
The iPhone 11 Pro’s Location Data Puzzler - feross
https://krebsonsecurity.com/2019/12/the-iphone-11-pros-location-data-puzzler/
======
dkokelley
Not sure I see much of a story here. Turning off location services globally
works as expected, but turning off location services app-by-app lets the
system itself still utilize location services (for unknown system things):

 _“We do not see any actual security implications,” an Apple engineer wrote in
a response to KrebsOnSecurity. “It is expected behavior that the Location
Services icon appears in the status bar when Location Services is enabled. The
icon appears for system services that do not have a switch in Settings”
[emphasis added]._

~~~
wyattpeak
I don't think it's a major issue, but I think it's a reasonable expectation
that turning off all services one-by-one will result in no services using your
location.

> turning off location services app-by-app lets the system itself still
> utilize location services

I think this is a mischaracterisation. The menu allows you to turn off access
to system services individually as well, it's not just a menu for disabling
app access case-by-case. That there are some system services which don't have
a toggle, while others do, is unexpected.

~~~
dkokelley
Ahh I didn't catch that last bit. Individually disabling "system services" in
location services doesn't disable ALL system services. Yeah that's
confusing/should be changed.

~~~
sjwright
If the excluded system service is reporting location to Find My iPhone, then
I’d say it’s working exactly as I’d expect.

~~~
dvfjsdhgfv
No, the Find My iPhone service has its toggle and it's disabled.

------
m463
I've noticed this too.

I have an older version of adblock (adblockios) that allows blocking of even
apple traffic using an on-device vpn at 127.0.0.1

Even if I turn off location services completely on the phone, it will
continually contact the apple location services website *.ls.apple.com

(I see all kinds of other "interesting" stuff, like
sentitlement2.mobile.att.net and cs9.wac.phicdn.net that seems to be baked
into the os)

I wonder if they do the same with bluetooth iBeacons, which are limited in
range and would therefore precisely pinpoint your location just by resolving
the beacon.

------
rubbingalcohol
> “It is expected behavior that the Location Services icon appears in the
> status bar when Location Services is enabled. The icon appears for system
> services that do not have a switch in Settings.”

My question then is WHY? If they allow granular control over some location
collection settings, but not others, and the only way to disable background
collection is to turn location off _entirely_, then doesn't this defeat the
purpose of offering granular control at all? What possible reason could there
be for having it set up this way?

In my ideal scenario, Maps would have location access when open or navigating
but nothing else.

~~~
DangerousPie
Your use case may be different but personally I just want to make sure that
untrustworthy third party apps (Facebook, random games, etc) don't get
location access. I'm fine with Apple services having access. So for me the way
it is right now does everything I need.

~~~
soperj
> I'm fine with Apple services having access.

Why?

~~~
jaywalk
Because they provide a very real value. "Find my iPhone" for instance.

~~~
earenndil
I would still like to have the ability to examine and toggle them each
individually. Currently what I do is to turn on location services when I want
to use a map app, and turn them back off once I'm done. But this is
inconvenient.

~~~
notnap
What services would you like to keep location turned on then? Why do you trust
them to have access all the time and at the same time you don't trust apple
themselves for useful features like "find my phone"?

------
cptskippy
Maybe I'm being pedantic but did the Author just not comprehend what Apple has
said?

> Apple : "The icon appears for system services that do not have a switch in
> Settings"

To me, Apple is saying you can't selectively disable certain services because
there isn't an option. If Location Service is enabled, these services will have
access to them and there's nothing to be done about it. This seems lost on the
Author.

> Article Author : "it seems they are saying their phones have some system
> services that query your location regardless of whether one has disabled
> this setting individually for all apps and iOS system services."

The Author seems to miss the fact that the unknown service causing the icon to
appear isn't in the list of individual settings.

\* Regardless of whether Apple should be allowing an App/Service access to
Location Services, when enabled, without user consent; to their credit they
aren't hiding the fact that it's happening which to me is a good thing.

It's nuanced but it's the difference between "it's happening and you have no
say" versus "I'm hiding the fact that it's happening from you because you have
no say".

~~~
DaveSchmindel
Regardless of this opinion on the author's understanding, don't you agree it's
a little shifty that Apple is the only entity that can obtain the user's
location after providing a user experience that gives the user the impression
that they've disabled all location services...?

~~~
cptskippy
> don't you agree it's a little shifty

No, shifty isn't the right word. Without knowing what App/Service is above
consent and what that App/Service does, I'm reluctant to label their actions
because the Notification is correctly showing something accessing Location
Services and Apple admitted it's happening.

It could be something innocuous and dumb like the Location Services service
periodically caches GPS Ephemeris data, and since it's accessing itself to
pull that data, a notification pops up.

It could also be something like the GovernmentMandatedTracking Service
periodically querying your location.

The first example isn't shifty, it's just kinda dumb. The second example could
be seen as either kind of like a Warrant Canary or incompetent if
unintentional. Given the fact that Apple acknowledge it, I would lean towards
Warrant Canary.

------
jonplackett
Anyone saying it isn’t an issue - what if I want to turn location services off
for everything except one app. This is impossible to do with this setup.

I either need it on and on for that app - and it phones home without
permission.

Or I have to completely turn it off.

~~~
hdhdhe3i
The people saying this isn't an issue probably mean the statement with some
amount of generality. What use case are you imagining that this affects enough
to be considered an actual issue?

~~~
_jal
The requirement sounds pretty clear - to use an app that relies on GPS without
the rest of the OS or any other component using it.

Many of us hold on to the quaint notion that computers we own should be under
our control.

~~~
ducadveritatem
Are you saying that apps should be allowed to directly access GPS
antenna/hardware without the system being involved at all? Because that is the
only way I see that an app could use the data without the system being in the
loop _at all_.

If so, that sounds like a _terrible_ idea to me. Sandboxing off applications
from the hardware is a key aspect of security here. My opinion: the system
should collect the location data (IF the global location services switch is
on) and then parse it out following the user's granular selections for what
apps they want to receive it. And that seems to be exactly the case.

~~~
jonplackett
No that’s not what I’m requesting. I’m requesting that there are switches for
ALL the things that use my location for some purpose or send my location some
place. Currently there isn’t one for the operating system doing that.

Obviously the OS will know my location if Location services are on, it’s a
case of what it does or does not do with that data.

------
givinguflac
I would bet good money that this is how their new device tracking off-line
feature works. If they provided users the option to turn it off, everyone
would turn it off, and no one would get the benefits of the offline device
tracking. I don’t think it’s OK, and I think users should have the choice, but
I’m pretty sure that’s what’s happening here.

~~~
judge2020
If someone tried with iOS 12/11 and it didn't happen, this would be the most
likely case.

For the unaware, iOS 13 apparently sends the Find My iPhone location of other
phones to Apple.
https://www.wired.com/story/apple-find-my-cryptography-bluetooth/

------
Twisell
The screen capture is at least incomplete, there are other settings under the
diagnostic section of privacy settings that clearly imply diagnostic will
include locations.

Thus before testing one should ensure that all diagnostics are also turned off
because if diagnostics are on and location global switch is on too this is
indeed expected. (NB: sorry lazy to try right now on my everyday phone).

------
markstos
This still may be a step above Google's Android. Android now has Google-
provided weather on the lock screen that can't be disabled. The only way for
Google's weather service to show you the weather for your current location
is... to send your location regularly to Google. I'm not even sure that
triggers the status icon in Android.

It's hard to make the claim that showing weather on the lock screen is an
essential service that users shouldn't be allowed to disable.

~~~
antpls
It depends on what granularity we are talking about, but Google can figure out
your location only by using the IP. Check the bottom of the page on your next
google search results (without being logged into any account), it will show
you where Google thinks your device is. It guessed without sending any GPS
location or wifi metadata.

------
webninja
I don’t see the issue. There are hidden system services in the iPhone that
can’t have their location settings individually turned off. But you can still
turn off location services for all apps and this will stop location services
from being granted.

~~~
a_imho
_There are hidden system services in the iPhone that can’t have their location
settings individually turned off._

Interesting, this is my understanding as well and don't see how anyone can
claim it is a non issue.

~~~
shuckles
Example: location is used to comply with the law in some countries where radio
features can’t be used in certain areas.

~~~
a_imho
Is there really such a law? It could be communicated as legal compliance,
instead of saying it is a non issue.

~~~
shuckles
I don't know specifically which ones might apply to iPhone, but there are laws
in the field I work in where radios cannot be operated near designated
airfields or offshore, forcing us to add GPS when we would otherwise not have.
This would also be consistent with reports saying this only occurs on the
newest iPhones that have additional radios than before like ultra-wideband.
There are other laws like E911 reporting which may also apply.

Now regarding why there isn't a more concrete explanation from Apple: Krebs
might have published before Apple was willing to make a statement; Apple may
not want to commit to this being the only use of location outside a user's
explicit control in system services; or Apple might believe uses like this are
fine for the system because they aren't harvesting data off-device, and they
want to continue having this ability.

Since the global location services switch works as you'd expect, I think there
are a lot of good faith cases to be made for Apple here. Given their secrecy,
we won't know for sure, but their statement seemed to suggest that they were
confident this was an acceptable use.

------
reaperducer
There is some speculation that this is related to E911, but I'd like to hear
from some smart (non-speculating) person from the HN crowd with more
information.

~~~
zaroth
There is actually a toggle for Emergency Services, and it was set to off for
the test.

~~~
tapland
Yes, you can disable supplementary data (Location from WiFi Hotspots nearby)
but not NILR (Network Initiated Location Request).

> Disabling EED will not affect the regular NILR process: Emergency location
> data requested by the user’s carrier network will still be shared in
> accordance with the technology and policies of the network operator, and as
> required by law.

That quote is from this document: Enhanced Emergency Data, Apple, August 2018
(not sure about sharing rights, but I could find it by googling that name or
quote).

It (AML, NILR like service) rolled out here in Sweden last week.

------
dontbenebby
I think more folks should consider turning off their phones when not using
them (or at least enable airplane mode and disable networking)

I’ve been finding myself more mindful and less anxious if I just queue up a
locally stored podcast when commuting or walking, or just not expecting any
texts.

Software will always have flaws and while there’s always malicious software,
for most people simply not turning the phone on sidesteps these issues.

------
ogre_codes
I honestly don't give a damn if my phone checks its location occasionally, I
don't think anyone does. What they care about is whether that data is logged
and shared externally. Does Apple get this data? If not then to me this is a
non-story.

It sounds to me like that's exactly the case.

------
mikorym
This makes sense if you take into account the newer iteration of Find My,
which has been discussed technically on HN before.

~~~
matthew-wegner
Loaded comments page to post this same thing. For some extra info, based on my
understanding of the mechanism:

\- Lost devices regularly emit Bluetooth chirps with encrypted payloads

\- If _any_ iOS 13 device hears them, it relays them to iCloud (these devices
cannot decrypt them)

\- My guess is that the relaying device contributes its own GPS metadata. One
of the design goals of Find My is that very low-battery devices can still emit
location, so it makes sense they wouldn't spin up their own GPS receivers

I regularly bike around with non-Apple Bluetooth headphones. Anecdotally, I
started getting some connection breakups at iOS 13 launch that I had never
experienced. I'm pretty sure this is my phone briefly giving the Bluetooth
radio more time to receive these chirps, and I'm biking by one.

(I was running the iOS beta since about mid-cycle, and didn't start getting
these connection glitches until after public launch)

My home automation scans BTLE to augment my presence information, and these
brief interruptions sound a lot like the slight interruption I get when I bike
into range of my house.

~~~
mrunseen
This feature requires at least 2 iCloud devices to work per this [0] article.
In developing countries people only (mostly) got iPhone as their iCloud
ecosystem.

[0] https://www.wired.com/story/apple-find-my-cryptography-bluetooth/

------
troberti
Could be related to the new 'Find My' functionality where iPhones report the
location of devices from strangers around them [1].

[1]: https://i.blackhat.com/USA-19/Thursday/us-19-Krstic-Behind-The-Scenes-Of-IOS-And-Mas-Security.pdf

------
olliej
Presumably the "not a security issue" is implying that it's not being sent off
device - I could imagine things pre-caching location info (does photo location
have a switch? opening maps to correct location?).

The problem with arbitrary apps having access to location info is the hell
bent desire to steal/monetize that location by sending it to their servers. My
assumption is that the location indicator has no way to distinguish between
"safe system use vs anything else", because people inevitably find a way to
exploit any OS "cleverness" to hide malicious behavior.

------
mhb
Somewhat related: I want Location Services on when navigating and off at
almost all other times.

Why isn't there a control I can put in control center to toggle Location
Services? Instead it takes 4-5 actions to do this. I was hoping Shortcuts
would make this possible, but no. It's almost as if Apple wants to make it
difficult...

~~~
pwinnski
> It's almost as if Apple wants to make it difficult...

Without a conspiratorial slant, the most commonly-used services have a
control center toggle, and your use case is very, very, very much an edge
case. It hardly seems like a priority to create a control center toggle that
will show up on everybody's phone for the one person (you) that will ever use
it.

