Hacker News new | past | comments | ask | show | jobs | submit login
Apple Explains Mysterious iPhone 11 Location Requests (krebsonsecurity.com)
299 points by feross 9 months ago | hide | past | favorite | 162 comments



The surprisingly positive aspect of this is that a piece of system software which is checking for location, which there is no toggle for in System Services, which nobody even new existed at all...

...still makes the the Location Services icon flash! The Location Services icon really does flash when anything uses Location Services, apparently.

This is no trivial thing to be thankful for, and hardly something I'm confident will be universally true forever.


Yeah, there's been cases where "This light means the webcam is active" and "This hardware switch toggles the WiFi on and off" were overridable.

Well, then again, I don't want an Alexa or Google Home, but I don't mind having an always-on Android phone with a microphone and 2 cameras...


> I don't mind having an always-on Android phone with a microphone and 2 cameras...

I'm not happy that I don't have the option of a hardware switch to disable the cameras and mics on a phone, but I can do everything a smart speaker does without bugging my home in the process.

If a company like samsung, LG, or Motorola offered a phone that really took user privacy seriously I think they'd find a lot of people would be interested, but until then I just have to assume my phone is spying on me at all times and I limit how I use it and what data I enter into it as a result.


The reason I bought an iPhone was that in my eyes I'm picking the lesser evil: only Apple is spying on me. While in Android's case it's Google, the smartphone vendor (Samsung, Huawei etc.) and hell knows how many others.

I of course don't have an irrefutable proof but judging by circumstantial evidence, news and PR, it's the best conclusion I can reach for now.

But I'm pretty sure my iPhone is spying on me anyway.


This is one of the reasons I'm considering switching to iPhone for my next phone, FWIW.


I’m on iPhone for a daily driver for similar reasons but considering switching to a Galaxy S9 running Lineage (to better boycott China), FWIW.


You might be better served by a Xiaomi phone. They have a very active dev community and apps and ADB tweaks that boycott the private data telemetry to China and Google are introduced and updated regularly. Or at least they were last I checked a year ago. :D


I’m particularly interested in boycotting Chinese made products to the best of my ability. That’s why I’m trying to switch off iPhone. I don’t see how a phone designed and produced in China would serve that goal.


I understand. I am simply pointing out an option for the price-sensitive folk who also don't mind going the extra mile to fight for their privacy and reduce tracking.

I personally prefer my iPhone.


> I'm not happy that I don't have the option of a hardware switch to disable the cameras and mics on a phone

Librem 5 is the phone you're looking for. Or a Pine Phone.


I've looked into Librem phones from time to time over the years and every time I check the phones are unavailable, usually back-ordered. I'm sure they've managed to ship something at some point but I haven't seen anyone IRL who has one. Pine seems to be about the same (maybe available next year although even then you'll likely be using an OS that's in beta). Not encouraging.

As much as I'd love to support these kinds of products they just don't seem ready.


People just started receiving their librem 5 phones.

I think the early pinephones are shipping too or very close to it


> but I haven't seen anyone IRL who has one

https://news.ycombinator.com/item?id=21696130


If you prefer a bit of OS polish while Librem improves, why not using AOSP on a Pixel or Xperia device?


It'll be some time before I replace my current device, but once I do I'll be looking for something that supports LineageOS or Replicant although that'd still leave the hardware suspect.


You can't really say it's a phone when phone calls are broken.


The mute switch on Amazon's Alexa hardware is supposed to be a hardware switch.

Once that's pressed the microphones are physically disconnected. The devices light up red to indicate this. (Not sure if all the more recent Alexa products still have this though)


I just learned about the mute switch yesterday. It's nice that they have one, but keeping your smart speaker mic off 100% of the time severely limits it's usefulness where as you can disable the smart assistant on your phone and still have a perfectly functional phone.


Do you have a reference of a case where this was violated? I had thought that Apple at least actually had real hardware paths to monitor webcam activity, unless the hardware was physically compromised.


Close; there's a precedent for it having been subverted via firmware compromise:

https://www.usenix.org/system/files/conference/usenixsecurit...


No, the Mac cam light is software activated.


Just read that there have been updates since this time:

https://daringfireball.net/2019/02/on_covering_webcams

> Here’s an answer I received from a former engineer at Apple who was intimately familiar with the software drivers for Mac webcams: "All cameras after that one were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]"


(“That one” being the MacBook comprised in the “iSeeYou” paper.)


