iFood, Brazilian largest food delivering app evaluated at USD
5.4 billion, was accessing his location when not open/in use,
bypassing an iOS setting that restrict an app’s access to certain
phone’s features. Even when the reader completely denied location
access to it, iFood’s app continued to access his phone’s
We got intrigued: how was iFood getting away with this?
An educated guess was revealed by iOS 16.3 release notes,
launched on January 23th. Apple mentions a security issue in Maps
in that “an app may be able to bypass Privacy preferences”. It’s
CVE-2023-23503, submitted by an anonymous researcher and, so
far, “reserved” in CVE’s system — which means details are pending
to be published.