“We do not see any actual security implications,” an Apple engineer wrote in a response to KrebsOnSecurity. “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings” [emphasis added].
> turning off location services app-by-app lets the system itself still utilize location services
I think this is a mischaracterisation. The menu allows you to turn off access to system services individually as well, it's not just a menu for disabling app access case-by-case. That there are some system services which don't have a toggle, while others do, is unexpected.
Everything else would have a setting to enable them to access that API, including any other system services that use location data to do anything. So the icon saying Location Services are enabled would literally just be saying "yep, this phone is communicating to GPS satellites and calculating it's location". I don't know if that's actually how this works though.
What would be the point of showing that indicator then? GPS is a passive system; there's no communication happening, just reception. The interesting case is whenever someone tries to access the location data.
Erm... In practice that's not quite true for many devices, depending on your definition of communication and the relevancy of side-channels (which may leak information).
So, first of all, Location Services is more than just GPS. It also uses cell and Wifi signals to estimate location (hence the pop-up that "enabling wifi improves location accuracy"). So using location services may affect the behavior of the cell and wifi radios.
Second, virtually all phones (and many other devices that expects to often have internet communications) use what's called "assisted GPS", which is where the satellite ephemerides and almanac are downloaded through a side channel and passed to the GPS chip (along with an estimate of the current time and location)
That greatly improves the time to first fix because the receiver knows exactly which satellites are above the horizon, and also doesn't have to wait for each satellite to broadcast its ephemeris data (ephemeris is only broadcast once per 30 second frame, and you aren't guaranteed to receive it correctly the first time).
Tangentially related to the above, there's a very interesting paper from Microsoft where they are able to recover the location of a very low duty-cycle receiver using only an estimate of the code phase relative to the internal clock (so the navigation message is never even decoded by the device).
They (of course) needed to record the ephemerides (at the "base station") during the periods where they wanted to know the receiver's position, and there are duty cycle minimums to avoid 'cycle slip' (because the receiver only knows the code phase to an ambiguity of n2pi).
Edit: Oh, here it is: https://www.microsoft.com/en-us/research/wp-content/uploads/...
Tangent: it does, however, require higher energy usage than just not computing GPS location from the incoming/passive signal.
There's a lot of weird, potentially bad stuff that could fit into this description, though. I believe Apple has had problems with "accidentally" logging location data from their phones before.
I think it would be good for us iPhone users to know what the system is doing with our location.
Not a biggy to me - but not good.
I have an older version of adblock (adblockios) that allows blocking of even apple traffic using an on-device vpn at 127.0.0.1
Even if I turn off location services completely on the phone, it will continually contact the apple location services website *.ls.apple.com
(I see all kinds of other "interesting" stuff, like sentitlement2.mobile.att.net and cs9.wac.phicdn.net that seems to be baked into the os)
I wonder if they do the same with bluetooth iBeacons, which are limited in range and would therefore precisely pinpoint your location just by resolving the beacon.
My question then is WHY? If they allow granular control over some location collection settings, but not others, and the only way to disable background collection is to turn location off entirely, then doesn't this defeat the purpose of offering granular control at all? What possible reason could there be for having it set up this way?
In my ideal scenario, Maps would have location access when open or navigating but nothing else.
Finer granularity of trust (+ve or -ve) occurs only in exceptional cases.
As with so much in life (and in tech), the greatest process efficiency occurs when you standardise a common case and manage by exception.
> Apple : "The icon appears for system services that do not have a switch in Settings"
To me, Apple is saying you can't selectively disable certain services because there isn't an option. If Location Service is enable, these services will have access to them and there's nothing to be done about it. This seems lost on the Author.
> Article Author : "it seems they are saying their phones have some system services that query your location regardless of whether one has disabled this setting individually for all apps and iOS system services."
The Author seems to miss the fact that the unknown service causing the icon to appear isn't in the list of individual settings.
\* Regardless of whether Apple should be allowing an App/Service access to Location Services, when enabled, without user consent; to their credit they aren't hiding the fact that it's happening which to me is a good thing.
It's nuanced but it's the difference between "it's happening and you have no say" versus "I'm hiding the fact that it's happening from you because you have no say".
> ... If Location Service is enable, these services will have access to them ...
> The Author seems to miss the fact that the unknown service causing the icon to appear isn't in the list of individual settings.
