Why iPhone users don't need to worry about a recently reported Apple Maps privacy bug
Earlier this month, when Apple released iOS 16.3, we told you that one of the security updates fixed by the update was one listed as CVE-2023-23503. The use of Common Vulnerabilities and Exposures (CVE) tracking numbers is that it helps the public more easily track vulnerabilities. This privacy bug was related to Apple Maps and if exploited, it could allow attackers to "bypass Privacy preferences."
Well that doesn't sound good, does it. But Apple told 9to5Mac today that this vulnerability was never a threat to iPhone users. The vulnerability that was patched in iOS 16.3 "could only be exploited from unsandboxed apps on macOS." So as Apple said in its statement, "The suggestion that this vulnerability could have allowed apps to circumvent user controls on iPhone is false."
Sandboxed apps are given their own "sandbox" that they can "play in" to prevent them from accessing files used by other apps or from making changes to a device. Since all third-party apps available for the iPhone in the App Store must be sandboxed, the only way to install the unsandboxed apps that could exploit the vulnerability would be to sideload apps on the iPhone which Apple does not allow.
The iOS 16.3 update killed off some software flaws
So if iPhone users weren't at risk, why did Apple include the fix in iOS 16.3? Because the codebase for macOS is shared by iOS, iPadOS, tvOS, and watchOS, Apple decided to include the fix in all of the updates it released last week.
Apple also shot down a report that we included in the previously discussed story that said an iOS app called iFood (which is one of the leading food delivery platforms in Brazil) exploited a vulnerability that allowed it to access "a user’s location in iOS 16.2 even when the user denied the app all location access." Apple said that a "follow-up investigation concluded that the app was not circumventing user controls through any mechanism."
So there you have it folks. Your iPhone handsets were never at risk, and Brazilians ordering food from the iFood app were not allowing attackers to get your location data. Perhaps you'll be able to sleep better tonight.
Things that are NOT allowed: