[Security] Location service continues watching position after permission is revoked at OS level #591

Description

@RUKAYAT-CODER

Overview

src/services/locationService.ts starts a position watcher via Location.watchPositionAsync but does not listen for permission change events. On iOS 14+ and Android, users can revoke location permission from Settings without restarting the app. The existing watcher continues running (silently failing or returning stale data) without cleaning up, and locationStore state may serve stale coordinates to components.

Specifications

Features:

  • Subscribe to Location.getPermissionsAsync polling or AppState change to detect revoke
  • On permission revoke detected: stop watcher, clear locationStore coordinates, set permissionGranted: false
  • Log permission revoke event to appLogger

Tasks:

  • In locationService.ts, add AppState 'active' listener that re-checks permission
  • If permission changed from granted to denied, call subscription.remove() on the watcher
  • Dispatch clearLocation() to locationStore
  • Add unit test mocking permission revoke mid-session

Impacted Files:

  • src/services/locationService.ts
  • src/store/slices/deviceStore.ts or location store

Acceptance Criteria

  • Position watcher stops within 5 seconds of permission being revoked
  • locationStore coordinates are cleared on revoke
  • No stale location data served after revoke
  • Unit test confirms watcher removal on permission change
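
One way to implement the tasks above, as an added example rather than the project's own code. The expo-location, AppState, store and logger calls are injected through a hypothetical `LocationDeps` interface (all names here are assumptions) so the revoke path can be unit-tested off-device. It goes slightly beyond the task list by dropping fixes that arrive after revoke and treating a failed permission check as a revoke.

```typescript
type Coords = { latitude: number; longitude: number };
type Subscription = { remove(): void };

// Hypothetical seams; in the app these would wrap the real modules.
interface LocationDeps {
  getPermission(): Promise<{ granted: boolean }>; // wraps Location.getPermissionsAsync
  watchPosition(onFix: (c: Coords) => void): Promise<Subscription>; // wraps Location.watchPositionAsync
  onAppActive(cb: () => void): Subscription; // fires when AppState becomes 'active'
  store: {
    setLocation(c: Coords): void;
    clearLocation(): void;
    setPermissionGranted(granted: boolean): void;
  };
  log(event: string): void; // appLogger
}

function createLocationService(deps: LocationDeps) {
  let watcher: Subscription | null = null;
  let granted = false;

  function revoke(): void {
    granted = false;
    watcher?.remove(); // stop the OS-level watcher
    watcher = null;
    deps.store.clearLocation(); // no stale coordinates for components
    deps.store.setPermissionGranted(false);
    deps.log("location_permission_revoked");
  }

  async function recheck(): Promise<void> {
    let nowGranted = false;
    try {
      nowGranted = (await deps.getPermission()).granted;
    } catch {
      nowGranted = false; // fail closed if the check itself errors
    }
    if (granted && !nowGranted) revoke(); // only the granted -> denied edge
  }

  async function start(): Promise<boolean> {
    granted = (await deps.getPermission()).granted;
    deps.store.setPermissionGranted(granted);
    if (!granted) return false;
    watcher = await deps.watchPosition((c) => {
      if (granted) deps.store.setLocation(c); // drop fixes delivered after revoke
    });
    return true;
  }

  // Returning from Settings makes the app 'active', so the re-check runs at once.
  const appState = deps.onAppActive(() => void recheck());
  function stop(): void { appState.remove(); watcher?.remove(); watcher = null; }
  return { start, recheck, stop };
}
```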

Metadata

Labels

  • Stellar Wave: Issues in the Stellar wave program
  • bug: Something isn't working
  • security: Security vulnerability or concern