It’s been hardwired for quite some time. There is still firmware on the sensor controller but it’s signed and verified now so you can’t just flash whatever you want to it.


True, although that software now runs on an specialized secure coprocessor


I think you're giving them just a little too much credit for implementing, essentially, a product that works as expected.

And the reason for that is partly because so many companies make products that don't work as expected. Or worse they make products intentionally designed to mislead users, most of whom have very little understanding of what their device is actually telling them.

More importantly, the super-users like yourself who know when they're being deceived by symbology in UI design don't get up in the companies face when you DO discover "hey, this symbology is misleading!" Granted, companies are intentionally vague when documenting such features so that you'll essentially shame yourself into not asking "what does this little symbol actually mean?"


When confidence that anybody else's products work 'as expected' is essentially zero, and doing the right thing comes at a significant extra cost, I think this is reasonable.


> The Location Services icon really does flash when anything uses Location Services, apparently.

That's not necessarily true, though.

It's just as likely the developer who implemented the feature forgot to set the "flashIcon = false" parameter in some low level API and nobody noticed. Without access to the source code we're just taking Apple's word for it.


[flagged]


"Nature abhors a vacuum". Apple created that vacuum. Perhaps they should err in favor of transparency for the people who are paying their bills ... but it's consistent with having chosen the dark path for the Macintosh, long ago.


You're treating this as evidence the location services indicator can't possibly be inhibited currently, laughable.


No, they're saying that this is evidence that it is currently not inhibited, and even called out that this may not always be the case.


Except it's not evidence of that at all. It's only evidence that this particular location services user didn't attempt to inhibit the indicator.

There can just as well be existing location services users, currently using location services without your knowledge, when you're relying on a flashing widget on the screen as your source of truth.


Evidence, not proof.


This brings up an issue I wish iOS and Android would solve. Location data is always very specific, as accurate as GPS or Cellular triangulation can offer (down to the centimeter in some cases). However the vast majority of use-cases don't need this level of precision. Maybe Maps for accurate directions require this, but rarely anything else. In this case the OS simply needs to know what country you are in, not what street corner you are on.

Why can't apps request less precise location data, and maybe let the user choose this? Another common example is Twitter, Facebook, Instagram, and even dating apps, don't need to know your location with precision, they usually just want the city or zip code with relative accuracy. My Weather app doesn't need to know what rock I'm standing next to for accurate forecasting.


iOS apps definitely do have this granular option. It's been around since iOS 2 SDK.

https://developer.apple.com/documentation/corelocation/clloc...


Very interesting. But when an app requests location permissions, it's still the same message right?

There's no way of knowing whether the app will be using your exact location, or just the city you're in?


Correct. Room for improvement would be giving users the option to see this and select/approve it.


I'd also want the option to choose any location as the location my phone sends to that app. I'd give each app a different city near me (when precision isn't that important) just to add more noise to my precise location.


As someone who jealously guards their personal data, I agree with you.

As a product manager/designer, I think that would end in disaster for any consumer-facing company that implemented it. The number of people who would enter random places, forget they did so, and then complain that their phone is broken or the app doesn't work would be staggering.


Android has supported this for ages, just not customized per app. they put it under dev options, i guesd to mitigate the demented user problem.


Windows 10 makes this distinction. It's a logical one, for sure.


Correct, and you can't restrict permissions either. If an app requests precise location, you should have the option to say "no thanks, you're getting the center of my postal code instead".


In the Netherlands your postal code is enough to narrow you down to a specific street. Not everything works like it does in the US.


It's not how it always works in the US either -- in Manhattan, certain postal codes can narrow you down to a single building ;)


That's missing the point. It can be a postal code, or a random point within a 10 mile radius, or something else.


I'd really appreciate more options like this - allowing you to spoof details.

At present, even though you have to approve permissions, I take it it's sufficiently rare for people to refuse them that app developers don't feel the need to rein themselves in, just based on the number of permissions still requested for very basic apps.

Allowing granular refusal was a step in the right direction, but plenty of apps still refuse to work unless granted permissions they don't need. Spoofing would be much better.


Does Apple enforce this when app is submitted to the App store for review? For example, weather app doesn't need the precise location


I wish we could do this on web, and see what location data we were going to send if we granted the permission.


Yeah I have wanted this option since the beginning. Precise location, no, but want to provide just my zip code or city or state? Maybe I'll actually say yes.


In that case it should inform the user about the accuracy of the location request.


