A report on Tuesday suggests Apple's iPhone 11 Pro, and potentially iPhone 11 models, continuously collect and transmit location data when user-selectable location services settings are disabled, behavior that could pose a potential security risk.
Outlined by security journalist Brian Krebs, iPhone 11 Pro appears to periodically ping its GPS module to gather location data in the face of user wishes.
Krebs demonstrated the activity in a video captured on an 11 Pro running Apple's latest iOS 13.2.3 software, which continues to collect GPS data for certain apps and system services despite manual disablement of individual Location Services in iPhone Settings. Interestingly, iPhone 11 Pro seeks GPS data even when an app's Location Services switch is set to "never" request said information.
Apple in a privacy policy available for perusal in iPhone's Location Services settings screen says the handset "will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations." The company states location-based system services can be disabled individually in Settings, but Krebs found iPhone or iOS makes exceptions for certain services.
"But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location," Krebs explains.
As evidenced in the short clip, Apple's iOS location services indicator, a small arrow icon that denotes recent or current use of GPS data, appears next to apps and services that have been manually disabled in Settings.
In iOS, users can enable and disable system location services through a user interface provided in the Privacy > Location Services section of the Settings app. The management apparatus is highly granular and offers control over first- and third-party apps, basic iOS services and other Apple features. These tools were bolstered in iOS 13, which greatly enhances user control over data sharing features and reduces the possibility of inadvertent location tracking features.
Previously, third-party apps could request persistent device location data upon initial setup, but iOS 13 removes that ability. Further, when always-on tracking is manually enabled in the Settings menu, a pop-up window periodically appears to remind users of the configuration and provides an option to turn it off.
Apple does not apply those same restrictions to its own apps, but does inform iPhone owners of its location services practices in software user agreements.
Krebs was unable to replicate the potential security issue on an iPhone 8. Whether Apple's iPhone 11 operates in an identical manner is unknown.
When contacted about the possible bug that seemingly contravenes its own privacy policy, Apple said the behavior was expected.
"We do not see any actual security implications," an Apple engineer said. "It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings."
Krebs believes the curious activity might be related to new iPhone hardware introduced to support Wi-Fi 6, but that theory remains unconfirmed.
For now, the only surefire way to avoid intermittent GPS pings on iPhone 11 Pro is to completely disable Location Services in Settings. Doing so, however, renders many iPhone features useless.