Getting user's location without Core Location (Serious Privacy Issue)

Originator: mugunth.kumar
Number: rdar://34052264
Date Originated: 24-08-2017
Status: Open
Resolved: No
Product: iOS
Product Version: 11
Classification: Privacy
Reproducible: Always

Area:
SystemConfiguration Framework

Summary:
In the latest iOS 11, it is still possible to access the WiFi AP, and using the MAC address of the AP, one can approximate the user's location without showing the privacy prompt.

Steps to Reproduce:
I've made proof-of-concept code and attached it.
Open the Xcode project in Xcode 9 beta 6 and run the app on a device.
You should mostly be able to see the user's coarse location without the location prompt.

Expected Results:
CNCopySupportedInterfaces and CNCopyCurrentNetworkInfo should return nil or a randomized MAC address.
Note that these APIs are deprecated in favour of the NetworkExtension framework, which doesn't have these issues.

Observed Results:
CNCopySupportedInterfaces and CNCopyCurrentNetworkInfo are returning correct results, and this could infringe on the user's privacy.

Version:
iOS 11 (Xcode Beta 6)

Notes:
The device should be connected to WiFi and not a hotspot.

Configuration:
