from Hacker News

Apple allows some iOS apps to track user locations via lists of nearby SSIDs

by lloyds_barclays on 12/21/23, 2:18 PM with 300 comments

  • by paxys on 12/21/23, 4:24 PM

    Reading through the linked docs, this API seems to specifically be for apps created by owners of WiFi hotspots to help users connect to those hotspots (https://developer.apple.com/documentation/networkextension/h...).

    > NEHotspotHelper allows your app to participate in the process of authenticating with hotspot networks, that is, Wi-Fi networks where the user must interact with the network to gain access to the wider Internet.

    > NEHotspotHelper is only useful for hotspot integration. There are both technical and business restrictions that prevent it from being used for other tasks, such as accessory integration or Wi-Fi based location. Before using NEHotspotHelper, you must first be granted a special entitlement (com.apple.developer.networking.HotspotHelper) by Apple.

    Which makes sense, but then why exactly are apps like WeChat and Alipay granted this entitlement?

  • by coldcode on 12/21/23, 2:47 PM

    FYI, that API requires entitlements to be used, which are only available if you request them from Apple and justify their use. It's not a general-purpose API any app can use.

  • by eduction on 12/21/23, 3:22 PM

    I thought users were prompted to give permission for this already? I get asked if I want to give “local network” access to apps sometimes (- lot these days actually) which I take to mean the ability to see local WiFi hotspots. I almost always deny this (and after reading this just turned it off for Spotify). I think the dialog that asks for permission could be improved, though, as most people don’t realize this can be used to deduce their location.

  • by peddling-brink on 12/21/23, 2:51 PM

    Docs: https://developer.apple.com/documentation/technotes/tn3111-i... I’d guess a review would stop the smaller spam apps, but not the big players, as noted by the author and other commenters.

  • by thih9 on 12/21/23, 4:21 PM

    Which popular apps use that? Is it possible to check this?

    Like most here, I don’t have Wechat or Alipay installed. But I’m interested in e.g. Instagram, Facebook, Whatsapp, Twitter, Tiktok, Snapchat, Chrome, Firefox, Photoshop, Lightroom, etc.

  • by forward1 on 12/21/23, 9:14 PM

    Can we talk about the fact iOS/macOS turns on the Wifi and Bluetooth radios after each system update? Almost as if the devices were made deliberately to maximize spying, contrary to the marketing lullabies.

  • by captn3m0 on 12/21/23, 4:44 PM

    Now I'm curious - which other apps have this entitlement? Is there a way for me to find out which apps on my phone have this entitlement?

  • by ralmidani on 12/21/23, 5:18 PM

    This is one of the majors problems with completely locked-down platforms. Assurances that the owner of the platform respects your privacy and prevents others from violating it are really just a pinky promise.

  • by dang on 12/21/23, 6:05 PM

    We've heard complaints that this title is overstated, and I'd be happy to replace it with a better (i.e. more accurate and neutral) one, if anyone has a suggestion?

  • by mrpippy on 12/21/23, 2:52 PM

    It’s worth noting that use of NEHotspotHelper requires a special entitlement (com.apple.developer.networking.HotspotHelper) that you have to apply for, and presumably Apple won’t grant unless your app has a legitimate need for it.

    That said, this maybe shows an incompatibility between Apple’s privacy strategy and “super-apps” like WeChat and AliPay. When a company shoves all functionality into one app, that app suddenly has all the entitlements, and it’s harder to tell when and how any sensitive data is being used.

    The West generally doesn’t develop apps this way. For example, Comcast has a separate “WiFi Hotspots” app. Although LOL, they posted 2 days ago that its functionality is being combined into the main Xfinity app. Maybe the West is catching up.

  • by m463 on 12/22/23, 12:36 AM

    turn off location services, your phone still contacts ls.apple.com

    deep links, they go deeper than you think.

    ibeacons provide very precise indoor location, think of all the behavioral data a store app can collect.

    apple is not really your friend.

    seriously, apple should let you

    - know what is running

    - know what network traffic happens

    - control these thigns

    - run your own programs

    I would love an ios firewall program or non-neutered little snitch

  • by mannyv on 12/21/23, 4:54 PM

    They're not tracking locations because they're not using GPS.