OK, so how do we know what this mystery service does? The obvious candidates (E911/SOS, FindMyPhone, Location-based ads, etc) all appear in the list. I think this definitely raises questions about what remaining service is asking for location, and especially what that is being used for. Given that this article is coming from a security blog, there is a definite implication of questioning the intentionality / consent of a broad setting like "location services on/off" has unknown, unlisted users [and especially when most users of such a setting have individual toggles].
We don't, Apple didn't say.
> I think this definitely raises questions about what remaining service is asking for location, and especially what that is being used for.
> Given that this article is coming from a security blog, there is a definite implication of questioning ...
What I'm saying is that the blog missed the point entirely. They're saying it's a bug and that something isn't respecting an individual setting. Apple is saying that for the particular service there IS NO INDIVIDUAL SETTING.
It definitely raises questions as you stated AND it demonstrates that even when Apple considers something above user choice, they still do not hide it. They created a means for an App/Service to access Location Services, when enabled, without user's consent BUT they didn't create a way to hide it.
If Location Services are accessed, you receive a notification.
No, shifty isn't the right word. Without knowing what App/Service is above consent and what that App/Service does, I'm reluctant to label their actions because the Notification is correctly showing something accessing Location Services and Apple admitted it's happening.
It could be something innocuous and dumb like the Location Services service periodically caches GPS Ephemeris data, and since it's accessing itself to pull that data, a notification pops up.
It could also be something like the GovernmentMandatedTracking Service periodically querying your location.
The first example isn't shifty, it's just kinda dumb. The second example could be seen as either kind of like a Warrant Canary or incompetent if unintentional. Given the fact that Apple acknowledge it, I would lean towards Warrant Canary.
I either need it on and on for that app - and it phones home without permission.
Or I have to completely turn it off.
You can turn that off.
> probably hacked by multiple foreign services
Many of us hold on to the quaint notion that computers we own should be under our control.
If so, that sounds like a terrible idea to me. Sandboxing off applications from the hardware is a key aspect of security here. My opinion: the system should collect the location data (IF the global location services switch is on) and then parse it out following the user's granular selections for what apps they want to receive it. And that seems to be exactly the case.
Obviously the OS will know my location if Location services are on, it’s a case of what it does or does not do with that data.
For the unaware, iOS 13 apparently sends the Find My iPhone location of other phones to Apple. https://www.wired.com/story/apple-find-my-cryptography-bluet...
Thus before testing one should ensure that all diagnostics are also turned off because if diagnostics are on and location global switch is on too this is indeed expected.(NB: sorry lazy to try right now on my everyday phone).
It's hard to make the claim that showing weather on the lock screen is an essential service that user's shouldn't be allowed to disable.
Interesting, this is my understanding as well and don't see how anyone can claim it is a non issue.
Now regarding why there isn't a more concrete explanation from Apple: Krebs might have published before Apple was willing to make a statement; Apple may not want to commit to this being the only use of location outside a user's explicit control in system services; or Apple might believe uses like this are fine for the system because they aren't harvesting data off-device, and they want to continue having this ability.
Since the global location services switch works as you'd expect, I think there are a lot of good faith cases to be made for Apple here. Given their secrecy, we won't know for sure, but their statement seemed to suggest that they were confident this was an acceptable use.
> Disabling EED will not affect the regular NILR process: Emergency location data requested by the user’s carrier network will still be shared in accordance with the technology and policies of the network operator, and as required by law.
That quote is from this document: Enhanced Emergency Data, Apple, August 2018 (not sure about sharing rights, but I could find it by googling that name or quote).
It (AML, NILR like service) rolled out here in Sweden last week.
I think that slider is for Apple’s SOS features, which go beyond the legal requirements:
> After an emergency call ends, your iPhone alerts your emergency contacts with a text message, unless you choose to cancel. Your iPhone sends them your current location, and, for a period of time after you enter SOS mode, it sends updates to your emergency contacts when your location changes.
I’ve been finding myself more mindful and less anxious if I just queue up a locally stored podcast when commuting or walking, or just not expecting any texts.
Software will always have flaws and while there’s always malicious software, for most people simply not turning the phone on sidesteps these issues.
It sounds to me like that's exactly the case.
