Apple iPhone 11 Pro 'can override location settings'
- Published
Apple's flagship iPhone 11 Pro tracks users' locations even when they have set it not to, a security researcher has discovered.
Brian Krebs found that the phone collects data about a user's position even if location sharing has been turned off in every individual app.
However, the user could avoid being tracked if the entire system was set to never share location.
Apple said it was "expected behaviour" and denied it was a security problem.
The company has made big play, external of the fact that it allows users granular control over sharing their location - so for instance they can have location switched on for Maps but off for everything else.
Mr Krebs found users could disable all location services entirely via Settings>Privacy>Location Services, but if they chose the individual controls, they might still be tracked.
'Expected behaviour'
"One of the more curious behaviours of Apple's new iPhone 11 Pro is that it intermittently seeks the user's location information even when all applications and system services on the phone are individually set to never request this data," Mr Krebs wrote on his blog, external.
He contacted Apple to report the issue, sharing a video which showed the location services icon on, even though every app and system service was set to "never request" this information.
An engineer replied: "We do not see any actual security implications. It is expected behaviour that the locations services icon appears in the status bar when location services is enabled," adding that some system services "do not have a switch in Settings".
That, argued Mr Krebs "seems at odds with the company's own privacy policy".
In 2018, Google was found to be recording locations even when users had asked it not to.
In a report from Associated Press, a Princeton University researcher tracked his daily commute and found that Google saved location markers even though location history had been turned off.
To disable this entirely, users had to switch off another setting called Web and App Activity, which was enabled by default and did not mention location data.
- Published10 September 2019