A few weeks after a report said an Apple Maps bug was sharing users’ location with apps without consent, Apple has denied the claim in a statement. Speaking to 9to5Mac, Apple said this privacy vulnerability “could only be exploited from unsandboxed apps on macOS,” which means it did not allow apps on iPhone to “circumvent user controls.”
Apple also added that the report saying this Apple Maps bug was sharing users’ location was incorrect, as its own investigation “concluded that the app was not circumventing users’ control through any mechanism.” Here’s the full statement:
At Apple, we firmly believe users should choose when to share their data and with whom. Last week we issued an advisory for a privacy vulnerability that could only be exploited from unsandboxed apps on macOS. The codebase that we fixed is shared by iOS and iPadOS, tvOS, and watchOS, so the fix and advisory was propagated to those operating systems as well, despite the fact that they were never at risk. The suggestion that this vulnerability could have allowed apps to circumvent user controls on iPhone is false.
A report also incorrectly suggested an iOS app was exploiting this or another vulnerability to bypass user control over location data. Our follow up investigation concluded that the app was not circumventing user controls through any mechanism.
What we know about this Apple Maps bug
At the beginning of the month, Brazilian journalist Rodrigo Ghedin reported that iFood, one of the biggest Brazilian startups that offer an Uber Eats-like service, was “peeking at iOS users’ location when it should not.”
iFood, Brazil’s largest food delivery app, valued at USD 5.4 billion, was accessing his location when not open or in use, bypassing an iOS setting that restricts an app’s access to certain phone features. Even when the reader completely denied location access to it, iFood’s app continued to access his phone’s location.
His report came after Apple released iOS 16.3, which addressed an Apple Maps issue where “an app may be able to bypass Privacy preferences.” With a device running iOS 16.2, he denied iFood his location, but the app was still accessing it, according to the iPhone’s Control Center.
Now, Apple states that this was not the case and that the Maps bug wasn’t exploited, although the journalist could reproduce the issue.
That said, whether or not third-party apps were exploiting this Apple Maps bug, the best solution is to always keep your device updated.