The Apple Maps vulnerability, referenced as CVE-2023-23503, has been marked as “RESERVED,” meaning details of the bug have not been made public. An Apple blog post highlighting the iOS 16.3 security content indicates that the bug was reported by an anonymous researcher. At this time, Apple is yet to shed more light on the vulnerability or confirm reports that iFood was tracking users’ locations. It’s also unclear if any other apps were exploiting this vulnerability. iFood has a current market value of $5.4 billion and delivered over 60 million monthly orders during the Covid pandemic.
iFood Privacy Bypass
Brazilian journalist Rodrigo Ghedin said a reader of his blog informed him about the potential exploit. The reader noticed that the iFood app ignored their iPhone’s privacy preferences. iFood continued to access their location data even after the reader completely denied the app permission from their iPhone’s Location Services Settings. The reader said that resetting the device and subsequently updating to iOS 16.3 apparently solved the issue. Ghedin reached out to iFood regarding the issue. On Feb. 1, the company responded to him, saying the app only collects data as per its privacy policy. “In this case, after careful analysis by the technology team, no code was identified in the iFood application that allows access to the user’s location without authorization, but even so, the company remains available to clarify any questions on the subject or any alleged failure, in order to contribute to bringing more security to the platform,” the company told Ghedin. Most delivery apps request access to users’ location data to estimate their distance and determine delivery time. iFood’s privacy policy says users need to provide their location to receive an order. “This location can be provided by the address you enter manually in the application, or through the location obtained from your device via GPS and mobile networks (cell towers, Wi-Fi and other location modalities) and confirmed by you,” iFood’s privacy policy reads. Apple will most likely release more information about the Maps bug once the company deems that releasing details doesn’t pose a threat to iPhone users. “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” the company said in the blog.
Privacy and Anonymity on iOS Devices
Apple markets itself as a privacy-first organization. In 2021, the tech giant introduced the App Tracking Transparency feature, which allowed users to block apps from tracking their activity on other applications. Last year, Apple also released other noteworthy security features such as Security Keys for Apple ID, iMessage Contact Key Verification, and Advanced Data Protection for iCloud. Most recently, Apple added support for hardware security keys with iOS 16.3. Despite these efforts, Apple’s iOS is not impervious to security vulnerabilities. Last year, cybersecurity researchers found that iOS devices leak network traffic data outside a VPN tunnel. Apple services, such as the App Store, Health, Maps, and Wallet, are among the apps that send certain data outside a VPN connection. We strongly recommend that you update your iPhone with the latest version of Apple’s iOS and review your app permissions. Interested in learning more about iPhone security? Check out our comparison of iPhone vs Android security.