serious security issue with background app refresh (i5 - ios9.2)

No, we do understand what you are saying. However, you do not seem to fully grasp the functionality and its intent, and inexplicably seem to be incapable of getting past your own preconceived and erroneous assumptions.

"Background App Refresh" does not work the way you think, or wish, it does. Nor is it a "security issue". If you do not wish WhatsApp to do what it is designed to do, or do not like the way it functions, delete it. If you do not like the way Background Refresh works, off Apple feedback here. There is nothing more anyone on this forum can do for you since we prefer to stick to reality rather than telling you what you want to hear.

As much as we've been enjoying the ranting back and forth, even if we agreed that the problem is a security issue (which I along with the others do not, but the app performing as designed), changing it is beyond the capability of anyone on this forum. This is a user-to-user forum. Contact Apple about the issue by providing feedback at http://www.apple.com/feedback

vin12 wrote:

Just found out that my iphone 5 (ios 9.2) does not listen to background app refresh settings at phone level or individual app level.

In my case, "Whatsapp" application is able to bypass this setting (which is set to restrict at phone level or app level) but it is still able to download messages as long as the phone is attached to wifi

Please note: this is not a bug of whats app - it is a bug in with ios 9.2 - which I can confirm with my phone and tested.

I really hope apple engineers are aware of this and putting a fix through as early as possible.

Another downside of this is, it drains batter at least 30-40% more in a day!

Background App Refresh refers to the ability of an app to start background processes. However, apps can still respond to push notifications and process them, even if background app refresh is off. It isn't a bug at all; it is the way it is designed to work, and has always worked for 7 years.

It doesn't matter. Responding to push notifications is not background processing. It's always been a part of iOS for apps to take action on push notifications. An example of background processing is the Stocks app periodically updating stock prices when you are not using the app. And example of Push notifications is the mail app being notified that a new email has arrived and downloading it. If you don't want apps to process push notifications look for a setting in the app itself or in Settings/<app name>. If there isn't one then there is no way to turn if off. If you don't like the way the app works delete the app.

I also don't see why you consider accepting push notifications a security issue.

vin12 wrote:

IT is a "security issue" when a user does not want an application to access internet without your his/her permission.

How is it a security issue? How does it put your data at risk? Or put you in danger? I can see an argument for it possibly costing your more money if it uses your data more than you had intended. But, I don't consider that a security issue.

vin12 wrote:

If any 'content' is arriving on a device without the permission/consent of its user or owner - it is a security issue.

I'm not arguing, I'm trying to understand. Given that it's an app you installed on your phone, I'm still not sure I understand where the danger is. I'm politely asking for assistance understanding.

vin12 wrote:

Please understand the real issue.

The real issue is - there is an app that is bypassing the OS security features that are designed and built native to a device?

The real issue is: you do not seem to understand what "Background Refresh" and "Push/Pull" are. It is working as designed. It is NOT a bug or a security issue (and you still haven't explained why you think it is in spite of being asked several times).

What makes you think only data and app can causes security issues?

No where did Meg (or anyone else) make any sort of assertion. And certainly the functionality in question is not a "security issue".

vin12 wrote:

Do you need further press coverage to officially term it as a security issue?

Whether or not the behavior is as intended is not my question. My question is: how does this behavior represent a threat to your safety or the safety of your data? Until I understand the answer to that question, I can't say if I agree that it's a security issue. As it stands, I don't see any danger but I'm willing to be convinced otherwise by a cogent argument.

vin12 wrote:

No where did Meg (or anyone else) make any sort of assertion. And certainly the functionality in question is not a "security issue".

People does seem to have a problem understanding the issue (or may be my english?).

Maybe it is your English that none of us understand.

vin12 wrote:

Folks,

Forget Whatsapp & yours and mines definition of 'security' - just tell me something - I want an application to download data ONLY when I open it.

Is the above user requirement possible 'by design' in iOS 9.2?

If so - could anyone care to explain?

That would would depend on the specific app, and what it is designed to do. An such as WhatsApp or the built in Messages app has to maintain a connection via available means (WiFi or cellular) , otherwise it would have no way of receiving or knowing when you have a message (and would kind of defeat the purpose of the app). Other apps, a news service's app for example, would only connect when you open it if Background Refresh were turned off since it doesn't really need to reach out to anything except to pull in new articles. So the bottom line: some apps will do exactly what you are looking for when you turn off refresh. Others will not.