracy. eg Apple knowing what set of transit directions to supply in Maps, only requires a resolution to the city level - typically 10's of km, and wouldn't generally be considered a sensitive level of location, but it would totally trigger an arrow.

    Also - take a look at apple.com/privacy - that's where their privacy policy is, and its in plain English as well ! 

    Now having said that, Apple does need to explain what's going on here, and their response to Krebs was pretty poor, but these kind of situations aren't binary: ie an organisation isn't intrinsically either perfect, or evil, with nothing in between.
    appleinsiderusercornchipneilmStrangeDayswatto_cobraPeza
  • Reply 17 of 47
    flydogflydog Posts: 1,023member
    What the heck. It seems every other month a major privacy invasion of our iPhones gets discovered. It’s almost like a built in...

    revolving back door. 

    back foot gets discovered. Said company “patches” it - only for a new opening to be “discovered” and “patched, etc. etc. 

    Really the surprising part is that you expect software to be 100% perfect and resistant to any type of hacking and security attack. 
    watto_cobra
  • Reply 18 of 47
    flydogflydog Posts: 1,023member
    This is a bunch of nonsense. Some core background services require location data, do not have an individual switch to turn them off, but turning off location services completely prevents these services from gathering location data.  About as shocking as the news that glass phones break when dropped. 

    chabigsdw2001Above_The_GodsrandominternetpersonStrangeDayswatto_cobra
  • Reply 19 of 47
    lkrupplkrupp Posts: 9,627member
    And here comes the next class action lawsuit, like death and taxes.
    mwhitecornchipmacxpresswatto_cobra
  • Reply 20 of 47
    I certainly have noticed the location services icon is on in iOS 13 even when nothing using it is open. This was not the case in any prior iOS version. A clear explanation of why this is happening is lacking from Apple. While I get that cell phones are trackable via cell etc that still does not excuse Apple adding tracking that cannot easily be turned off. Disabling location services is NOT a viable answer as it neuters many of the phones needed features. 
Sign In or Register to comment.