- Lost devices regularly emit Bluetooth chirps with encrypted payloads
- If any iOS 13 devices hears them, it relays them to iCloud (these devices cannot decrypt them)
- My guess is that the relaying device contributes its own GPS metadata. One of the design goals of Find My is that very low-battery devices can still emit location, so it makes sense they wouldn't spin up their own GPS receivers
I regularly bike around with non-Apple Bluetooth headphones. Anecdotally, I started getting some connection breakups at iOS 13 launch that I had never experienced. I'm pretty sure this is my phone briefly giving the Bluetooth radio more time to receive these chirps, and I'm biking by one.
(I was running the iOS beta since about mid-cycle, and didn't start getting these connection glitches until after public launch)
My home automation scans BTLE to augment my presence information, and these brief interruptions sound a lot like the slight interruption I get when I bike into range of my house.
Even devices turned off.
The problem with arbitrary apps having access to location info is the hell bent desire to steal/monetize that location by sending it to their servers. My assumption is that the location indicator has no way to distinguish between "safe system use vs anything else", because people inevitably find a why to exploit any OS "cleverness" to hide malicious behavior.
Why isn't there a control I can put in control center to toggle Location Services? Instead it takes 4-5 actions to do this. I was hoping Shortcuts would make this possible, but no. It's almost as if Apple wants to make it difficult...
Without a conspiratorial slant, the mostly commonly-used services have a control center toggle, and your use case is very, very, very much an edge case. It hardly seems like a priority to create a control center toggle that will show up on everybody's phone for the one person (you) that will ever use it.
At some point, perhaps we'll be able to add arbitrary shortcuts to control center, but I doubt it.
1. Emergency services
2. Road Traffic analytics for mapping.
Emergency services aren’t supposed to ever be disabled, if I remember the specs.
It will also send your location to Apple when no app is requesting your location:
"If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations."
Unlike on Android, you cannot get your location without sending this data to Apple:
"To use features such as these, you must enable Location Services on your iPhone"
Lineage does seem less stable than stock Android, however. I've had two apps crash, and apps never crashed on me with stock Android. But YMMV depending on what device you have and what apps you use.
Second, GPS sucks terribly in many cases. Are you inside a building? Inside a city financial core? Inside a tunnel? Also, did you know that unassisted GPS takes minutes to establish a lock even in most good cases; it is only because of the tower-provided assistance that GPS can resolve in less than a minute, ever.
Third, it doesn't matter what the location source is. The issue is what controls are in place for using the location data. And for sure relying on GPS does not solve that problem.
It's a product in the same category (mobile OS) that has a feature (privacy preserving location measurement) that another product does not.
you aren't about to get the masses moving over
You are using a strawman there. That was not my purpose in posting. This is Hacker News; I'm sharing my experience, presumably, with other intellectually curious people who might be surprised to know that a rather obscure option exists that they might not know about.
GPS sucks terribly in many cases
I think this deserves some study. I don't see why, in theory, it would need to be the case; the GPSTest app seems to do an excellent job of tracking satellites and reaquiring. The first time I used it it took ~2 minutes. But every time since it's been immediate.
It may be cynical of me, but I think I can be forgiven if don't think either Google or Apple are incentivized to fix GPS acquisition times. Continual, passive scanning of the local EM environment is much more information rich for them, and constitutes a considerable surveillance advantage. Bluetooth scanning especially allows constant, dynamic update of every person you are around. So by using these systems you're not just violating your own privacy, but anyone around you.
So, despite the downvotes, I am very proud of my comment and believe it to be quite on topic. Thanks.
Then how does every GPS device without a network connection work? I'm no GPS expert by my understanding is that GPS lock can be attained far more quickly if the device caches satellite position data and uses that to assist. That's why a Garmin watch may take 3 minutes to lock on first use (or after departing an international flight) but will subsequently lock in seconds after that.
While it's been a long, long time since I worked in the GPS field (I was a contract technical writer at Global Locate for a few months, a company that created one of the first A-GPS networks), it's my understanding that GPS receivers can cache almanac data (the basic orbital positions of GPS satellites) but not ephemeris data (more precise orbital information, including clock information, from individual satellites). To get a GPS lock, your GPS unit needs to get ephemeris data from three satellites. Assisted GPS provides initial ephemeris data over the cellular network so your phone or other cellular device can get it much faster.