    They are checking the environment for stuff that might have known locations, which is different. You can do the same with bluetooth/BLE.

  • by cglong on 12/22/23, 2:42 AM

    I wonder if Android's corresponding API has this same vulnerability. Based on my reading, it doesn't seem like it https://developer.android.com/develop/connectivity/wifi/wifi...

  • by ynniv on 12/21/23, 3:32 PM

    I thought local network access and WiFi details also required location services access for this reason.

  • by KindAndFriendly on 12/21/23, 7:00 PM

    For the last few months, I am consistently receiving spam calls (on my mobile number) shortly after I left the house regardless of weekday, time etc.

    I never thought about the idea that an app can track when I leave my (most frequently) used WiFi and derive from that I left home.

  • by Pesthuf on 12/21/23, 6:15 PM

    This three class developer system on iOS is ridiculous. There's the normal developer who can do little more on iOS that you couldn't also do with a web app. There's the "blessed" developer with special entitlements that lets them violate the privacy of their users in new and fun ways and also provide features nobody else can so the normal developers can't compete with their app. And then there's Apple and for their apps, the restrictions everyone else has to deal with are little more than suggestions. Wouldn't want third party apps to compete with Apple's on their own platform.

    If there's a legitimate use for these entitlements, everyone should be able to use them. And the ultimate choice for what an App should and shouldn't be able to do should be in the users' hands. But Apple needs to protect their shareholders from this horrid vision of the future.

  • by tqwhite on 12/21/23, 4:34 PM

    My iPhone asks if I want to allow an app to access the Local Network. I assume that this

    1) means that Apple does cover this situation and

    2) my opinion that the phrasing "Apple allows applications to track user locations without authorization" is contemptible

    are both true.

  • by raylad on 12/22/23, 10:42 AM

    Is there a similar capability for Bluetooth?

    I am trying to understand how TikTok can suggest "people you may know" when I have not shared my contacts, but have sat next to those people recently.

    Bluetooth seems the most likely.

  • by graftak on 12/21/23, 9:18 PM

    The latest iOS allows more (all?) automations to run without user acknowledgement so I made one that fully disables my WiFi when I leave my home.

    This does not solve the entire problem of course, but at least alleviates some of it.

  • by bengale on 12/22/23, 8:18 AM

    Is this how Tado does home WiFi detection for geofencing?

    Our company has an app that does geofencing and we’ve had no end of issues getting it to work consistently. This would have been useful.

  • by toasted-subs on 12/21/23, 5:59 PM

    Apple sometimes provides a prompt for letting photos be shown. Seems like sometimes they expose all your photos to application without asking.

    Seems worse to give your users a false sense of security.

  • by tinus_hn on 12/21/23, 3:25 PM

    One should realize that what they call ‘track user locations’ is actually ‘get a list of visible SSIDs’.

    Should be behind a permissions check, but not the end of the world.

  • by EchoReflection on 12/21/23, 6:43 PM

    case study in the power of word choice, this “headline” reads “Apple allows SOME iOS apps to track"... but the actual article to which this page links does not include the word "some", making (imo) Yingyu's article seem to indicate a much more nefarious situation.

  • by tremarley on 12/21/23, 7:31 PM

    And unfortunately, there is no way to truly turn off WiFi & Bluetooth on iOS devices.

  • by happytiger on 12/21/23, 6:55 PM

    Wait until people learn about Google sidewalk if they think this is bad.

    It is fundamentally intrinsic to the technology of most digital technology that: 1) their very data-driven nature leads to information gathering, and 2) the colossal and inherently inexhaustible recurring revenues in that data collection will always pull organizations and their leadership towards data collection at scale.

    The only conceivable framework for preventing information collection is to attach data privacy to the individual as an human right. Even “opting out” as an intrinsic default won’t be enough, though it is regulators’ and industries’ favorite kick-the-can strategy.

    Otherwise it’s just a question of time, as the incentive for profit is overwhelmingly attractive to companies, regulators and markets.

    Apple, for all the talk of privacy, cannot maintain the fiction of privacy while simulaneously answering to shareholders with a scale advertising business or really any advertising business of any revenue importance at all. Their promise of privacy for users died spiritually if not practically the moment they decided to dramatically expand their ad business, as it shifted the company from serving users as their customer with devices to making those same users the product to be sold.

    So this kind of thing is inherent and will continue to emerge from Apple. The opt-in, limited nature of who is allowed access matters very little. Just follow the incentives to understand corporate behavior.

  • by aurelien on 12/21/23, 6:22 PM

    Apple is evil

  • by _justinfunk on 12/21/23, 3:08 PM

    >Credit: This article was written with the assistance of ChatGPT for the purpose of refining my English writing.

    I appreciated this disclosure. The English was still a bit clunky - but it was a great use of the technology to open up the article to a wider audience. It felt sincere to me.

  • by kevinsync on 12/21/23, 5:41 PM

    Whenever location data collection comes up, I always think about that Seinfeld episode where Kramer is receiving misdialed MovieFone calls -- at first he just talks to the person and reads the movie times out of the newspaper. Very helpful.

    Eventually, he starts emulating the phone menus, asking the caller "Using your touch-tone keypad, please enter the first three letters of the movie title, now."

    When this doesn't work, he blurts out "Why don't you just tell me the movie you want to see???"

    Why in the holy hell do app developers who are trying to provide some kind of location-specific data not just ASK YOU WHERE YOU ARE? "I'm in Los Angeles" would suffice 99% of the time. If you go to Idaho, and care enough, change your location in that app -- now you get local bulletins about russet potatoes instead of encampment fires.

    This is a rhetorical question, no need to answer it, just screaming into the void.

  • by otterley on 12/21/23, 2:52 PM

    If you care about this, the best thing you can do to get Apple’s attention is to fill out the form at this site: https://www.apple.com/contact/feedback/ and select “product feedback.”

    Doing so was instrumental to persuading Apple a few years ago to add an option “allow only once” when apps asked for permission to access the user’s current location.

  • by mrtksn on 12/21/23, 2:47 PM

    TL;DR: Apps can access the nearby Wi-Fi hotspot SSID and MAC addresses through an API that is intended to help with connecting to hotspots. Then they can use this info to look-up in databases that collect SSIDs based on their locations.

    Seems like a valid concern, though the author's writing style can be off putting since has a tone with an agenda.

    However, AFAIK apps need to declare the use of this API and have a good reason for it(you fill up a form explaining why you need it and Apple has to agree to grant you the privilege). So, most likely your flashlight app is not tracking you.

    I'm sorry you don't like it but that's the truth, the author left out crucial details to make it juicier.

  • by andirk on 12/21/23, 3:46 PM

    Whether the user is aware and opt _in_ is the issue, right? But all of the network signals that are triggered by web applications, phone apps, OS, isn't it almost always possible to get SOME information about a user's geo location?

    There's a theory that Silk Road's Ross Ulbricht leaked his location via a Captcha on a website, despite actively covering his tracks.

    I think Bitcoin's Satoshi is/was an Australian bloke living in Japan because of his wording + timestamp on posts.

    I was able to send a friend a little hello message via a Facebook ad by hyper targeting them (before fb disallowed that), which also confirmed their location.

  • by cdme on 12/21/23, 4:39 PM

    My most blocked domain in nextDNS (which runs on all my devices) is metrics.icloud.com. books-analytics-events.apple.com is in the top 5 as well.

  • by m3kw9 on 12/21/23, 3:14 PM

    App that needs it will get it one way or another, is just not easy

  • by donohoe on 12/21/23, 2:52 PM

    How is it any different than an app that makes an request to their services API, thereby getting IP address which in itself can be used to get location information?

    There is always a vector for abuse, and I think Apple has taken large steps to reduce that. I find this story a bit of a non-event.