FYI, that API requires entitlements to be used, which are only available if you request them from Apple and justify their use. It's not a general-purpose API any app can use.
It’s worth noting that use of NEHotspotHelper requires a special entitlement (com.apple.developer.networking.HotspotHelper) that you have to apply for, and presumably Apple won’t grant unless your app has a legitimate need for it.
That said, this maybe shows an incompatibility between Apple’s privacy strategy and “super-apps” like WeChat and AliPay. When a company shoves all functionality into one app, that app suddenly has all the entitlements, and it’s harder to tell when and how any sensitive data is being used.
The West generally doesn’t develop apps this way. For example, Comcast has a separate “WiFi Hotspots” app. Although LOL, they posted 2 days ago that its functionality is being combined into the main Xfinity app. Maybe the West is catching up.
I love when I launch an app and then get a bevy of requests to access my Camera, my Microphone, my Contacts, etc...
I nope out and if the functionality of the app is trashed, so goes the app....
Google Maps constantly hounding me to turn on precision location services, asking me if I am navigating for a friend and to allow access to my contacts... Wow, no.
You don't think location is useful for a map ... ?
It wants precise location — which I take to mean war-driving WiFi. GPS I am okay with for a map app.
Precise location _is_ GPS, not the other way around.
IIRC, non-precise location is cell tower level location or the like, possibly a 12 square mile area. It is also very cheap if the device is already connected to a tower.
Precise location may be from Apple's SSID database or from a GPS system.
Non-precise location may help with getting more appropriate search results but won't help you with turn-by-turn navigation.
Well, a physical map certainly doesn't keep pestering me for my location...
presumably Apple won’t grant unless your app has a legitimate need for it.
Increasingly clear that Apple is in charge of what happens on your devices not the users themselves.
Wasn't it ever thus?
I had the first iPhone up to the 3GS. It didn't feel that way then. Now there are continuous software updates that keep changing arbitrary and invisible policies.
I had the first iPhone up to the 3GS. It didn't feel that way then.
The history of smartphones is control being tightened further and further over time. With the phones you had, apps could track your location lots of different ways, and over time those data leaks are being bricked shut. Everything is moving in the direction from "Apps can do whatever they feel like" to "Apple controls what apps can do" to "The user controls what apps can do".
This specific leak seems like it's stuck in the "Apple controls what apps can do" stage, so hopefully this post will help get it moving again.
You’re just more aware of it now. The privacy controls are MUCH tighter now than they were in that era.
If you’re a software developer, you must understand that the user cannot actually understand what any code is doing. Even if you’re using open source, it’s an illusion to think you know what it’s doing. Heck, even the developer doesn’t know what it’s doing a lot of the time (how long does it take to figure out what’s happening with a tricky bug?).
So yes, Apple’s policies do mediate what a developer can do on behalf of the user. That’s how it works.
com.apple.developer.networking.HotspotHelper
Where do you revoke this entitlement on iOS? Settings → Privacy & Security → Local Network? Or is this something else?
General > Reset > Reset Location and Privacy Settings
You didn't grant any location access in the first place, so why would this work?
AFAIK entitlements are not necessarily exposed as toggles.
Is there a way for an end user to see which apps have this entitlement?
I don’t think you can unless you have a jailbroken device. If I remember correctly, entitlements are stored in the AppStore receipt file.
You can view the entitlements from the extracted ipa by using the codesign tool. So it is totally possible to see if an app has this entitlement.
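One way to turn that codesign output into a repeatable check, as an added example (not code from the thread, from Apple, or from any app vendor): on macOS, `codesign -d --entitlements :- Payload/SomeApp.app > ents.plist` writes the entitlements plist, and this script flags the HotspotHelper entitlement in it. The two sample plists and the app identifiers in them are constructed for the demonstration.

```python
"""Audit an iOS app's entitlements plist for the NEHotspotHelper capability."""
import plistlib
import sys

HOTSPOT_HELPER = "com.apple.developer.networking.HotspotHelper"

# Entitlement keys worth flagging in a privacy review. HotspotHelper is the one
# discussed in the thread; wifi-info is Apple's "Access WiFi Information" key.
SENSITIVE = {
    HOTSPOT_HELPER: "hotspot helper: sees nearby SSIDs/BSSIDs without a location prompt",
    "com.apple.developer.networking.wifi-info": "can read the SSID/BSSID of the joined network",
}

# Constructed sample, in the shape codesign prints for an app that holds
# the HotspotHelper entitlement.
SAMPLE_WITH_HOTSPOT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID0000.com.example.superapp</string>
    <key>com.apple.developer.networking.HotspotHelper</key>
    <true/>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
"""

# Constructed sample: the key is present but false, so nothing is granted.
SAMPLE_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID0000.com.example.flashlight</string>
    <key>com.apple.developer.networking.HotspotHelper</key>
    <false/>
</dict>
</plist>
"""


def strip_blob_header(data: bytes) -> bytes:
    """Drop the 8-byte blob header (magic 0xfade7171 + big-endian length) that
    codesign prepends to the entitlements unless ':-' is given as output path."""
    if len(data) >= 8 and data[:4] == b"\xfa\xde\x71\x71":
        return data[8:]
    return data


def parse_entitlements(data: bytes) -> dict:
    """Parse XML or binary plist bytes into a dict; empty input gives {}."""
    data = strip_blob_header(data).strip()
    if not data:
        return {}
    ents = plistlib.loads(data)
    return ents if isinstance(ents, dict) else {}


def is_granted(value) -> bool:
    """An entitlement is effective only when its value is truthy; a literal
    <false/>, empty string or empty array grants nothing."""
    return bool(value)


def has_hotspot_helper(ents: dict) -> bool:
    return is_granted(ents.get(HOTSPOT_HELPER))


def audit(data: bytes) -> dict:
    """Return {entitlement key: reason} for every sensitive entitlement that is granted."""
    ents = parse_entitlements(data)
    return {key: why for key, why in SENSITIVE.items() if is_granted(ents.get(key))}


def main(argv):
    # Usage: python audit_entitlements.py [ents.plist]; defaults to the samples.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            sources = {argv[1]: fh.read()}
    else:
        sources = {"superapp (sample)": SAMPLE_WITH_HOTSPOT,
                   "flashlight (sample)": SAMPLE_CLEAN}
    for name, blob in sources.items():
        findings = audit(blob)
        print(f"{name}: {'FLAGGED' if findings else 'ok'}")
        for key, why in findings.items():
            print(f"  {key}: {why}")


if __name__ == "__main__":
    main(sys.argv)
```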
Musk wants Twitter to be a super app.
https://www.theverge.com/2023/7/26/23808796/elon-musks-x-eve...
He also wants you to pay for the privilege of having your personal data including picture and ID sent to an Israeli spook front company: https://www.aljazeera.com/news/2023/8/21/x-blue-users-will-n...
Big whoop. Consent is paramount and the assumption here that apple and you have aligned interest is pretty darn weak argument.
The only thing of note here is that apple don't want you do know about it, which kind of circles back to aligned interests...
So Apple decides which companies should have your location data? Niiiice
Facebook is a SuperApp. It had a WiFi-hotspot-finder in it for years.
TL;DR: Apps can access the nearby Wi-Fi hotspot SSID and MAC addresses through an API that is intended to help with connecting to hotspots. Then they can use this info to look up in databases that collect SSIDs based on their locations.
Seems like a valid concern, though the author's writing style can be off-putting since it has a tone with an agenda.
However, AFAIK apps need to declare the use of this API and have a good reason for it (you fill out a form explaining why you need it and Apple has to agree to grant you the privilege). So, most likely your flashlight app is not tracking you.
I'm sorry you don't like it but that's the truth, the author left out crucial details to make it juicier.
i wouldn't be worried about my flashlight app tracking me, i'd be worried about the large players who probably GET the use of this API, google facebook etc etc.
As I said, it's a valid concern. However the author forgot to mention that you need to apply and get approved to use this API. I find it dishonest and alarmist.
Here's the request form that you fill out for it: https://developer.apple.com/contact/request/hotspot-helper/
However the author forgot to mention that you need to apply and get approved to use this API.
And? How is this any better? E.g. if I'm a dissident/etc. in China I would be much more concerned about government-affiliated large corporations being able to track my location than some random private developer (not that this specific API really matters that much if you're using those apps anyway).
I find it dishonest and alarmist.
I find it a magnitude or two less dishonest than Apple (a company supposedly focused on user privacy) not informing their users that this is happening and directly requesting their consent.
Your government can track you all the time you have your phone with you; they have authority over the infrastructure. They can also make device manufacturers track you for them, and later you will be a single-digit increase in their transparency stats.
If you don't want the government to track you, you will have to do much better than using mainstream consumer devices. Apple is not your spycraft supplier.
You would also have to not use a phone in general, since your carrier always knows where you are, by the nature of how cellular networks work. Your phone has a unique hardware identifier that is linked to your identity, and every tower knows which phones pinged it recently. Two towers are two points in a triangle, and you're the third.
Carriers constantly perform triangulation and keep records of phones' coordinates, which of course can be subpoenaed, and may be available more freely to government agencies, depending on how much abusive surveillance your local government does. Carriers have also sold this information to data brokers in the past.
I would absolutely be concerned about a flashlight app doing all the nefarious things. A flashlight app? Today? Still? Really? It's one of those apps that's absolutely useless since the OS provides this feature natively now. It is absolutely the type of app I would assume has no reason other than harvesting data.
You're conflating "utility to user" with "utility to developer". A flashlight app has no utility to the user, it doesn't really matter to me that it's useful to its developer (for collecting my personal data).
I'm not conflating anything. You didn't comprehend what I wrote.
If that app has ads then your info is being sent to advertisers.
Why would a flashlight app even need your location?
Except that there are data collection SDK companies where you can get paid as a developer in exchange for installing an SDK that will send customer data to the company. It's one way to monetize an app a little bit more.
TL;DR: Apps can access the nearby Wi-Fi hotspot SSID and MAC addresses through an API that is intended to help with connecting to hotspots. Then they can use this info to look up in databases that collect SSIDs based on their locations.
This is the whole story. Thank you for writing it, and sorry that you're getting downvoted for it.
I'm sorry you don't like it but that's the truth, the author left out crucial details to make it juicier
I wish there was a way to know when people had downvoted with "this is true but I don't like that it's true".
I wish too. I hate it when I don't know why I'm downvoted.
I did not downvote you, but I did react a bit negatively to the comment about the language (we know it is ChatGPT, at least in part) of the article. I was curious about the prompting, so I used a regular translator to get a feel of the original article, and I feel the original language seems OK (if my translators are half decent). I also reacted negatively to the last sentence in your comment, because to me, it felt like a truth-declaration based on an assumption (the author deliberately did not include...) - however, after translating the original and not being able to find anything about it there, either, I agree your assumption might very well be the truth, but this would still be intention-guessing, and that put me off a tiny bit. (If you read Chinese, all this would be an unfair assumption on my part, and I apologise :)
I would never downvote for such things, personally. I found your TL;DR to be too good (including more information as well as replaying the main points of the article is great value, thank you!) to care about the small stuff mentioned above. But you seemed to want to understand why some have downvoted, and as I got a bit of negative reaction from the parts mentioned, I thought I could explain my feelings about them, in the hopes this might actually be useful for you.
Thanks for this detailed feedback!
That's the only thing about getting downvoted here that irritates me -- I rarely know why people are downvoting. Sometimes I can infer why, but most often it's just a complete mystery.
Knowing why the downvotes are happening could be a useful signal to help me improve commenting in the future. Not knowing why just makes the downvotes informationless noise.
Sure, entitlements need approval from Apple. But clearly, apps are able to get it for undisclosed reasons and use it for tracking. Obviously, this goes against Apple’s guidelines and should be dealt with swiftly, especially now that it is public knowledge.
off-putting since it has a tone with an agenda
completely agree, I read 2 sentences and closed it.
Those crucial details don't really seem to make it much better to me.
One should realize that what they call ‘track user locations’ is actually ‘get a list of visible SSIDs’.
Should be behind a permissions check, but not the end of the world.
"Get a list of visible SSIDs" is exactly how phones derive your location. There's little distinction between seeing SSIDs and seeing GPS coordinates for 99.9% of the population.
Back in the real world SSIDs are a very coarse and not very reliable way of locating devices. You are exaggerating.
Visibility of multiple networks can be used to refine the position.
GPS takes time to acquire and isn't always available indoors. SSID method is quicker, and it's most likely the method your phone uses to get the position first.
As you say, it’s a method to get a coarse location and then refined using GPS which by the way does not really take time to acquire once you have downloaded the almanac and have the coarse location.
So this ‘allows applications to track location’ actually allows applications to track coarse location which then does not allow them to refine using GPS.
Not an exaggeration—Apple’s primary “location services” API, used on iOS/macOS, is just a lookup table for wireless APs’ MAC addresses. [1]
WiFi scanning is much less power intensive than GPS, much more reliable indoors, and often (in dense areas) more accurate even outdoors. iirc the iPhone only connects to “real” GPS in specific situations, such as when visible wifi signals are insufficient (e.g. highway driving).
[1]: https://www.appelsiini.net/2017/reverse-engineering-location...
It gives enough details that Android used to require apps to obtain ACCESS_FINE_LOCATION permission in order to get that information before splitting it off into its own permission. https://developer.android.com/develop/connectivity/wifi/wifi...
In 2012 or so I was able to do turn by turn navigation pretty reliably on an ipod touch that did not have any gps capabilities. I think you'll find coarse location is a little more specific than you give it credit for.
Can you please make your substantive points without swipes? (like "Back in the real world", "you are exaggerating", "no you're fantasizing" - https://news.ycombinator.com/item?id=38710396, and so on). This kind of thing is against HN's rules and also spoils the substantive points you're trying to make. If you'd make your substantive points thoughtfully instead, we'd appreciate it.
I built a small app on an ESP (where SSID scanning is bread and butter). It would track my location to within a few yards. The downside is it needs multiple SSIDs to do that, so not so useful outside an urban environment.
Visible SSIDs are absolutely used to fingerprint location.
At least in the early days, every iPhone maintained a local lookup table between ssids and gps coordinates in a SQLite database.
https://www.networkworld.com/article/752872/security-apple-o...
That doesn’t mean seeing an SSID means you are at exactly that location.
If you are in a city you see 50 SSIDs at any given moment. Are you at those 50 locations at the same time? No. Is there a way to triangulate where you are exactly? No, it's unreliable and not an exact science.
Is there a way to triangulate where you are exactly? No
The phone knows the signal strength of each ssid. Why can't it triangulate where it is?
It can and does.
you're all over these comments trying to convince everyone that SSIDs can't be used to determine location, yet you don't know how triangulation works?
are you trolling?
One should realize that what they call ‘track user locations’ is actually ‘receive GPS radio signals’.
Should be behind a permissions check, but not the end of the world.
lol
It’s the same thing. Listing visible SSIDs and comparing them to very comprehensive databases is the whole way precise geolocation works in many devices, like MacBooks. I think even phone navigation has GPS much less precise than you see on screen, and the extra precision is gained with this technique. Making this technique really work is a large part of the reason Google drove or walked every street in the world with their recording gig.
Reading through the linked docs, this API seems to specifically be for apps created by owners of WiFi hotspots to help users connect to those hotspots (https://developer.apple.com/documentation/networkextension/h...).
NEHotspotHelper allows your app to participate in the process of authenticating with hotspot networks, that is, Wi-Fi networks where the user must interact with the network to gain access to the wider Internet.
NEHotspotHelper is only useful for hotspot integration. There are both technical and business restrictions that prevent it from being used for other tasks, such as accessory integration or Wi-Fi based location. Before using NEHotspotHelper, you must first be granted a special entitlement (com.apple.developer.networking.HotspotHelper) by Apple.
Which makes sense, but then why exactly are apps like WeChat and Alipay granted this entitlement?
I don't know about Alipay, but afaict WeChat needs this feature for WeChat Wifi, which lets users connect to internet hotspots from their WeChat accounts https://mp.weixin.qq.com/s?__biz=MzI1NjA0NzQzOQ==&mid=265026...
The complexities and capabilities in the Chinese (well, most of Asia) mobile market are remarkable.
I always find it funny when people boast about how great certain things are in the US without ever having traveled to HK, Singapore, Tokyo, Beijing etc...
Most people don't realize just how entangled mobile life is in Asia, way more than in the US.
I think I'm missing some context: ex. there's O(many) apps that offer hotspot connections in the US as well. And my understanding is there's a privacy concern, which I think would be exacerbated by a super-app like WeChat adding this.
What's the great certain things of all that?
Centralized superapps seem incredibly dangerous to privacy, given that the limited mobile privacy models are designed around per-app permissions.
1. Create app that does 1 thing
2. Add more features to app
3. Abuse superset of permissions
4. Gov leans on app owner
5. Gov abuses superset of permissions
I’m sure that’s valid but I’ve worked for mobile app companies and can guarantee features like this are added just to get the entitlement.
Ah now I see - to get all the entitlements they create a super-app that happens to use those things.
Then they can spy on us for our main use case
Because the Chinese market is too important. For wechat you can maybe argue that it's a "super app" and probably also can be used to connect to wifi hotspots, but for alipay I fail to come up with an explanation..
Alipay is also pretty much an everything app (it also has its own ecosystem of mini-apps built on Alipay's platform). Except for the social aspect, it's nearly interchangeable with WeChat.
Ah I see. It's been a while, thanks to the pandemic, since I've been there, and even then I preferred just using WeChat so I don't have to deal with even more stuff. At least for regular payment almost all places accepted both options.
The sensible move would really be to break up these "everything" apps. Sure WeChat may have a wifi service, but if it is being used by 0.01% of the user base then why is everyone else forced to approve the permissions? Creating a separate "WeChat Wifi Connector" takes zero extra effort on their part.
You don't have to break up the app, just require user opt in to enable the feature for the app.
Even if only genuine hotspot apps got the entitlement, it is not a user-friendly, privacy-first design. Such API use should trigger a user-visible permission dialog before apps get background-notified, the user should be able to select one of "allow once, allow while using, allow in background, never", and the app activity should show up in app privacy reports.
API seems to specifically be for apps created by owners of WiFi hotspots to help users connect to those hotspots.
VPN apps also seem to use it: https://github.com/pia-foss/mobile-ios/blob/4618b55161ec5b8b...
It's a more basic question to me: why do these apps need a special entitlement? Couldn't they ask users for permissions like any other app, presumably with a good reason to go along with it since location is needed for some features?
I thought users were prompted to give permission for this already? I get asked if I want to give “local network” access to apps sometimes (a lot these days actually), which I take to mean the ability to see local WiFi hotspots. I almost always deny this (and after reading this just turned it off for Spotify). I think the dialog that asks for permission could be improved, though, as most people don’t realize this can be used to deduce their location.
That’s for sending and receiving local network traffic, eg. talking to devices on the same subnet, and discovery of Chromecast and similar targets.
Edit: AirPlay does not require this permission.
You’d think that AirPlay would be abstracted away by an OS API that does the local network discovery itself.
In my experience, it is. My podcast app of choice doesn’t have that permission (I don’t even think it asked for it), but it has the ability to bring up the system audio output selector widget and do AirPlay.
If anything, I usually see this for apps that want to do playback via Chromecast/Miracast. The well-behaved apps wait until the user interacts with Chromecast output, the iffier ones ask on first launch.
AVRouting in iOS 16 allows for Media Device Discovery Extensions, which allow a proper Chromecast or similar app to provide media streaming in the same interface as AirPlay.
So far there doesn't seem to be any traction by Google to migrate to this.
I don't believe it is necessary for airplay, but probably is for Chromecast, Sonos, and many devices to establish ad-hoc connectivity for setup and operation.
I take this popup to mean that they want to fingerprint and locate my home network or backdoor it somehow. I ALWAYS deny this access unless the app specifically requires it, and that is rare.
WiFi-based geolocation should be a well-known privacy threat by now. The popup should really communicate that better and provide tighter controls.
I take it to mean that it will scan my lan (plus tailnet?) for services. Like a Hue bridge or a Sonos speaker or a Chromecast etc.
As a developer, the annoying thing about the "Local Network" permission is that:
1) It's poorly implemented. Unlike other permissions, there's no way to explicitly trigger the prompt. It just pops up at Apple's discretion. There's no way to give it a "soft landing" for cases where it's necessary for core app features. And there's no way to check if the permission has been granted or not.
2) More importantly: Apple's own apps don't trigger this warning, which makes the playing field unfair. AirPlay etc. work seamlessly, whereas any competitor's tech doesn't. And as a developer, since you can't tell if this permission has been granted or not, you're left with a poor user experience.
I'm particularly fed up with (2). If Apple is going to introduce restrictions, they need to apply to their own apps as well. AirPlay and AirDrop need to each ask for Bluetooth and local network access. The Photos app needs to trigger the "Select photos, Allow All, Deny" prompt on launch. The Camera app shouldn't be able to write to the photo library without triggering the same prompt too.
That gives them an incentive to design the user experience around these restrictions well, and maybe be more creative with how to solve for this too rather than confusing dialogs.
Currently they have a disincentive to design this stuff well. Any iOS developer that's had to work with these APIs knows that they are designed absolutely awfully with arbitrary and unexpected limitations.
Whenever location data collection comes up, I always think about that Seinfeld episode where Kramer is receiving misdialed MovieFone calls -- at first he just talks to the person and reads the movie times out of the newspaper. Very helpful.
Eventually, he starts emulating the phone menus, asking the caller "Using your touch-tone keypad, please enter the first three letters of the movie title, now."
When this doesn't work, he blurts out "Why don't you just tell me the movie you want to see???"
Why in the holy hell do app developers who are trying to provide some kind of location-specific data not just ASK YOU WHERE YOU ARE? "I'm in Los Angeles" would suffice 99% of the time. If you go to Idaho, and care enough, change your location in that app -- now you get local bulletins about russet potatoes instead of encampment fires.
This is a rhetorical question, no need to answer it, just screaming into the void.
You want to change your location in every app manually, even when your device has a GPS receiver installed?
A happy medium would be if as part of the location-granting prompt, you could tell the OS "just give a city-level fix— this app doesn't need to know exactly where I am".
It'd make for a useful additional option, as long as the app doesn't know it's happening. There are already ways to spoof GPS location, as many pokemon go players know.
iOS already has an option to give a very loose fix to an app.
As someone who keeps GPS off, absolutely.
Not that I think I can trust the phone actually disabled the GPS, but there is no reason my movements need to be tracked and recorded in detail. Make them go through the effort and pull up all the cellphone towers I ping.
Day to day, there is a very good chance I am still in my home city as first configured.
Since Android 12, there is the option to choose between providing "precise" and "approximate" location data to an app. I have found it quite nice, even if it sometimes breaks a random app if a developer hasn't planned to use it.
https://www.howtogeek.com/763227/what-are-precise-and-approx...
I know you said not to answer, but for everyone else, apps can already do this using the OS's native permission controls, as of iOS 13 with the "Allow Once" option and as of Android 11 with the "Only this time" option.
My iPhone asks if I want to allow an app to access the Local Network. I assume that this
1) means that Apple does cover this situation and
2) my opinion that the phrasing "Apple allows applications to track user locations without authorization" is contemptible
are both true.
I'm sure giant pan-national ultracorp apple appreciates your defense of them.
Could you please not post unsubstantive comments and/or flamebait? It's not what this site is for, and you can make your substantive points without it.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
That's a different permission. My understanding is it is not necessary to read WiFi details, which just needs an entitlement from Apple and no user prompt.
Pretty sure that's a different thing just to prevent tcp/ip connections to other devices on your local subnet after you have already joined a wifi.
Which popular apps use that? Is it possible to check this?
Like most here, I don’t have Wechat or Alipay installed. But I’m interested in e.g. Instagram, Facebook, Whatsapp, Twitter, Tiktok, Snapchat, Chrome, Firefox, Photoshop, Lightroom, etc.
I know I sound like a broken record but I really do think app stores owe us the ability to see, in advance, what permissions an app will request.
I shouldn’t have to download and install the app just to see what kind of behaviors it is going to attempt.
The app stores know this information and it would be trivially easy to present it in the details of the app prior to downloading.
In the Play store it is possible to see what permissions are required and data is collected.
I wonder if it is possible, as an Apple developer, to query "permissions requested" via some other channel ?
I don't know anything about the ways Apple developers interface with the app store to submit or update or index their apps ... is it through xcode ?
I wonder if there is some function in that toolchain that actually does what I am proposing ...
Yeah, this should absolutely be standard.
Docs: https://developer.apple.com/documentation/technotes/tn3111-i... I’d guess a review would stop the smaller spam apps, but not the big players, as noted by the author and other commenters.
Thanks. The docs confirm that an entitlement is required to call this API — still does not make clear to me whether the presence of the entitlement brings up a prompt allowing the user to deny the use of the API.
If it does, it would be for network, not location. Per the rules, this isn’t a location api, except it actually is.
Iirc Android has always asked for location to enable Bluetooth, I wonder if there are similar apis there?
Yeah, Apple may want to rethink Network != Location.
There is a setting to allow location for the "Networking and Wireless" system service. I wonder if disabling that would prevent this from working?
This is one of the major problems with completely locked-down platforms. Assurances that the owner of the platform respects your privacy and prevents others from violating it are really just a pinky promise.
I think the perspective can be incorrect. No one expects Apple to get it perfect. Computing platforms are legitimately hard to secure, especially when you’re talking about privacy which is a lot more amorphously defined culturally vs typical CS security which is defined as subverting technical access controls.
The key question is whether Apple will play a curator role in trying to rein in the ecosystem. They have in the past (e.g. Uber was doing shady shit and there was a game of chicken to get them to stop). Of course Alipay and WeChat may be harder, especially given how China is such a huge market for Apple and critical to their success now. It’ll be interesting to see how Apple adjusts to this over the next few years.
Open platforms also have this problem and also operate on pinky promises (perhaps even worse), so I’m not sure of the point you’re trying to make unless it’s that “well, if this problem isn’t solved I’d rather have an open platform”. The problem with that argument is that there are many issues and this is only one failure case which may be addressed in the future, whereas open platforms have this one and many more that are unaddressed.
Open platforms can be reviewed and fixed more easily and faster
They're not tracking locations because they're not using GPS.
They are checking the environment for stuff that might have known locations, which is different. You can do the same with bluetooth/BLE.
This is a distinction without a difference.
The user must be in control of whether their location is disclosed to an app.
You can do the same with bluetooth/BLE.
Not anymore you can't. Sometime before 2020 Apple, and also Google, started treating BLE scanning as an operation needing location permissions. (I had to deal with this transition while submitting an iOS app that connected to a BLE device which actually had a GPS module in it.)
As of now, I still have to turn on location on my android phone to connect to some BLE devices.
How is it any different from an app that makes a request to their services API, thereby getting an IP address which in itself can be used to get location information?
There is always a vector for abuse, and I think Apple has taken large steps to reduce that. I find this story a bit of a non-event.
There’s a huge difference!
Wi-Fi positioning is usually accurate within a few meters; my IP is frequently on the other side of the globe (when using a VPN or just roaming globally).
IP gives you a rough location (like which city at best), SSID/BSSID can give you street/building level accuracy if it's in a database like https://wigle.net
Considering the scale of these apps, I'm guessing they have internal wifi<->location databases with fairly great accuracy.
Whether the user is aware and opt _in_ is the issue, right? But all of the network signals that are triggered by web applications, phone apps, OS, isn't it almost always possible to get SOME information about a user's geo location?
There's a theory that Silk Road's Ross Ulbricht leaked his location via a Captcha on a website, despite actively covering his tracks.
I think Bitcoin's Satoshi is/was an Australian bloke living in Japan because of his wording + timestamp on posts.
I was able to send a friend a little hello message via a Facebook ad by hyper targeting them (before fb disallowed that), which also confirmed their location.
> There's a theory that Silk Road's Ross Ulbricht leaked his location via a Captcha on a website, despite actively covering his tracks.
How?
Assuming this is actually the case, probably a lot of heuristics that got "close enough" to his actual location.
We've heard complaints that this title is overstated, and I'd be happy to replace it with a better (i.e. more accurate and neutral) one, if anyone has a suggestion?
"iOS apps can track a user via SSID scan with a special entitlement"
I think that best describes it? Not sure but I agree the title as-is doesn't really ring true after reading the article.
My most blocked domain in NextDNS (which runs on all my devices) is metrics.icloud.com. books-analytics-events.apple.com is in the top 5 as well.
Hmm … I don’t see that in my NextDNS logs. Is that a custom block you put into place, or are you using a different filter list than I am?
I thought local network access and WiFi details also required location services access for this reason.
Apple sometimes provides a prompt for letting photos be shown. Seems like sometimes they expose all your photos to application without asking.
Seems worse to give your users a false sense of security.
If you care about this, the best thing you can do to get Apple’s attention is to fill out the form at this site: https://www.apple.com/contact/feedback/ and select “product feedback.”
Doing so was instrumental to persuading Apple a few years ago to add an option “allow only once” when apps asked for permission to access the user’s current location.
An app that needs it will get it one way or another; it's just not easy.
Now I'm curious - which other apps have this entitlement? Is there a way for me to find out which apps on my phone have this entitlement?
Apple is evil
> Credit: This article was written with the assistance of ChatGPT for the purpose of refining my English writing.
I appreciated this disclosure. The English was still a bit clunky - but it was a great use of the technology to open up the article to a wider audience. It felt sincere to me.
This three-class developer system on iOS is ridiculous. There's the normal developer who can do little more on iOS than you could also do with a web app. There's the "blessed" developer with special entitlements that lets them violate the privacy of their users in new and fun ways and also provide features nobody else can, so the normal developers can't compete with their app. And then there's Apple, and for their apps, the restrictions everyone else has to deal with are little more than suggestions. Wouldn't want third party apps to compete with Apple's on their own platform.
If there's a legitimate use for these entitlements, everyone should be able to use them. And the ultimate choice for what an App should and shouldn't be able to do should be in the users' hands. But Apple needs to protect their shareholders from this horrid vision of the future.
That’s not really any consolation, since (according to the article) Apple has granted that entitlement to WeChat and Alipay.
Yes, these are “super-apps” and Wi-Fi hotspot services are probably part of their offerings, but that’s just more reason this should be a user-grantable permission like “local network access”. If I don’t care for the hotspot feature, I don’t want the app to have that capability.
Certain apps have always gotten special treatment. If it’s big enough to mess with phone sales they’re allowed nonsense a normal dev would be permanently banned for.
Ex: all the stuff FB has been caught doing over the years
My understanding (no first hand experience) is that WeChat and Alipay are basically required in China. If a phone doesn’t have them, it’s worthless and won’t sell.
So naturally they too can do nonsense that would get the rest of us booted to space.
Why does apple get to decide which app gets automatic access to my private data, on my device, without needing to ask me?
Because this is how all operating systems work.
If Microsoft wanted to give special apps access to your private data without asking, then that is exactly what would happen.
The same thing is true in Linux, other than we'd expect that the open source nature would have users going "Yo, WTF"
That's like saying "because that's how locks work, the company who sold you the lock can just come open your door".
This is exactly correct, though you don't want to admit it's the case it seems.
I mean, we just allowed car manufacturers to pump as much contact data and location data as they can off your phones and sell it to whomever they'd like, risk free and legally.
We have laws against physical trespassing, but when it comes to 'data' trespassing on applications that you install or come with your phone we're still in the wild west.
I think you're both right. The misunderstanding here is a difference between is and ought. pixl97 is describing the current state of things, not saying they ought to be this way (please correct me if I'm wrong). stavros is describing the way things ought to be.
Yes, exactly. It is that way, but it should be illegal to do that.
> and sell it to whomever they'd like
Is there any evidence that car manufacturers are harvesting data from drivers' phones and selling it without consent?
Android requires the app to ask the user's permission to read WAP identification details. Previously, the app had to ask for location permission, and now there is a special permission just for this. https://developer.android.com/develop/connectivity/wifi/wifi...
Does your employer have a donation matching program?
It’s a great time of year to donate to the EFF.
It's so hard to prioritize non-profits these days. EFF is huge and super relevant, but so are aid programs to Ukraine or I/P, and reproductive health orgs. There's a lot going on I want to contribute to.
I wonder if there is a service to automate small (or large) donations to multiple organizations on a regular basis similar to an investment service?
Edit: I can only find services marketed towards the nonprofit, not for the donor. A service that aggregated and automated all the nonprofits I want to regularly donate small amounts to would be great. I think it would be important to not require the nonprofits' direct involvement, in order to allow me to donate as diversely as I want.
Benevity is a company that basically administers company matching donations.
Database of approved nonprofits, can set up arbitrary amounts as recurring payments, and automatic matching if you do the donations through their site.
It’s not quite “I got $500 this month to give back, scatter it amongst my chosen charities” but you could definitely use a service like that to set up baseline donations.
I don’t do scheduled donations; prefer to spool it up and make a splash when employer offers 2:1 match. Don’t think I’ve seen that in all of ‘23, though, so settling for 1:1 now.
Thank you for this. I realize this suggestion fits the context of the thread, but I am currently self employed so I would love another suggestion that isn’t necessarily geared toward integrating with employer match programs.
I’m with you on all those.
I just did my end of year matching gift donating through the portal at work.
I guess I left out Ukraine, which needs fixing. But did get FSF, EFF, the regional food bank, and a niche human rights org.
Let me tell you, causing my employer to donate to the EFF in particular is always one of the high points of my year. Even better when there’s 2:1 matching, which they seem to not offer this year (I dig deep in my own pocket when they do have that because, hey, 2:1!). It’s hilarious and oh so satisfying.
I donate to NOYB, but I second your sentiment.
FWIW I used WeChat a few years ago and at that point it definitely asked for local network access (which is what this article is about; a mechanism for collecting SSIDs which can then later be correlated to locations).
If there is an entitlement, it is as yet unclear whether it means a consent dialog/privacy toggle or not. IIRC an entitlement only means you can ask for this sort of access, not get it automatically, but I may be wrong (I’ve never gotten far in iOS dev).
We can argue that this feature is misnamed, regular users will not understand what it is and would not be giving informed consent, and I can get behind that, but “automatic access to my private data on my device” looks like jumping to conclusions.
Hm, I assume any app can ask for whatever it wants, but that's just an assumption. I don't know if app developers need to apply to be able to request permissions, but I don't own an iPhone.
I was remembering when trying out iOS development years back that entitlements were needed for many things and the ones I tried involved a consent screen.
From looking at https://developer.apple.com/documentation/bundleresources/en... I would say there are many more entitlements than consent screens, the phrasing suggests there is no 1:1 mapping between them and is not clear on whether they reliably come with consent screens (I suspect not).
It is very unfortunate that there is little clarity on that in the docs, and that entitlements are not exposed anywhere in the GUI. Sure, they are too technical, but they could at least be shown in some advanced info pane. I am seriously considering if I can dejail an old iPhone and perhaps inspect some big name apps for what they have been entitled to.
Certain things require permission from Apple to be able to even use. The API in question here is one of them.
Other things are just available to any developer but have to have a user prompt, for example saving to the photo library.
Is that what "local network access" means? I thought that was for controlling network connections to LAN ips and/or to send multicast packets (eg. mdns).
It is different from continuously getting a list of all SSIDs within your Wi-Fi range, even those you never connected to. This is what allows shady apps to infer location (this, and massive databases of SSIDs matched to coordinates).
What you described is also a feature of WireGuard iOS, and it needed no permission.
Because you bought a closed-source device by which you surrendered your privacy to whatever the source-controlling company wants.
Quite a few apps run tests to find out if they're running on a rooted device, and refuse to continue if they are.
Dunno if these apps do that or not, but I can easily imagine that using them is a Hobson's Choice even in OSS utopia: take the horse offered (app with tracking) or don't have a horse.
There is no Hobson's choice in OSS utopia, as the outcome of "app with tracking offered only" is "fork app - tracking".
You can sit there and stew over the gall of those people to do it, but if you piss them off enough, it will happen.
Probably because you asked them for permission to use their phone and software.
They clearly purchased the phone, therefore it's not "their" (Apple's)
If every big app had to interrupt users to ask for simple things like performing HTTP calls, usability would take a little hit; the nice "UX flow" of Apple is a major selling point, so a very small percentage would buy Android phones.
Determining my house or even room level location is not at all equivalent to making an HTTP call.
And Apple does generally prompt for location permissions, as does Google on Android.
You buy Apple hardware, which is a pretty strong signal that you trust Apple.
I've asked similar questions before and am usually told that this is how Apple does things and it's what makes their users happy. It's in fact why they love and choose Apple. They trust Apple to make the right decisions, and this is in fact a big part of the value add of their products. This is much related to the walled garden approach. For example, ask about why sideloading should remain not an option at all, rather than something like Android where you can enable it if you want to but "Grandma" isn't going to accidentally do it. Apple users actively don't want that capability. It doesn't make sense to me, but that's because "I'm not their target market."
Because there's no rule saying they can't.
I think.
Legal advice about what is and isn't legal under GDPR (and equivalents) varies a lot.
No app gets special treatment for any of the user-grantable permissions like location, Bluetooth, local network access, contacts, photos...
What makes this any different? It really seems more like an oversight than a conscious decision, similarly to how (I believe) both iOS and Android have retroactively had to bucket some of the Bluetooth LE permissions into "location", since that's what you can effectively do with them.
Giving the world’s most valuable corporation the benefit of the doubt.
This is an interesting worldview to have in 2023.
It’s a pretty obscure API, and Apple has a strong interest in at least being perceived as pro user privacy.
And assuming for a second this is indeed an intentional backdoor in plain sight of the world: What’s in it for Apple?
Hanlon’s razor still cuts in 2023, at least for me.
Perceived is doing a lot of lifting there. The public largely cannot audit Apple's ACTUAL security.
What’s your basis for saying that Apple doesn’t provide special treatment to apps? I’ve directly experienced both of their special and their non public (phone calls only, refusal to communicate over email) processes.
I’m not claiming that at all in general, but I do believe it’s true when it comes to user-grantable permissions. Or do you have evidence to the contrary?
It could be. But the fact it’s behind a special permission you have to request from Apple tells me they likely think it’s secure enough.
See also McDonald’s being allowed to gate app functionality behind background location access
That’s adjudication of “soft” rules around permission optionality, which is a big problem, but nothing that lets apps bypass permissions outright.
That doesn’t excuse anything! This is not “oh poor small time devs”, this is paying customers being lied to by Apple.
Interesting that cutting monetary deals was a problem for Google, but special access APIs are fine.
Chinese state supported spyware spies on you? I'm shocked!
Lately I've witnessed a number of apps asking for Local Network permission ("Foo would like to find and connect to devices on your local network") when they have no business doing so in any possible way that I can think of.
Many do this if they play video, mostly to enable Chromecast.
Chromecast. There is no OS-level service for it to introspect the network looking for screens to cast to, so each app has to drop in an SDK, which then has to have permission to search the local network looking for screens.
This was improved in recent iOS, but I never count on Google updating their SDKs to take advantage of iOS features on any sort of schedule. Even when they do, it will require third party apps to individually update as well.
So only the big apps can spy on you? The poster is Chinese so he cares about those 2, but how about facebook and google?
Spyware can be hidden in every piece of closed software, hardware, firmware with access to communications, so unless someone makes a 100% open device, from the first bit to the last screw, there's no 100% guarantee to be free from spyware.
But if Facebook/Instagram/Messenger (or Alipay / WeChat as mentioned in the article) has this entitlement and does fishy stuff, I guess this can actually be a large privacy issue?
Does Apple do any analysis of entitlement usage and withdraw them when abused? A similar thing I remember is the Facebook VPN "scandal" where I think Apple withdrew the Facebook enterprise signing certificate?
What do entitlements have to do with not asking for user permission though? Seems like separate issues.
Most entitlements though trigger a privacy prompt to allow the user to disable the functionality. Without writing a test app, I don't know that this is the case with this entitlement.
I think it should ask the user's permission.
Keep in mind that in a corporate context, not asking the user for permission or explaining what/why you are doing something is the (sociopathic imo, but nevertheless) norm. To the degree you do disclose something like that it is inevitably hidden away or obfuscated by being put somewhere in the UX that no one ever really goes.
Like seriously. I had the argument before;
Architect: we're going to fingerprint users.
Me: are you going to disclose that?
Architect: Of course not.
Me: It's their device. You should ask.
Architect: That defeats the point.
Me: You either don't understand property rights, or clearly have issues with the concept of consent.
The entire IT space has been decades of building while eliding the fact these experiences are fundamentally being driven on someone else's hardware.
But that's just the world we live in I suppose.
Is that better or worse? "Don't worry you or I cannot exploit this, only large corporations and data aggregators can."
That’s almost worse that it’s kind of a side door to the users rights. That’s generally only available to groups with the resources or know how to get it.
I understand it’s not ubiquitous.
Well as long as it is just Apple that is deciding who can track me without my permission then that's okay I totally trust my corporate overlords for the wise and great Apple is incorruptible and without fault.