Hacker News new | past | comments | ask | show | jobs | submit login
The iPhone 11 Pro’s Location Data Puzzler (krebsonsecurity.com)
206 points by feross on Dec 4, 2019 | hide | past | favorite | 78 comments

Not sure I see much of a story here. Turning off location services globally works as expected, but turning off location services app-by-app lets the system itself still utilize location services (for unknown system things):

“We do not see any actual security implications,” an Apple engineer wrote in a response to KrebsOnSecurity. “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings” [emphasis added].

I don't think it's a major issue, but I think it's a reasonable expectation that turning off all services one-by-one will result in no services using your location.

> turning off location services app-by-app lets the system itself still utilize location services

I think this is a mischaracterisation. The menu allows you to turn off access to system services individually as well, it's not just a menu for disabling app access case-by-case. That there are some system services which don't have a toggle, while others do, is unexpected.

Ahh I didn't catch that last bit. Individually disabling "system services" in location services doesn't disable ALL system services. Yeah that's confusing/should be changed.

If the excluded system service is reporting location to Find My iPhone, then I’d say it’s working exactly as I’d expect.

No, the Find My iPhone service has its toggle and it's disabled.

The way I would expect this to work is that there's a system service that just generates location data and handles things like GPS radio driver communications and such, which provides an API for everything else to get location data from it.

Everything else would have a setting to enable them to access that API, including any other system services that use location data to do anything. So the icon saying Location Services are enabled would literally just be saying "yep, this phone is communicating to GPS satellites and calculating it's location". I don't know if that's actually how this works though.

> So the icon saying Location Services are enabled would literally just be saying "yep, this phone is communicating to GPS satellites and calculating it's location". I don't know if that's actually how this works though.

What would be the point of showing that indicator then? GPS is a passive system; there's no communication happening, just reception. The interesting case is whenever someone tries to access the location data.

> there's no communication happening, just reception.

Erm... In practice that's not quite true for many devices, depending on your definition of communication and the relevancy of side-channels (which may leak information).

So, first of all, Location Services is more than just GPS. It also uses cell and Wifi signals to estimate location (hence the pop-up that "enabling wifi improves location accuracy"). So using location services may affect the behavior of the cell and wifi radios.

Second, virtually all phones (and many other devices that expects to often have internet communications) use what's called "assisted GPS", which is where the satellite ephemerides and almanac are downloaded through a side channel and passed to the GPS chip (along with an estimate of the current time and location)

That greatly improves the time to first fix because the receiver knows exactly which satellites are above the horizon, and also doesn't have to wait for each satellite to broadcast its ephemeris data (ephemeris is only broadcast once per 30 second frame, and you aren't guaranteed to receive it correctly the first time).

Tangentially related to the above, there's a very interesting paper from Microsoft where they are able to recover the location of a very low duty-cycle receiver using only an estimate of the code phase relative to the internal clock (so the navigation message is never even decoded by the device).

They (of course) needed to record the ephemerides (at the "base station") during the periods where they wanted to know the receiver's position, and there are duty cycle minimums to avoid 'cycle slip' (because the receiver only knows the code phase to an ambiguity of n2pi).

Edit: Oh, here it is: https://www.microsoft.com/en-us/research/wp-content/uploads/...

Some location info is likely recorded -- logged or cached, if nothing else -- even when no app/service on device is using it. You as a user might want to be able prevent it from being generated at all. For example, if you were concerned about a government agent, such as US Customs, hoovering up those logs/caches.

> GPS is a passive system; there's no communication happening, just reception.

Tangent: it does, however, require higher energy usage than just not computing GPS location from the incoming/passive signal.

It means you can't figure out what's using it, and it makes it impossible to configure location services in a whitelisting mode. A global off switch is better than nothing, but this is bad behavior.

> (for unknown system things)

There's a lot of weird, potentially bad stuff that could fit into this description, though. I believe Apple has had problems with "accidentally" logging location data from their phones before.

I think it would be good for us iPhone users to know what the system is doing with our location.

It's certainly not what I expect as a user - turning off all the switches individually, should be equivalent to turning off the master switch - unless there is explicit guidance somewhere.

Not a biggy to me - but not good.

How do I allow maps to use my location, but disallow "system services"?

No, turning it off globally does not work as expected. the iphone will continue to contact *.ls.apple.com

I've noticed this too.

I have an older version of adblock (adblockios) that allows blocking of even apple traffic using an on-device vpn at

Even if I turn off location services completely on the phone, it will continually contact the apple location services website *.ls.apple.com

(I see all kinds of other "interesting" stuff, like sentitlement2.mobile.att.net and cs9.wac.phicdn.net that seems to be baked into the os)

I wonder if they do the same with bluetooth iBeacons, which are limited in range and would therefore precisely pinpoint your location just by resolving the beacon.

> “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings.”

My question then is WHY? If they allow granular control over some location collection settings, but not others, and the only way to disable background collection is to turn location off entirely, then doesn't this defeat the purpose of offering granular control at all? What possible reason could there be for having it set up this way?

In my ideal scenario, Maps would have location access when open or navigating but nothing else.

Your use case may be different but personally I just want to make sure that untrustworthy third party apps (Facebook, random games, etc) don't get location access. I'm fine with Apple services having access. So for me the way it is right now does everything I need.

> I'm fine with Apple services having access.


Some folks (myself included) by default prefer to segment their trust by vendor, not by application, since it tends to be aligned anyway. For example, as per GP I'm fine with any Apple app having location access because by buying the phone I made an implicit decision to trust the company. In contrast, Facebook's stuff can fuck off into the black hole of mistrust they dug for themselves.

Finer granularity of trust (+ve or -ve) occurs only in exceptional cases.

As with so much in life (and in tech), the greatest process efficiency occurs when you standardise a common case and manage by exception.

Because they provide a very real value. "Find my iPhone" for instance.

I would still like to have the ability to examine and toggle them each individually. Currently what I do is to turn on location services when I want to use a map app, and turn them back off once I'm done. But this is inconvenient.

what services would you like to keep location turned on then? Why do you trust them to have access all the time and at the same time you don't trust apple themselves for useful features like "find my phone"?

Still doesn't answer why some Apple services have granular control and others don't. The implication in offering the controls is that you could control how the phone uses location data. Excluding some services from the controls negates the value of having controls at all.

Maybe I'm being pedantic but did the Author just not comprehend what Apple has said?

> Apple : "The icon appears for system services that do not have a switch in Settings"

To me, Apple is saying you can't selectively disable certain services because there isn't an option. If Location Service is enable, these services will have access to them and there's nothing to be done about it. This seems lost on the Author.

> Article Author : "it seems they are saying their phones have some system services that query your location regardless of whether one has disabled this setting individually for all apps and iOS system services."

The Author seems to miss the fact that the unknown service causing the icon to appear isn't in the list of individual settings.

\* Regardless of whether Apple should be allowing an App/Service access to Location Services, when enabled, without user consent; to their credit they aren't hiding the fact that it's happening which to me is a good thing.

It's nuanced but it's the difference between "it's happening and you have no say" versus "I'm hiding the fact that it's happening from you because you have no say".

>> Apple : "The icon appears for system services that do not have a switch in Settings"

> ... If Location Service is enable, these services will have access to them ...

> The Author seems to miss the fact that the unknown service causing the icon to appear isn't in the list of individual settings.

OK, so how do we know what this mystery service does? The obvious candidates (E911/SOS, FindMyPhone, Location-based ads, etc) all appear in the list. I think this definitely raises questions about what remaining service is asking for location, and especially what that is being used for. Given that this article is coming from a security blog, there is a definite implication of questioning the intentionality / consent of a broad setting like "location services on/off" has unknown, unlisted users [and especially when most users of such a setting have individual toggles].

