Security News > 2021 > March > Flaws in Apple Location Tracking System Could Lead to User Identification
Vulnerabilities identified in offline finding - Apple's proprietary crowd-sourced location tracking system - could be abused for user identification, researchers said in a report released this month.
With "Hundreds of millions" of devices part of Apple's OF network, this represents the largest crowd-sourced location tracking system in the world, one that is expected to grow even further, as support for non-Apple devices is added to it.
Apple claims anonymity of finders, says that device owners can't be tracked, and that location reports are confidential, but a group of academic researchers with the Technical University of Darmstadt, Germany, identified vulnerabilities that could potentially lead to user identification.
Overall, they say, the system delivers on its promise for security and privacy, but two design and implementation flaws could allow for location correlation attacks, as well as for unauthorized access to the past seven days' location history, thus essentially resulting in user deanonymization.
The researchers discovered a security flaw in the OF implementation on macOS, which could allow a malicious application to access the location of all owner devices, without consent, completely circumventing Apple's restricted location API. Furthermore, location history can be abused to generate profiles and identify users.
"The attack essentially allows any third-party application to bypass Apple's Core Location API that enforces user consent before an application can access the device's location. Moreover, the attacker can access the location history of the past seven days of all the owner's devices," the researchers explain.