Apple’s iPhone 11 has sold well over the first few months since its September launch, even pushing up the firm’s share price. But the iPhone 11 Pro and possibly the iPhone 11 appear to be suffering from a rather serious location privacy flaw.
The issue was discovered by security researcher Brian Krebs, who found that Apple’s iPhone 11 Pro pings its GPS module to gather location data, even if the user has set their phone not to do so.
Get started on your cybersecurity degree at American Military University.
Krebs demoed the issue on the iPhone 11 Pro running Apple iOS 13.2.3 in a video on his website. Apple’s iOS 13 is touted as the more secure operating system option, because it gives users more control over whether apps such as Facebook and Google can access your location. But as I reported last week, Apple doesn’t necessarily apply these controls to its own apps.
In the video, Krebs shows how GPS data is collected even when individual location services are disabled in the iPhone 11 Pro’s settings. This happens even when a user has set their location services toggle to “Never.”
The issue was not present on an iPhone 8, so it is possibly hardware related. Krebs thinks it might be the result of new hardware brought in to support Wi-Fi 6, but he couldn’t confirm this was the case.
Apple’s location privacy issue: What’s the problem?
But Krebs claims it is not possible to turn off location-based system services for certain services when using the iPhone 11 Pro. “Apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location.”
When questioned about this issue, an Apple engineer told Krebs that the behavior was “expected.”
“We do not see any actual security implications. It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings.”
Krebs thinks otherwise. And, it’s not a great look for Apple. Director of cybersecurity strategy at ZeroDayLab Stuart Peck points out that only last week, Apple was being criticized for restricting developers collecting location related data. “Now it seems Apple is collecting location data through geo-tagging locations of nearby Wi-Fi hotspots and cell towers.”
Apple iPhone 11 location privacy problem: What to do
After a buggy iOS 13 has plagued many users, this latest iPhone issue isn’t going to impress even the most loyal of Apple fans. Peck says that although it’s not a security concern, it is “definitely a privacy one.”
“Apple should be more clear about why it needs to collect this information, and how it is going to be processed.”
Ethical hacker John Opdenakker agrees: “As a user I’d expect when I switch off location services for all applications and system services that Apple is no longer using my location data, but it seems that it still does.
If you own an iPhone 11 Pro, the only way you can avoid this issue is by completely disabling location services in your settings. It will seriously impact your phone’s usability but it might be worth turning the function off and back on for specific services such as maps if you are concerned.