This has been possible on Android since launch. https://developer.android.com/reference/android/Manifest.per...


I don't think Apple are requesting a lot of information as this article suggests right? It's just clearing the air as to why it needs to check for location when all manual toggles are switched off.

Even if it only asked for the country, the location icon would still appear.

How do you know that applications are requesting for more location data that others, just curious?


The apps can request less precise location data.

up to three km https://developer.apple.com/documentation/corelocation/clloc...


But if you're spying on the users of your app why would you limit the value of the data you're collecting? It'd be better to put that in the control of the user being exploited and not the app doing the spying


Applications that don’t need accurate location benefit by getting faster results and less battery drain (if the system last got a location 5 minutes ago it’s safe to say you are in the same city, so you can just get a cached result). It’s not really there for privacy, since even the city you are in is a lot of data to go on privacy-wise.


Sadly, I don’t think most applications care much about limiting battery drain…


Is the location randomised? Over lots of data points, your precise location could still be pinpointed, I'd imagine.


> My Weather app doesn't need to know what rock I'm standing next to for accurate forecasting.

Zip code is plenty, but they all seem to think they need gps.


...y'know what I find particularly nuts about this whole thing? That we only know about it because of that location icon in the status bar. Apple could have chosen to hide that icon for certain types of requests, and this story wouldn't exist.

I really hope that after this update is released, someone with checkm8 goes and checks what has actually changed. Not because I distrust Apple per se, but because we shouldn't be making discoveries based on a cosmetic icon.

Also, thank god for checkm8.

Edit: donkeyd, below, reminded me that this behavior is only on the iPhone 11, which isn't vulnerable to checkm8. Sigh...


> ...y'know what I find particularly nuts about this whole thing? That we only know about it because of that location icon in the status bar

It seems to me like discovering this from that status bar icon is a _good_ thing. It gives me more faith that the system isn't hiding particular types of calls from the user; that it's tying the system call to the icon being present.


Oh, the fact that researchers did find this absolutely speaks well of Apple! Although, there's a sort of confirmation bias here—if there's some other situation where requests go out and the icon never appears, we wouldn't know about it.


Yes and no. One of the results of iPhone 4's "antennagate" is that Apple changed the way the phone signal is displayed. They changed the algorithm, and made the signal bars more prominent in low signal situations [1]

I'm not suggesting they will change its behavior, but it wouldn't be unprecedented if they did.

EDIT: Changed the video start time to specific reference.

[1] https://youtu.be/b9eXYOA8TCk?t=672


That was the first time I actually watched that conference.

Steve Jobs presents a convincing case. It's now clear to me that the media hyped up a non-issue, or at least one that was ubiquitous across the state of the art at the time. And Apple's response is perfectly reasonable.

What exactly is your problem with his explanation of the changes?


I have no problem or strong opinion regarding iPhone 4's antenna debacle, I'm only referencing what has happened in the past about issues hyped by the media, and how Apple has handled them.

iPhone 4/4s remain my favorite iPhone generations to date.


Isn't that because previously it was just a measure of signal strength and wasn't a good measure of data quality / latency / bandwidth? A proper signal meter takes both strength and noise into account.


Where exactly in that 27 minutes long video are we supposed to be looking?


Just out of curiosity, how would you recommend that they do this without affecting the experience for the majority of people using their devices that, frankly, don't care?

How else should we be discovering this as opposed to the icon? I feel like a prompt or something to allow this for something that happens so frequently is just going to get UAC'd.


The majority of people aren’t going to ask all their apps and services to stop tracking them. This is for the minority of users who might be being tracked by an abusive ex, or an employee at a big company who wants temporary privacy to do a job interview at another company without it getting flagged by HR. If the data is being collected, we have seen in the press that the odds are high that it is being monetized/sold.


This is talking about wideband location scanning, not location services for an app. Apple's location services already do allow you to turn them off on a per-app basis.


Delusional.

Who cares if your Apple device constrains location information when, stochastically speaking, other devices within your proximity won't.

This has been meta for a long time: WiFi, Bluetooth, cell towers, TPMS, just to name a few common mappings. UWB is yet another PHY contributing to the datapool.


With Apple devices, at least, the location of said devices is never reported to anyone other than the device owner. Apple uses anonymous Mac addresses that are mapped on device to do their triangulation and they don't identify to other devices. Even if another devices were keeping a list of every device that attempted to connect to it, it would never get the same value twice nor would it get an accurate address so it would be functionally useless to anyone trying to collect it using that info.


