Brazilian journalist Rodrigo Ghedin reported earlier this month that Apple Maps has a privacy bug that allows the app to collect user location data without user permission.
Apple has fixed the bug in the latest iOS 16.3 update. On Friday, the company issued a statement to AppleInsider and other tech media saying that there is no evidence that any app has exploited the vulnerability.
Apple said iOS has never been at risk and that the iFood delivery app mentioned in the report did not bypass user-set privacy controls.
"Apple has always believed that the right to know when to share data and with whom to share it should be in the hands of the user. We issued a privacy vulnerability advisory last week that only non-sandboxed apps on macOS could exploit. We then shared the code base to iOS and iPadOS, tvOS and watchOS, so the fixes and recommendations cover those operating systems as well, except they were never at risk. The claim that this vulnerability could allow apps to bypass user controls on the iPhone is false. One report also incorrectly implied that an iOS app was exploiting this or another vulnerability to bypass user control over location data. Our follow-up investigation concluded that the app was not circumventing user controls through any mechanism."
According to Ghedin, the local delivery app iFood can use the bug to track users’ locations in iOS 16.2, even if they turn off the app’s access to their location.