> OK, so how do we know what this mystery service does?

We don't, Apple didn't say.

> I think this definitely raises questions about what remaining service is asking for location, and especially what that is being used for.

Yes absolutely.

> Given that this article is coming from a security blog, there is a definite implication of questioning ...

What I'm saying is that the blog missed the point entirely. They're saying it's a bug and that something isn't respecting an individual setting. Apple is saying that for the particular service there IS NO INDIVIDUAL SETTING.

It definitely raises questions as you stated AND it demonstrates that even when Apple considers something above user choice, they still do not hide it. They created a means for an App/Service to access Location Services, when enabled, without user's consent BUT they didn't create a way to hide it.

If Location Services are accessed, you receive a notification.

Regardless of this opinion on the author's understanding, don't you agree it's a little shifty that Apple is the only entity that can obtain the user's location after providing a user experience that gives the user the impression that they've disabled all location services...?

> don't you agree it's a little shifty

No, shifty isn't the right word. Without knowing what App/Service is above consent and what that App/Service does, I'm reluctant to label their actions because the Notification is correctly showing something accessing Location Services and Apple admitted it's happening.

It could be something innocuous and dumb like the Location Services service periodically caches GPS Ephemeris data, and since it's accessing itself to pull that data, a notification pops up.

It could also be something like the GovernmentMandatedTracking Service periodically querying your location.

The first example isn't shifty, it's just kinda dumb. The second example could be seen as either kind of like a Warrant Canary or incompetent if unintentional. Given the fact that Apple acknowledge it, I would lean towards Warrant Canary.

You can disable all location services. The incorrect impression is that a user has complete granular control over the use of location services.

Anyone saying it isn’t an issue - what if I want to turn location services off for everything except one app. This is impossible to do with this setup.

I either need it on and on for that app - and it phones home without permission.

Or I have to completely turn it off.

It's a non issue imo : your phone is a device that regularly transmit data to nearby cell towers to an ISP that works closely with your government and is probably hacked by multiple foreign services.

> transmit data to nearby cell towers

You can turn that off.

> probably hacked by multiple foreign services


The people saying this isn't an issue probably mean the statement with some amount of generality. What usecase are you imagining that this effects enough to be considered an actual issue?

The requirement sounds pretty clear - to use an app that relies on GPS without the rest of the OS or any other component using it.

Many of us hold on to the quaint notion that computers we own should be under our control.

Are you saying that apps should be allowed to directly access GPS antenna/hardware without the system being involved at all? Because that is the only way I see that an app could use the data without the system being in the loop at all.

If so, that sounds like a terrible idea to me. Sandboxing off applications from the hardware is a key aspect of security here. My opinion: the system should collect the location data (IF the global location services switch is on) and then parse it out following the user's granular selections for what apps they want to receive it. And that seems to be exactly the case.

No that’s not what I’m requesting. I’m requesting that there are switches for ALL the things that use my location for some purpose or send my location some place. Currently there isn’t one for the operating system doing that.

Obviously the OS will know my location if Location services are on, it’s a case of what it does or does not do with that data.

Military / covert state ops reliant on customized phone apps probably. I guess the solution is to smash the phone after like on TV.

I would bet good money that this is how their new device tracking off-line feature works. If they provided users the option to turn it off, everyone would turn it off, and no one would get the benefits of the offline device tracking. I don’t think it’s OK, and I think users should have the choice, but I’m pretty sure that’s what’s happening here.

If someone tried with iOS 12/11 and it didn't happen, this would be the most likely case.

For the unaware, iOS 13 apparently sends the Find My iPhone location of other phones to Apple. https://www.wired.com/story/apple-find-my-cryptography-bluet...

I would also wager that it's tied to find my iphone.

The screen capture is at least incomplete, there are other settings under the diagnostic section of privacy settings that clearly imply diagnostic will include locations.