Security researchers should be able to gain fully privileged access to their devices, via a process that is well-hidden from the average user.

I hope those special iPhones for security researchers come out soon.


Did you just say secret backdoor or secret root account for research purposes?


Sorry, that's definitely not what I meant!

I would like there to be a process similar to disabling System Integrity Protection on macOS, which requires booting into recovery mode. From there you can gain kernel access and inspect whatever processes you want.

It won't happen, and I consider it a major problem with iOS.


I also feel like iOS should have such a mode, but I also imagine that if it existed there would be a million pages saying, "Hey kids, want to install this cracked game? It's easy, first get your dad's iPhone and turn off system integrity protection…" It already happens with enterprise certs.


Well for that specific case, you'd need your Dad's passcode to install the enterprise cert. But "Facebook Research" is a thing that happened.

I think there's more that could be done to make the process unappealing. What if the setting erased all data on the phone, a la unlocking the bootloader on Android? What if there was a one-week time delay before the setting took effect? What if you had to visit an Apple Store?

(I don't like that last option, because it makes research inaccessible to e.g. people in countries without Apple Stores. But it would be better than what we have now.)


Facebook and Google literally targeted kids to install enterprise profiles so they could VPN and spy on all their traffic.


This is news to me. Mind sharing a link?



> I would like there to be a process similar to disabling System Integrity Protection on macOS, which requires booting into recovery mode. From there you can gain kernel access and inspect whatever processes you want.

The biggest concern I'd have with this would be that it would almost certainly be abused to install undetectable surveillance software on devices, e.g. by a partner in an abusive relationship, or by overbearing parents on a child's device.


When you unlock the bootloader of an Android phone, Android (A) deletes all existing data on the device and (B) adds a big, red warning message to the startup screen. They're simple mitigations, but I have trouble imagining how someone in e.g. an abusive relationship wouldn't notice these changes.

Is it perfect? No, but everything in life is a tradeoff. And not being able to study our own devices is a big problem too.


That can be dealt with though. Could be like Safe Mode in Windows was/ used to be, where your wallpaper gets replaced by text saying you're in unprotected mode.


That could easily be disabled, though. The whole point of this mode is to allow users to tamper with the device, after all; it would be difficult to stop users from tampering with code which checked whether the device was in that mode.


I’d imagine maybe a special mode in Xcode where you could connect via USB and get extra debugging.


Then Cellebrite would spoof that.


The way this is done currently is in hardware. Manufacture of these devices is extremely restricted. It is unlikely that Apple will ever give these devices to non-Apple employees.


Except they literally announced they would.

https://www.wired.com/story/apple-hacker-iphone-bug-bounty-m...


AFAIK, iPhone 11 isn't vulnerable to checkm8, so I don't think it's useful in this case.


Oh, that's right, this is iPhone 11 only. :/


Not at all, iPhones are physical devices that obey the laws of physics(Apple would claim that they are magical but in reality, they are electronic devices).

This means you can analyze these devices and deduct the way they are working.

Having access to the system or the source code can make things easier but not having those doesn't mean you can't look for shenanigans.


It does make it much harder though and you can hide shenanigans in encrypted communications during seemingly benign situations where use of location data is expected.


Sure, the more access you have the easier it gets, but even if you have full source code access and full hardware access it doesn't guarantee anything. There was a very serious security bug in OpenSSL that went unnoticed for a year(Heartbleed). If the attacker is sophisticated enough, they can introduce complex bugs that are very hard to reason from the source code and maintain plausible deniability.


You don’t need a jailbreak to verify that this is fixed, fortunately.


How would you verify the fix without a Jailbreak? All I can think of is continuing to rely on that stupid icon. I think I trust Apple to not just hide the icon and call it a day, but I find it quite disconcerting to think that if they did, we’d probably never know.


You could pull the binary from the OS and reverse it.


Reading location via GPS is passive with no outbound data transmission. As Apple explained, in line with the Apple engineer's prior response, there is a reason why this is not a privacy leak. It does not transmit the geo data off of the device at all. If they were transmitting it, people would see the data packets and want to know what it is.


I'm surprised there aren't hackers out there that have created a cell phone tower in a box to obtain all outbound traffic from a device and reverse engineered all the comms chatter to be 100% sure what's going on with phones.

Given that these devices exist and are in use by law enforcement to catch criminals, we know this is feasible.


Myself and my colleagues do exactly this every day.