At some point, perhaps we'll be able to add arbitrary shortcuts to control
center, but I doubt it.

~~~
mhb
Forums suggest that there are others who are also interested in this ability.

------
convivialdingo
Two reasons that come to mind.

1\. Emergency services

2\. Road Traffic analytics for mapping.

Emergency services aren’t supposed to ever be disabled, if I remember the
specs.

------
lalos
It's weird since they are forcing opt-in in this feature if you want to use
your GPS functionality in anything else. A forced packaging of software
features. Allowing it to be disabled like any other system service would be
optimal.

------
lern_too_spel
The bigger issue is that if you want _any_ app to get your location on iOS,
you also consent to sending your location to Apple, and there is no way to
turn this off.

~~~
djrogers
There's no indication anywhere that your location data is being sent to Apple
in this scenario, and Apple has very explicitly documented when and for what
reasons location data is sent to them.

~~~
lern_too_spel
"By enabling Location Services for your devices, you agree and consent to the
transmission, collection, maintenance, processing, and use of your location
data and location search queries by Apple and its partners and licensees to
provide and improve location-based and road traffic-based products and
services."

It will also send your location to Apple when no app is requesting your
location:

"If Location Services is on, your iPhone will periodically send the geo-tagged
locations of nearby Wi-Fi hotspots and cell towers in an anonymous and
encrypted form to Apple, to be used for augmenting this crowd-sourced database
of Wi-Fi hotspot and cell tower locations."

Unlike on Android, you cannot get your location without sending this data to
Apple:

"To use features such as these, you must enable Location Services on your
iPhone"

https://support.apple.com/en-us/HT207056

------
st3fan
I think this would be more interesting if it was found out that the location
data also went to a remote server.

------
javajosh
I've been playing around with LineageOS [1] (a FOSS fork of Android) and
FDroid (the FOSS App/Play Store) and I have to admit I'm impressed. There
aren't a lot of apps but what there are are what I want: minimal, open, and
useful. The OS itself has a far more thoughtful UX than stock Android in
certain pleasantly surprising ways. But one thing you absolutely CAN do is
totally turn off Google Location Services (which continuously scans Wifi and
Bluetooth), or not even install them in the first place. Thanks to a neat app
called "GPSTest" you can _see just how good the GPS is_ on these devices, and
it angers me that Apple and Google both make it so hard to do the natural,
privacy preserving thing, which is to rely purely on GPS. It's like having
your cake and eating it too! (One neat thing you could do if you can't see a
satellite is to cobble something together from an accelerometer timeline
starting when you're out of range)

Lineage does seem less stable than stock Android, however. I've had two apps
crash, and apps _never_ crashed on me with stock Android. But YMMV depending
on what device you have and what apps you use.

[1] https://www.lineageos.org/

~~~
bdamm
You're missing the mark here by quite a bit. First of all, LineageOS has
nothing to do with iOS and you aren't about to get the masses moving over to
LineageOS any time soon. Feel free to tinker, but know that it is not an
answer to Apple's iOS.

Second, GPS sucks terribly in many cases. Are you inside a building? Inside a
city financial core? Inside a tunnel? Also, did you know that unassisted GPS
takes _minutes_ to establish a lock even in most good cases; it is only
because of the tower-provided assistance that GPS can resolve in less than a
minute, ever.

Third, it doesn't matter what the location source is. The issue is what
controls are in place for using the location data. And for sure relying on GPS
does not solve that problem.

~~~
iamaelephant
> Also, did you know that unassisted GPS takes minutes to establish a lock
> even in most good cases; it is only because of the tower-provided assistance
> that GPS can resolve in less than a minute, ever.

Then how does every GPS device without a network connection work? I'm no GPS
expert but my understanding is that GPS lock can be attained far more quickly
if the device caches satellite position data and uses that to assist. That's
why a Garmin watch may take 3 minutes to lock on first use (or after departing
an international flight) but will subsequently lock in seconds after that.

~~~
chipotle_coyote
I think the assertion about unassisted GPS taking minutes to establish a lock
in good cases simply isn't correct; my car's in-dash navigation system will
often take minutes to establish a satellite lock if it starts up in a garage,
but if it starts up outside, it's often well under half a minute. (Ephemeris
data is broadcast from satellites every 30 seconds.)

While it's been a long, long time since I worked in the GPS field (I was a
contract technical writer at Global Locate for a few months, a company that
created one of the first A-GPS networks), it's my understanding that GPS
receivers can cache almanac data (the basic orbital positions of GPS
satellites) but not ephemeris data (more precise orbital information,
including clock information, from individual satellites). To get a GPS lock,
your GPS unit needs to get ephemeris data from three satellites. Assisted GPS
provides initial ephemeris data over the cellular network so your phone or
other cellular device can get it much faster.

