Offline Finding allows you to locate Apple devices even if they aren’t connected to the internet. Apple has said the app protects user privacy, but reported security flaws in the software show anonymity is hard to come by on the internet. According to a recent paper published by researchers from the Technical University of Darmstadt in Germany, hackers could get unauthorized access to your location history for the past seven days and correlate it with your identity. “What this really shows us is that nothing is ever 100% secure, and even after Apple’s patches, attackers will eventually find new vulnerabilities to exploit,” Jason Glassberg, co-founder of cybersecurity firm Casaba Security, said in an email interview. “The bigger issue here is that user privacy can never be guaranteed, and people need to change their frame of mind from the idea of being ‘private’ to the reality of simply being ’less exploited.’”

Find and Identify

The Darmstadt team found that “the overall design achieves Apple’s specific goals” for privacy, but they discovered two vulnerabilities “that seem to be outside of Apple’s threat model” and could have severe consequences.  Experts say not to worry too much about these flaws, however.  “Although two security flaws were found in Apple’s Offline Finding feature, neither of them were particularly severe, and there have been no reported incidents of these vulnerabilities being exploited in the wild,” Paul Bischoff, a privacy expert for Comparitech, said in an email interview. “Apple has already patched the more severe of the two vulnerabilities, so iPhone owners should update their devices as soon as possible.” One flaw in the app would allow Apple to track users’ locations, which would go against its privacy policy, Bischoff said. “That being said, there’s no evidence suggesting Apple took advantage of this vulnerability, and the researchers didn’t say it could be exploited by a third-party attacker.” Another bug allowed an attacker to access location history stored on an iPhone, though they needed to infect an iPhone with malware first. While Apple may have patched this problem, the flaws in the “Find My” app spotlights how location data can reveal where someone lives and works. “For example, if a user has a specific mobile app for their car, a GPS stream might identify the trends of that user when they leave the office that could expose them to carjacking,” Mark Pittman, CEO of Blyncsy, a movement and data intelligence company, said in an email interview. “Similarly, if a user is sharing GPS from a dating app, it could be used by a predator to track and potentially assault a user.”

How to Protect Yourself

Suppose you’re concerned about your identity being exposed. In that case, you can opt-out of the “Find My” network in the Find My iPhone app settings, pointed out cybersecurity expert Chris Hazelton, director of security solutions at Lookout, in an email interview. “If they want to be doubly sure, users can turn off Bluetooth, which is used to connect to lost devices,” Hazelton said. “While it is difficult to stop your location from being tracked overall, one best practice is not to allow any app to track your location continuously.” The decision of whether to opt into the “Find My” service comes down to the user, Hazelton said. They need to decide if the benefits of location service outweigh the risks of sharing their location.  “For services like Find My iPhone,” he added, “most users who have lost their device will likely say yes.”