Relevant to current story: https://twitter.com/chronic/status/1202386593387966464

I am sure many companies in the information security field are doing the same.

It would be nice if there was a simple way to allow anyone with a phone to easily analyze all of their own traffic.


and yet, this is OS 11 with no signs of camera and microphone access icon (we never know if a certain social media co is using our live camera in the background). Just saying that there is a lot of optics related to phone 'privacy'


As I mentioned on the previous story about this, my phone checking where it is doesn't bother me. My phone sharing my location without me knowing does bother me.

I'm far more bothered by the fact that my Roomba requests location data than I am this. Seriously Roomba, WTF.


Roomba's trying to get out of your house. Roomba wants to be a free vacuum cleaner.


Sometimes checking is sharing.

I think there are ways to design APIs to be more private, but noone seems to do it.

For instance, one way to figure out your time zone is to send your location to a server, which will return the time zone.

Another more private way might be to load a list of location vs timezones for a region of the US, then calculate your timezone locally.


I implemented something like this a couple years ago and the geometry files used for timezone lookup were surprisingly large (~200 MB at decent precision)! I ended up simplifying the geometries drastically to minimize data requirements and compute burden of the lookups, but if you need higher precision, server reverse geocoding may be your only option in constrained environments.


On the other hand, with my example the timezone data can be stored and used locally until you leave the region.


That's such an excellent point!

Why do you think companies are not defaulting to this behavior? it feels like the right time to be working on closed-circuit software solutions as an alternative measure.


On iOS, there is no way to do this. Every location request will ultimately send your location to Apple.


No: you can get location from GPS entirely on-device.


I never claimed you couldn't. I said that if you get your GPS location, iOS will send it to Apple, and there is nothing you can do to stop it.

"By enabling Location Services for your devices, you agree and consent to the transmission, collection, maintenance, processing, and use of your location data and location search queries by Apple and its partners and licensees to provide and improve location-based and road traffic-based products and services."

It will also send your location to Apple when no app is requesting your location:

"If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations."

Unlike on Android, you cannot get your location without sending this data to Apple:

"To use features such as these, you must enable Location Services on your iPhone"

https://support.apple.com/en-us/HT207056


> I said that if you get your GPS location, iOS will send it to Apple, and there is nothing you can do to stop it.

Turn off networking. You can still get your location via GPS, but there is no way to send this back to Apple.

> By enabling Location Services for your devices

You seem to be confusing Location Services with location data. Location Services are the value adds mentioned in the support article, from which it's clear that they largely require sending your location to work.


> Turn off networking. You can still get your location via GPS, but there is no way to send this back to Apple.

Technically true, but this makes your iPhone a dumber dumb phone than it already is, and I doubt anybody would seriously use this mitigation.

> You seem to be confusing Location Services with location data.

You cannot get location data without enabling Location Services.

"Location Services allows Apple and third-party apps and websites to gather and use information based on the current location of your iPhone or Apple Watch to provide a variety of location-based services. For example, an app might use your location data and location search query to help you find nearby coffee shops or theaters, or your device may set its time zone automatically based on your current location."


> Technically true, but…I doubt anybody would seriously use this mitigation.

People don't usually do this purposefully as a "mitigation", yes; however it is still a useful feature to have when dealing with poor connectivity. But more on topic, you seem to be talking about Android somehow doing something else? Is there a way that Android lets you get location services (see below) without sending your location to Google?

> this makes your iPhone a dumber dumb phone than it already is

If you're going to argue, please do so with at least the barest hint of good faith please.

> You cannot get location data without enabling Location Services.

You can get basic location data by turning on your GPS and making a couple of CoreLocation calls. You can get additional location information by sending this location (or a location query) to Apple to get some additional information about it, as mentioned in the quote you shared. In any case, we both know exactly what information we're talking about: you can figure out where you are without talking to Apple, and if you want to know about restaurants or turn off the sprinklers when you get to work then you're going to have to go through them. Whatever you choose to call it is not relevant.


> You can get basic location data by turning on your GPS and making a couple of CoreLocation calls

You can't without enabling Location Services. If you could, that would be a huge security hole because users can only disable Location Services and not CoreLocation.

https://support.apple.com/en-us/HT207092

> however it is still a useful feature to have when dealing with poor connectivity.

In order to not send your location to Apple, you have to leave the network off. The location will be stored on the device and synced to Apple later if not. Nobody is going to do that just to not send their location to Apple. They'll get a phone that they are in control of instead.

> Is there a way that Android lets you get location services (see below) without sending your location to Google?

Yes. Just request location permission and use the location API. If you want AGPS functionality, you still have to request the location permission, but you need to call a Google API (or an Amazon API on Amazon devices, etc.).

> If you're going to argue, please do so with at least the barest hint of good faith please.

I'm just pointing out how ridiculous your mitigation is using an equally ridiculous description.


> You can't without enabling Location Services. If you could, that would be a huge security hole because users can only disable Location Services and not CoreLocation.

You are right. I was looking in the disassembly of CoreLocation and misread where the controls for this were (and what they were named in the UI)–see below. Sorry about that.

> In order to not send your location to Apple, you have to leave the network off.

There's a bunch of toggles to switch off sending location data to Apple, specifically, in the Location Services settings page. So you can have Location Services on but not send anything to Apple, unless the app does so itself.

> The location will be stored on the device and synced to Apple later if not.

From the code, it seemed like this was for syncing frequent locations (which is end-to-end encrypted).

> They'll get a phone that they are in control of instead.

I am assuming you're claiming this is an Android device?

> I'm just pointing out how ridiculous your mitigation is using an equally ridiculous description.

You're really not; you're coming in, whether you're serious or not, with the argument that iPhones are "dumb", which is not useful or even related to the point. Countering my "ridiculous mitigation" (which I have not even described as a mitigation, mind you; I was just pointing out that you can get data from GPS without sending anything to Apple; if anything the "mitigation" I will point you to now is the set of switches that I mentioned before) with another one just does not help keep this conversation on track. It's quite literally flamebait.


> So you can have Location Services on but not send anything to Apple, unless the app does so itself.

There is no such setting. https://hifutureself.com/ios-location-system-services-settin...

It is not enough to disable Location Services for Apple apps. If any app requests location, even non-Apple apps, your location will be sent to Apple, as I showed above.

> I am assuming you're claiming this is an Android device?

You can use them without sending data anywhere you don't want.

> iPhones are "dumb",

I was very clearly riffing off the term "smartphone." A phone that has network disabled as you suggested cannot be called smart. What's the opposite of smart?


that doesn't mean that apple doesn't cache your location, or build up a list of location-to-wifi-access-points for their crowdsourced wifi location database.


> Seriously Roomba, WTF.

Isn't this a long-standing issue where Bluetooth access falls under the "location services" category because one can use the Bluetooth hardware to guess your location based on known beacons?


This is because Apple is silently building a survailance network for lost devices, the UWB chip in the iPhone 11 is also in the Airpods Pro and will be on all future Apple things. Say I leave my Airpods pro in the conference room of an office I was at earlier for a job interview... with Apple's UWB magic, any iPhone 11 can be used to find my airpods, not just mine... This is for locational discovery of all future apple devices, this mesh network allows someone to use your device as the exit to apples location servers.


How do we not know that they would only allow discovery of devices linked to your Apple account?


If you read the white paper it makes it clear that location information isn't limited by policy (permissions, etc), but rather by actual cryptographic techniques that need your devices to access. It is designed so that you can always have find my X working without simultaneously requiring your (unencrypted) location being sent to apple.


The only way we will know that those claims are remotely true is if they release spice code. Until then, how can we know?


I mean if you're unwilling to accept a published document from them, then you can't accept any claims by any company. Including Google + Android.

At least, unlike android, iOS indicated that the location system was being used.


Android shows this. Not sure why Android is relevant in this thread, seems like a pivot


The description of the system so far has detailed that only you and one of your other devices can discover where your lost device is, and no one else.


I never get why cell phones don’t have the indicator light that tells you the camera is on. Ideally this light would be physically linked to the power going to the camera and the light would be impossible to disable without physically altering the device. I’d like the same for the microphone. I think location based stuff is a little more instantaneous in turn harder to accomplish but generally speaking more indicators that cannot be disabled with software tightly coupled with sensors potentially violating our privacy.


> I never get why cell phones don’t have the indicator light that tells you the camera is on.

Reduces BOM, manufacturing cost, board space needed, and battery drain to exclude it.

LEDs on phones were all the rage (at least one Blackberry model had an LED accessible by apps IIRC) until Apple took the market by storm and then everyone started copying their aesthetic.

> Ideally this light would be physically linked to the power going to the camera and the light would be impossible to disable without physically altering the device.

There's no way for you to verify unless you built the camera yourself or can remove the camera.


Many phones have LEDs but do not have software support for it. Sometimes it goes a long time before someone recognizes that a LED hides in the speaker grill and then boom, someone writes an app to enable it. The manufacturer was contempt with adding a LED to a device and not caring if it ever was used. Cost was not part of it.

Even google, on it's nexus 5, had a LED. A prominent RGB LED that could do everything you ever wanted. Well, unless you relied on google for the software which if possible made it worse than if it hadn't existed.

Then you open up the phone to replace the dying battery. And behold, multiple SMA type connectors for external antennas(?) One wonders if a single person on earth found a use for them. Cost optimization don't seem to be that important.

Now for the camera LED I don't think phone manufacturers want to even admit that it is something anyone should be worried about. So their strategy is likely to pretend that there doesn't even exist any issues to worry about. Probably works out pretty well for them.


iFixit can disassemble one and check with a scope.


I have that feature on the OnePlus 7 Pro. Thanks, pop-up cameras!


The microphone isn't powered, so there's no way to do something as direct as you're asking for. A light indicating that it's "listening" would necessarily have to be controlled by software at some level.


It turns out the microphone modules used in smartphones have integrated preamp and ADC circuitry which needs to be powered.

This makes a lot of sense as mobile phones are an extremely hostile RF environment. If it were any other way, the phone's sound inputs would be flooded with that iconic "cell phone interference" sound.

Old but still interesting:

https://www.ifixit.com/Teardown/iPhone+4+Microphone+Teardown...


Fact: All software is constrained by hardware. Period.

What you describe as "no way" is a 2-second napkin sketch for any witting electronics hobbyist, let alone a proper design EE professional.


Exactly! Set up those constraints such that a light hard wired into the power for a sensor such that if the sensor has power, the light has power too.


It is astonishing to me, that one of the best known IT security researchers has to rely on a flashing icon to determine if location services were used or not.

Apple could easily disable said icon in certain cases. This begs the question: Isn‘t there a more reliable way to determine if an iPhone uses location services and maybe even say for sure for what they are used?


Absolutely. You can reverse engineer components of iOS to find this out, and analyze outgoing network traffic as a quick way to see what data is going out to remote servers.

The icon, in this case, was a helpful indicator allowing others to easily reproduce this test in minutes.


"The management of Ultrawide Band compliance and its use of location data is done entirely on the device and Apple is not collecting user location data."

Call me paranoid, but this statement is telling us that:

"The management of UWB compliance and the management of its use of location data is done on the device" -- which okays that the data can be used outside the device, only the management needs to be done on the inside,

"Apple is not collecting user location data." -- which could mean that some other parties (not Apple) _could_ collect user location data.


The thing that I find amusing is that we are talking about an implementation of Google's own White Spaces initiative that is working as intended.

To use the same frequency band allocated to uses like television and radio broadcasting without interference, you need a way to know which frequencies are already in use by the local stations at your location.

>So-called "white space" frequencies have considerable benefits when compared to traditional Wi-Fi signals, and now Google has created an API to make the process of utilizing them easier. Companies using the Spectrum Database API will be able to search for frequencies unoccupied by TV or radio signals in specific areas of the United States, and register equipment that uses those frequencies to broadcast wireless internet.

Google has championed unlicensed TV white space (TVWS) over the last few years. The FCC approved the use of Google's TVWS database in June, after tests began in March.

https://www.theverge.com/2013/11/15/5106218/google-database-...

Apple appears to be doing nothing more than querying a local copy of the database to look up which frequencies must be avoided at the current location.

All the Android phones that adopt ultra wideband technology will have to do the same thing.


UWB is not White Spaces.

White Spaces was a plan to make frequencies once allocated to analog TV broadcasters unlicensed (similar to the existing ISM bands). This would give things like WiFi access points more spectrum to use, without fundamentally changing how the protocols worked. (Same signal, different RF frontend for the new frequencies.)

UWB is a very low-power spread-spectrum technique. It decreases power and increases the bandwidth used to achieve a usable channel capacity. The idea is that the power is so low that it won't interfere with licensed users, even though it's using licensed frequencies. The downside is that it's a lot more complicated and requires new hardware and electronics techniques to implement. (I assume the reason it's disabled in some regions is because they haven't convinced the relevant authorities that it doesn't actually interfere with licensed users while using their spectrum.)


The previous related thread: https://news.ycombinator.com/item?id=21699576


This is simply a case of a new system service of which there are many: Location, Photos, Calendar, etc. and now, Ultra Wideband (UWB), being rolled out without being tied into the existing permission model.

https://developer.apple.com/design/human-interface-guideline...


If Apple introduces tile like competitor, would it lower the threshold for creepy and stalky folks to track others? Would it be as easy and slipping in a Apple Tile and its location be crowdsourced back to Apple and therefore to the stalker?


You don't even know to go that far if apple's aspirations for devices helping you locate your things goes to fruition- "accidentally" slip your airpods into someone else's bag and apple will helpfully locate it for you until your airpod's case goes out of power

There are going to be a lot of issues if apple just lets you track things at range


Yep, it’s a beta called B389


Technically, that is the hardware product codenames (Closely tracking with AirPods it seems, B188 and B288)


This is actually awesome. If Apple wanted they could have made the indicator not show up at all when that feature uses location. This means they are staying true to the promise.


Location-check icon still appears on iPhone 11 when Airdrop is disabled via Apple Configurator policy and location permission denied for all Apple system services.

Is UWB used for features other than Airdrop? Location reporting of nearby tags/devices?

One avenue of investigation would be to capture all iPhone 11 traffic via VPN (e.g. Charles Proxy) and correlate network traffic with appearance of the location indicator.


This test would not yield a useful result in this particular case, as the data is processed locally on-device and is not sent to a remote server.


[flagged]


As far as I can tell it comes down to their perception as a status symbol and/or buy-in to the apple ecosystem. When you're using apple everything an iphone might make sense.


in other words: "yes we can have your location at any time, and we are not collecting the data, I promise!"


Turning off Location Services completely still turns this off. There is just no specific switch to turn only this off (so if you turn off all the other specific switches, this stays on).


I seem to have missed something:

Apple claims Location Services cannot be disabled because it is needed for Ultrawide Band (UWB) compliance.

And what about UWB? It cannot be disabled either? Do you have a say if someone wants to send you a file 'simply by pointing at your iPhone'?


Airdrop is not a new feature. You can whitelist people that can use it on you.


It seems that the answer raises even more of an eyebrow than the original question... why is UWB active in devices if no end-user application can yet benefit from it?


AirDrop already benefits from it.


Does iOS still make location requests when AirDrop is turned off?



Because AirDrop is using it?


“Ultra Wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” the statement continues. “iOS uses Location Services to help determine if iPhone is in these prohibited locations in order to disable Ultra Wideband and comply with regulations. The management of Ultrawide Band compliance and its use of location data is done entirely on the device and Apple is not collecting user location data.”

Ridiculous. The phone always knows very well what country and what regulatory region it's operating in. Otherwise, how could it know what cellular bands to use?


> Otherwise, how could it know what cellular bands to use?

By passively listening for what bands are being broadcast on? I mean, dumb phones without any kind of location support whatsoever could do that, without determining what regulatory region they are in.


By passively listening for what bands are being broadcast on?

Exactly, that's my whole point. Obviously I didn't make it clearly enough.

Are you in the 0.0001% of the planet's populated area where the local cell network doesn't tell you roughly where you are? Fine, then turn on location services. That's almost never going to be the case.


I think it's a bit more nuanced than being at the country level.

For instance -

https://support.apple.com/en-ca/guide/iphone/iph771fd0aad/io...

"Australia: Ultra Wideband transmitters must not be operated within a nominated distance from specified Australian radio-astronomy sites."

Further, your phone certainly doesn't have to know where it is to figure out what cellular bands to use, but instead that's based upon the SIM and cell provider settings.


a) Not all of the bands enabled by the phone's SIM are usable in all locations. Because this information is transmitted by the cell site, the phone does not have to enable location services. It knows where it is and what frequencies it can use, trust me.

b) There are other locations where the entire phone isn't allowed to be turned on (the NRAO quiet zone near Green Bank comes to mind, unless this has changed recently.)

So, no. This is not a valid excuse.


The only way to ensure location privacy is to interfere with GPS. When you wish to use the location feature, turn off the GPS interference. As such technique is pretty esoteric, it's unlikely Apple will develop counter techniques until it becomes more popular.

As has been mentioned before, relying on some icon on your screen is rather naive unless Apple has provided some legal assurance that we can.

It would be a good question to pose to Apple - can the icon be overridden to not be shown or shown so quickly that it is effectively invisible?




Applications are open for YC Winter 2021

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: