Was a Popular Brazilian Food Delivery App Bypassing Apple’s Location Privacy Settings on iOS?

Rodrigo Ghedin:

iFood, Brazil’s largest food delivery app, valued at USD 5.4 billion, was accessing his location when not open/in use, bypassing an iOS setting that restricts an app’s access to certain phone features. Even when the reader completely denied location access to it, iFood’s app continued to access his phone’s location.

We got intrigued: how was iFood getting away with this?

An educated guess was revealed by the iOS 16.3 release notes, launched on January 23rd. Apple mentions a security issue in Maps in that “an app may be able to bypass Privacy preferences”. It’s CVE-2023-23503, submitted by an anonymous researcher and, so far, “reserved” in CVE’s system — which means details are pending to be published.

Via Dan Goodin, who asks:

I wonder how long this vulnerability was in effect. There may have been massive amounts of location data that was collected without users suspecting a thing.

If the iFood app was really doing this, why is it still in the App Store? If circumventing location privacy by exploiting a bug doesn’t get you kicked out of the store, what does? My hope would be that iFood wasn’t doing this maliciously. But if they were, that should be a one-strike-and-you’re-out violation.

Tuesday, 31 January 2023