Apple Confirms iPhone 11 Pro Collects Location Data Even with Location Services Disabled

iPhone 11 Pro IP68 certification

A security researcher has discovered that the iPhone 11 Pro intermittently collects location data even when location services are disabled on the device. Apple has confirmed to the researcher that this is expected behavior which is a bit puzzling.

Apple explains in its privacy policy that your iPhone will periodically send geo-tagged locations of nearby Wi-Fi hotspots in an encrypted and anonymous manner to it. This data is used by Apple for creating a crowd-sourced database of Wi-Fi hotspots and cellular towers.

However, if a user wishes to, they can disable location services from Settings > Privacy > Location Services. But then Apple goes ahead and contradicts its own privacy policy on the iPhone 11 Pro by periodically getting it to send geo-tagged locations even with location services disabled. The behavior is found even on the latest iOS 13.2.3 release.

“We do not see any actual security implications,” an Apple engineer wrote in a response to KrebsOnSecurity. “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings.”

Apple’s response basically means that there are certain system services or parts that will access a user’s location from time to time even if location services are disabled. All location data sent to Apple is anonymized so it does not pose a privacy risk but the company not being clear about it is going to anger a lot of privacy-conscious folks out there.

While not mentioned, the same behavior is likely going to be exhibited by other iPhones as well including the iPhone 11.

It is possible that Apple is collecting location data even when the option is disabled for Find My device feature. The new Find My app in iOS 13 works even in offline mode using a number of advanced techniques. Apple is yet to reply to more follow up questions from the security researcher which should provide further clarity on this situation.

[Via Krebs on Security]