
> The Tim Hortons app asked for permission to access the mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data.

Why is this even technically possible? The iPhone app permission settings have three modes: “always”, “when in use”, and “off”. I assume the second setting only allows the app to collect data when the app is actually in use?

Does Android not distinguish between “always” and “when in use”?



As far as I can tell, this happened between 2017-2020, so things have changed a little bit. You’re correct in that the second setting only allows an app to query native location data from the OS when the app is open but:

1) I’m assuming that’s not the scope Tim Hortons asked for with their permission dialog (they lied about it, sure, by saying they would only use your location when you were using the app, but they presented the user with a prompt that granted them unfettered access). I’m guessing most users didn’t even notice, or aren’t aware of the consequences.

2) They relied on some sketchy third-party company called “radar,” and I’m sure they also use heuristics beyond location data to figure out where the users are.

I’d love to know if the changes Apple made with iOS 14.5 would have made this more difficult?

Anyway, this is disgusting and I wish there were serious, unavoidable repercussions.

(Disclosure: I only skimmed the actual report, I didn’t read the whole thing)



