Wednesday, February 1, 2023

Bypassing iOS 16.2 Location Privacy

Rodrigo Ghedin:

iFood, Brazil’s largest food delivery app, evaluated at USD 5.4 billion, was accessing his location when not open/in use, bypassing an iOS setting that restricts an app’s access to certain phone features. Even when the reader completely denied location access to it, iFood’s app continued to access his phone’s location.


An educated guess was revealed by iOS 16.3 release notes, launched on January 23rd. Apple mentions a security issue in Maps in that “an app may be able to bypass Privacy preferences”.

Via Nick Heer:

I do not want to spread fear or uncertainty, but it is hard to believe iFood would be the only app interested in using location data even if the user has opted out of it. There were several privacy-related bugs fixed in this most recent round of operating system updates.

John Gruber:

If the iFood app was really doing this, why is it still in the App Store? If circumventing location privacy by exploiting a bug doesn’t get you kicked out of the store, what does?


3 Comments


Pretty sure the Roadie app (bought by UPS) is doing this since it shows your pin even if you have the location access off and also it can differentiate between whether it has “Always on” vs “while using” or ask every time.

I think it’s inappropriate to assume bad intent at this point. They could just be accessing location data, assuming it would be denied if the user opted out. There is no indication any trickery is involved in triggering the bug.

Quite sure Netflix does this, too.