Thus before testing one should ensure that all diagnostics are also turned off because if diagnostics are on and location global switch is on too this is indeed expected.(NB: sorry lazy to try right now on my everyday phone).

This still may be a step above Google's Android. Android now has Google-provided weather on the lock screen that can't be disabled. The only way for Google's weather service to show you the weather for your current location is... to send your location regularly to Google. I'm not even sure that triggers the status icon in Android.

It's hard to make the claim that showing weather on the lock screen is an essential service that user's shouldn't be allowed to disable.

It depends on what granularity we are talking about, but Google can figure out your location only by using the IP. Check the bottom of the page on your next google search results (without being logged into any account), it will show you where Google thinks your device is. It guessed without sending any GPS location or wifi metadata.

I don’t see the issue. There are hidden system services in the iPhone that can’t have their location settings individually turned off. But you can still turn off location services for all apps and this will stop location services from being granted.

Part of the problem is there is a switch for controlling location servers for "System Services" which doesn't actually shut off location access for ALL system services.

There are hidden system services in the iPhone that can’t have their location settings individually turned off.

Interesting, this is my understanding as well and don't see how anyone can claim it is a non issue.

Example: location is used to comply with the law in some countries where radio features can’t be used in certain areas.

Is there really such a law? It could be communicated as legal compliance, instead of saying it is a non issue.

I don't know specifically which ones might apply to iPhone, but there are laws in the field I work in where radios cannot be operated near designated airfields or offshore, forcing us to add GPS when we would otherwise not have. This would also be consistent with reports saying this only occurs on the newest iPhones that have additional radios than before like ultra-wideband. There are other laws like E911 reporting which may also apply.

Now regarding why there isn't a more concrete explanation from Apple: Krebs might have published before Apple was willing to make a statement; Apple may not want to commit to this being the only use of location outside a user's explicit control in system services; or Apple might believe uses like this are fine for the system because they aren't harvesting data off-device, and they want to continue having this ability.

Since the global location services switch works as you'd expect, I think there are a lot of good faith cases to be made for Apple here. Given their secrecy, we won't know for sure, but their statement seemed to suggest that they were confident this was an acceptable use.

There is some speculation that this is related to E911, but I'd like to hear from some smart (non-speculating) person from the HN crowd with more information.

There is actually a toggle for Emergency Services, and it was set to off for the test.

Yes, you can disable supplementary data (Location from WiFi Hotspots nearby) but not NILR (Network Initiated Location Request).

> Disabling EED will not affect the regular NILR process: Emergency location data requested by the user’s carrier network will still be shared in accordance with the technology and policies of the network operator, and as required by law.

That quote is from this document: Enhanced Emergency Data, Apple, August 2018 (not sure about sharing rights, but I could find it by googling that name or quote).

It (AML, NILR like service) rolled out here in Sweden last week.

E911 compliance is a legal requirement. It would be against the law for that slider to turn that off.

I think that slider is for Apple’s SOS features, which go beyond the legal requirements:


> After an emergency call ends, your iPhone alerts your emergency contacts with a text message, unless you choose to cancel. Your iPhone sends them your current location, and, for a period of time after you enter SOS mode, it sends updates to your emergency contacts when your location changes.

I think more folks should consider turning off their phones when not using them (or at least enable airplane mode and disable networking)

I’ve been finding myself more mindful and less anxious if I just queue up a locally stored podcast when commuting or walking, or just not expecting any texts.

Software will always have flaws and while there’s always malicious software, for most people simply not turning the phone on sidesteps these issues.

I honestly don't give a damn if my phone checks it's location occasionally, I don't think anyone does. What they care about is whether that data is logged and shared externally. Does Apple get this data? If not then to me this is a non-story.

It sounds to me like that's exactly the case.

This makes sense if you take into account the newer iteration of Find My, which has been discussed technically on HN before.

