Respected security researcher Brian Krebs has discovered that the iPhone 11 Pro (and potentially other iPhone models) is still collecting location data even when users tell it not to. Specifically, Krebs found that even when all location service switches were set to “off” in iOS’s system settings, the iPhone 11 Pro was still indicating that it was accessing the phone’s location.
This was evident by iOS’s location warning that appears in the iPhone’s menu bar. A little arrowhead will show up whenever an app or system service is accessing location data. But as Krebs reports, given that he shut off all location access, this arrow should not have appeared. Krebs contacted Apple on November 13 about the vulnerability and Apple replied this week—but said it wasn’t a vulnerability at all. According to an Apple engineer that contacted him:
We do not see any actual security implications. It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings.
As Krebs points out, that last line is a bit unnerving. It states, “The icon appears for system services that do not have a switch in Settings.” However, the way iOS’s location and privacy settings are set up, it’s easy to assume a user has complete control over all location data access. But the Apple engineer’s answer seems to imply there are location services that Apple doesn’t advertise—and that it doesn’t give users control over.
You can check out Kreb demoing his discovery in the video below.