Brutkey

Adam Shostack :donor: :rebelverified:
@adamshostack@infosec.exchange

It shows as the 2nd app in swipe-up view, but I didn't open it.


Kos :verified_blobcat:
@kos@infosec.exchange

@adamshostack@infosec.exchange I've noticed this as well. Privacy center didn't indicate that it was using location. I enabled App Privacy Reporting on iOS intending to check that, but haven't had it pop up recently. It might be the "Local Network" permission, scanning for known airport SSIDs.

Osman
@osman@hachyderm.io

@adamshostack@infosec.exchange were you on WiFi? If so, maybe IP GeoLocation from your cellular or WiFi connection? Either way, in iOS there’s a “Background App Refresh” knob you’ll want to disable.

Adam Shostack :donor: :rebelverified:
@adamshostack@infosec.exchange

@osman@hachyderm.io Does background app refresh allow arbitrary net activity? I thought 💭💭 it went through some Apple infra but don’t recall why I think that 🤬🤬

Adam Shostack :donor: :rebelverified:
@adamshostack@infosec.exchange

@osman@hachyderm.io That allows location?

Osman
@osman@hachyderm.io

@adamshostack@infosec.exchange No.

The "Background App Refresh" setting allows for an app to execute code/tasks while not in the foreground[1]. If you disable the permission for an app or at the iOS level, it reduces the probability that an app is allowed to persist executing code when not in the foreground. Developers can still do shenanigans to persist beyond expectations though.

So if enabled, the setting allows the developer to register arbitrary background tasks such as analytics, cron jobs, etc. So Lyft MAY have registered a background task where they poll for network state changes or it may be time based or whatever else.

These background tasks allow for deduction of certain events (e.g. timezone change, IP change, etc.)

If you don't want to allow apps to persist in the background, you either have to turn it off system-wide OR on a per-app basis OR enable "Low Power Mode"[2], which also disables background tasks.

[1] Background App Refresh dev documentation:
https://developer.apple.com/documentation/uikit/using-background-tasks-to-update-your-app
[2] Low Power Mode:
https://support.apple.com/en-us/101604

#privacy #programming #iosdev

Chris Petrilli
@petrillic@hachyderm.io

@adamshostack@infosec.exchange @osman@hachyderm.io could be using something like (what was) Skyhook under the covers and slipping geolocation past Apple’s API restrictions.