Loaded comments page to post this same thing. For some extra info, based on my understanding of the mechanism:

- Lost devices regularly emit Bluetooth chirps with encrypted payloads

- If any iOS 13 devices hears them, it relays them to iCloud (these devices cannot decrypt them)

- My guess is that the relaying device contributes its own GPS metadata. One of the design goals of Find My is that very low-battery devices can still emit location, so it makes sense they wouldn't spin up their own GPS receivers

I regularly bike around with non-Apple Bluetooth headphones. Anecdotally, I started getting some connection breakups at iOS 13 launch that I had never experienced. I'm pretty sure this is my phone briefly giving the Bluetooth radio more time to receive these chirps, and I'm biking by one.

(I was running the iOS beta since about mid-cycle, and didn't start getting these connection glitches until after public launch)

My home automation scans BTLE to augment my presence information, and these brief interruptions sound a lot like the slight interruption I get when I bike into range of my house.

This feature requires at least 2 iCloud devices to work per this [0] article. In developing countries people only (mosty) got iPhone as their iCloud ecosystem.


> If any iOS 13 devices hears them

Even devices turned off.

Could be related to the new 'Find My' functionality where iPhones report the location of devices from strangers around them [1].

[1]: https://i.blackhat.com/USA-19/Thursday/us-19-Krstic-Behind-T....

Presumably the "not a security issue" is implying that it's not being sent off device - I could imagine things pre-caching location info (does photo location have a switch? opening maps to correct location?).

The problem with arbitrary apps having access to location info is the hell bent desire to steal/monetize that location by sending it to their servers. My assumption is that the location indicator has no way to distinguish between "safe system use vs anything else", because people inevitably find a why to exploit any OS "cleverness" to hide malicious behavior.

Somewhat related: I want Location Services on when navigating and off at almost all other times.

Why isn't there a control I can put in control center to toggle Location Services? Instead it takes 4-5 actions to do this. I was hoping Shortcuts would make this possible, but no. It's almost as if Apple wants to make it difficult...

IIRC you can do it in one step by telling Siri to do it. Not ideal, obviously. You might be able to create a shortcut to tell Siri to do it, which would then make it a one click option, not in control center but on your home screen.

> It's almost as if Apple wants to make it difficult...

Without a conspiratorial slant, the mostly commonly-used services have a control center toggle, and your use case is very, very, very much an edge case. It hardly seems like a priority to create a control center toggle that will show up on everybody's phone for the one person (you) that will ever use it.

At some point, perhaps we'll be able to add arbitrary shortcuts to control center, but I doubt it.

Forums suggest that there are others who are also interested in this ability.

Two reasons that come to mind.

1. Emergency services

2. Road Traffic analytics for mapping.

Emergency services aren’t supposed to ever be disabled, if I remember the specs.

It's weird since they are forcing opt-in in this feature if you want to use your GPS functionality in anything else. A force packaging of software features. Allowing it to be disabled like any other system service would be optimal.

The bigger issue is that if you want any app to get your location on iOS, you also consent to sending your location to Apple, and there is no way to turn this off.

There's no indication anywhere that your location data is being sent to Apple in this scenario, and Apple has very explicitly documented when and for wht reasons location data is sent to them.

"By enabling Location Services for your devices, you agree and consent to the transmission, collection, maintenance, processing, and use of your location data and location search queries by Apple and its partners and licensees to provide and improve location-based and road traffic-based products and services."

It will also send your location to Apple when no app is requesting your location:

"If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations."

Unlike on Android, you cannot get your location without sending this data to Apple:

"To use features such as these, you must enable Location Services on your iPhone"


I think this would be more interesting if it was found out that the location data also went to a remote server.

I've been playing around with LineageOS [1] (a FOSS fork of Android) and FDroid (the FOSS App/Play Store) and I have to admit I'm impressed. There aren't a lot of apps but what there are are what I want: minimal, open, and useful. The OS itself has a far more thoughtful UX than stock Android in certain pleasantly surprising ways. But one thing you absolutely CAN do is totally turn off Google Location Services (which continuously scans Wifi and Bluetooth), or not even install them in the first place. Thanks to a neat app called "GPSTest" you can see just how good the GPS is on these devices, and it angers me that Apple and Google both make it so hard to do the natural, privacy preserving thing, which is to rely purely on GPS. It's like having your cake and eating it too! (One neat thing you could do if you can't see a satellite is to cobble something together from an accelerometer timeline starting when you're out of range)

Lineage does seem less stable than stock Android, however. I've had two apps crash, and apps never crashed on me with stock Android. But YMMV depending on what device you have and what apps you use.

[1] https://www.lineageos.org/

You're missing the mark here by quite a bit. First of all, LineageOS has nothing to do with iOS and you aren't about to get the masses moving over to LineageOS any time soon. Feel free to tinker, but know that it is not an answer to Apple's iOS.

Second, GPS sucks terribly in many cases. Are you inside a building? Inside a city financial core? Inside a tunnel? Also, did you know that unassisted GPS takes minutes to establish a lock even in most good cases; it is only because of the tower-provided assistance that GPS can resolve in less than a minute, ever.

Third, it doesn't matter what the location source is. The issue is what controls are in place for using the location data. And for sure relying on GPS does not solve that problem.

LineageOS has nothing to do with iOS

It's a product in the same category (mobile OS) that has a feature (privacy preserving location measurement) that another product does not.

you aren't about to get the masses moving over

You are using a strawman there. That was not my purpose in posting. This is Hacker News; I'm sharing my experience, presumably, with other intellectually curious people who might be surprised to know that a rather obscure option exists that they might not know about.

GPS sucks terribly in many cases

I think this deserves some study. I don't see why, in theory, it would need to be the case; the GPSTest app seems to do an excellent job of tracking satellites and reaquiring. The first time I used it it took ~2 minutes. But every time since it's been immediate.

It may be cynical of me, but I think I can be forgiven if don't think either Google or Apple are incentivized to fix GPS acquisition times. Continual, passive scanning of the local EM environment is much more information rich for them, and constitutes a considerable surveillance advantage. Bluetooth scanning especially allows constant, dynamic update of every person you are around. So by using these systems you're not just violating your own privacy, but anyone around you.

So, despite the downvotes, I am very proud of my comment and believe it to be quite on topic. Thanks.

> Also, did you know that unassisted GPS takes minutes to establish a lock even in most good cases; it is only because of the tower-provided assistance that GPS can resolve in less than a minute, ever.

Then how does every GPS device without a network connection work? I'm no GPS expert by my understanding is that GPS lock can be attained far more quickly if the device caches satellite position data and uses that to assist. That's why a Garmin watch may take 3 minutes to lock on first use (or after departing an international flight) but will subsequently lock in seconds after that.

I think the assertion about unassisted GPS taking minutes to establish a lock in good cases simply isn't correct; my car's in-dash navigation system will often take minutes to establish a satellite lock if it starts up in a garage, but if it starts up outside, it's often well under half a minute. (Ephemeris data is broadcast from satellites every 30 seconds.)

While it's been a long, long time since I worked in the GPS field (I was a contract technical writer at Global Locate for a few months, a company that created one of the first A-GPS networks), it's my understanding that GPS receivers can cache almanac data (the basic orbital positions of GPS satellites) but not ephemeris data (more precise orbital information, including clock information, from individual satellites). To get a GPS lock, your GPS unit needs to get ephemeris data from three satellites. Assisted GPS provides initial ephemeris data over the cellular network so your phone or other cellular device can get it much faster.

Agreed; it seems obvious to me that location needs improvement in a lot of cases. When I use an app like Lyft I am now careful to avoid using "current location" because even when it looks roughly accurate one second the app might use a different location reading a second later that is across the street and down the block.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact