{"id":8809,"date":"2025-10-09T12:00:00","date_gmt":"2025-10-09T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8809"},"modified":"2026-06-14T19:51:18","modified_gmt":"2026-06-14T16:51:18","slug":"how-uber-seems-to-know-where-you-are-even-with-restricted-location-permissions","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2025\/10\/09\/how-uber-seems-to-know-where-you-are-even-with-restricted-location-permissions\/","title":{"rendered":"How Uber seems to know where you are \u2013 even with restricted location permissions"},"content":{"rendered":"<p>When you land at an airport, you may be greeted with a notification on your phone that reads:<\/p>\n<div>\n<blockquote>\n<p>\u201cWelcome to <em>[your location]<\/em> \u2013 Open the app to get directions to the Uber pick-up point.\u201d<\/p>\n<\/blockquote>\n<\/div>\n<p>For privacy-conscious users who only allow apps to access their location while the app is in use, this can feel unsettling. How could Uber know where you are if you restricted the app to access your location only while in use?<\/p>\n<p><img decoding=\"async\" alt=\"Figure 1. Uber notification iOS\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/10-25\/figure-1-1-2.png\" title=\"\" width=\"\"><\/p>\n<p>After seeing the message several times, I finally checked Uber\u2019s permissions, certain it was set to only \u201c<em>while using the app<\/em>\u201d on both my personal and business phone. And indeed, Uber\u2019s location access was set exactly as intended: \u201c<em>while using the app<\/em>\u201d.<\/p>\n<p>And yet, both devices displayed the same notification whenever I landed, and getting this permission wrong on two devices seemed highly unlikely. (As an aside, why there are other options beyond this one is baffling. Why do any car service or food apps need to know your location when you are not actively using them \u2013 other than to track you for commercial reasons?)<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 2. iOS location settings\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/10-25\/figure-2-1.png\" title=\"\" width=\"\"><\/figure>\n<p>The only other reason for what some might view as a privacy infringement could be a feature called \u201c<a href=\"https:\/\/discussions.apple.com\/thread\/254963561?sortBy=rank\">Background App Refresh<\/a>\u201d, which allows an app to run and update its content even when you\u2019re not using it. On the other hand, this would be against the principle of limiting location access to only while the app is in use, and it seems implausible that any app, especially on iOS, would be allowed to bypass such a fundamental privacy control.<\/p>\n<p>So, how does Uber (and perhaps other apps) know where you\u2019ve just landed?<\/p>\n<p>The answer lies in a feature called \u201c<a href=\"https:\/\/developer.apple.com\/documentation\/usernotifications\/unlocationnotificationtrigger\">UNLocationNotificationTrigger<\/a>\u201d that Apple provides to developers. This feature allows an app to fire a pre-configured notification when the device enters or exits a specified geographic region, such as an airport. That way, it effectively circumvents the intent behind the \u201c<em>while using the app<\/em>\u201d setting.<\/p>\n<p>So, to answer the question above directly: no, Uber or other apps don\u2019t know your location when you land. The notification is generated locally on your phone when it detects that you\u2019ve entered the pre-defined airport\u2019s geofenced area.<\/p>\n<p>On the other hand, the notification\u2019s wording is misleading: it makes it feel like Uber is actively tracking you and is offering guidance. In reality, it\u2019s only when you tap the notification and open the app that your device shares your location with the app.<\/p>\n<p>There are legitimate reasons for geofencing, of course. For example, a family safety app may notify parents when their child\u2019s device enters or exits a designated safe zone such as a school or home. Or to use another example, a smart-home app could remind you to switch off the lights when you leave the house.<\/p>\n<p>However, using the same mechanism for what can only be seen as advertising is, in my opinion, an overreach. In this instance, Uber is advertising its services as soon as I am within the boundaries of the airport. Imagine walking through a high street and having every retailer\u2019s app ping you to come inside, basically ignoring your decision to share your location only when you\u2019re using their app.<\/p>\n<p>It would seem sensible for Apple to tighten the rules around location-triggered notifications and restrict them to non-advertising purposes. This would ensure that the notifications are limited to functionality that serves the user and is not used for monetization purposes.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/privacy\/how-uber-seems-know-where-you-are-restricted-location-permissions\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is the ride-hailing app secretly tracking you? Not really, but this iOS feature may make it feel that way.<\/p>\n","protected":false},"author":5,"featured_media":8810,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[167],"tags":[],"class_list":["post-8809","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-privacy"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8809"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8809\/revisions"}],"predecessor-version":[{"id":9511,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8809\/revisions\/9511"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8810"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}