iOS 16.3 was released to the general public last month, and among other new features, it also included a variety of security updates. One of those fixes addressed an Apple Maps privacy bug that could have allowed an app to “bypass Privacy preferences.”
In a statement to 9to5Mac on Friday, Apple clarified that iPhone users “were never at risk” because of this vulnerability. The company also refuted a report that said a Brazilian food delivery app was accessing user location without permission in iOS 16.2.
iPhone’s lack of side loading saved it from Mac privacy bug
Apple says that the Maps vulnerability patched last week “could only be exploited from unsandboxed apps on macOS.” The fix was included in all of Apple’s software updates last week simply because that codebase is shared by iOS and iPadOS, tvOS, and watchOS as well.
“The suggestion that this vulnerability could have allowed apps to circumvent user controls on iPhone is false,” Apple says in its statement.
With this clarification in mind, Apple also refutes a report that said an iPhone app was caught exploiting a vulnerability to “bypass user control over location data.” This is in reference to a report from last week that said iFood, one of the leading food delivery apps in Brazil, was “accessing a user’s location in iOS 16.2 even when the user denied the app all location access.”
In its accusation, last week’s report didn’t make it clear if iFood was exploiting the aforementioned Apple Maps vulnerability (again, which could have only been exploited on macOS), or something different. Regardless, Apple says that its “follow up investigation concluded that the app was not circumventing user controls through any mechanism.”
Apple’s full statement to 9to5Mac is below:
At Apple, we firmly believe users should choose when to share their data and with whom. Last week we issued an advisory for a privacy vulnerability that could only be exploited from unsandboxed apps on macOS. The codebase that we fixed is shared by iOS and iPadOS, tvOS, and watchOS, so the fix and advisory was propagated to those operating systems as well, despite the fact that they were never at risk. The suggestion that this vulnerability could have allowed apps to circumvent user controls on iPhone is false.
A report also incorrectly suggested an iOS app was exploiting this or another vulnerability to bypass user control over location data. Our follow up investigation concluded that the app was not circumventing user controls through any mechanism.
The Apple Maps vulnerability patched last month was reported to Apple by an anonymous researcher. The Apple Security Bounty program encourages security researchers to submit their findings to Apple. The program also offers rewards to security researchers who help Apple in its efforts to “protect the security and privacy of users.”