Researchers raise privacy concerns over location tracking in Apple's iOS 4
Security researchers have discovered that Apple's iOS 4 mobile operating system, found on both the iPhone and iPad, keeps a log of user's locations and saves the data to a hidden file on the device.
Peter Warden and Alasdair Allan revealed their findings on Wednesday, in which they discovered that both the iPhone and 3G iPad are "regularly recording the position" of the device and saving them in a hidden file. The data is restored through iTunes with backups, and even across device migrations.
The researchers have concluded that Apple's collection of the data is "intentional," and contacted the company's product security team in an effort to find out the company's reasoning. They did not receive a response.
"What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device," Allan wrote. "It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released."
Location data is stored to a file called "consolidated.db," which includes latitude and longitude coordinates and a timestamp. The researchers said that while the coordinates are not "always exact," they are "Pretty detailed."
"There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there's typically about a year's worth of information at this point," Allan wrote. "Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself."
The researchers have also made it clear there is no evidence to suggest that the data is being sent to anyone. They have provided a public tool that allows users to look at their own stored location data.
For now, users can encrypt their backups through iTunes. This can be accomplished by connecting an iPhone or 3G iPad to a Mac or PC, clicking on the device within iTunes, and then checking the "Encrypt iPhone Backup" setting in the "Options" area.
Peter Warden and Alasdair Allan revealed their findings on Wednesday, in which they discovered that both the iPhone and 3G iPad are "regularly recording the position" of the device and saving them in a hidden file. The data is restored through iTunes with backups, and even across device migrations.
The researchers have concluded that Apple's collection of the data is "intentional," and contacted the company's product security team in an effort to find out the company's reasoning. They did not receive a response.
"What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device," Allan wrote. "It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released."
Location data is stored to a file called "consolidated.db," which includes latitude and longitude coordinates and a timestamp. The researchers said that while the coordinates are not "always exact," they are "Pretty detailed."
"There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there's typically about a year's worth of information at this point," Allan wrote. "Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself."
The researchers have also made it clear there is no evidence to suggest that the data is being sent to anyone. They have provided a public tool that allows users to look at their own stored location data.
For now, users can encrypt their backups through iTunes. This can be accomplished by connecting an iPhone or 3G iPad to a Mac or PC, clicking on the device within iTunes, and then checking the "Encrypt iPhone Backup" setting in the "Options" area.
Comments
Security researchers have discovered that Apple's iOS 4 mobile operating system, found on both the iPhone and iPad, keeps a log of user's locations and saves the data to a hidden file on the device. ...
Cue the Android hate-fest/shit-storm in 3, 2, 1 ...
I can see why some people might not like this but it doesn't bother me. In fact it could be rather handy if one ever found themselves unjustly accused of a crime they didn't commit. Where were you on the night of the 22nd? I can't remember...let me consult my iPhone. Of course it would be rather trivial to hack the file in the case you were actually guilty. But whatever...
objection, circumstantial. the defendant could have left her phone at home while she was at the crime scene the night in question.
turning off location based services should turn off location based services, but this data comes from cell tower triangulation no matter what privacy you think you've set.
... turning off location based services should turn off location based services, but this data comes from cell tower triangulation no matter what privacy you think you've set.
There is no evidence yet that I'm aware of that this file is saved if you have turned off location services.
I see no evidence so far that this file contradicts *any* privacy settings you have on the device.
turning off location based services should turn off location based services, but this data comes from cell tower triangulation no matter what privacy you think you've set.
I had no issue with it but after DLing the app and having it automatically find the consolidated.db file in my iPhone backup and present a map timeline of my whereabout I found it a bit unsettling.
The app is rudimentary. I?d like to see one where I have little dotted lines like Billy in Family Circus.
It's a new MobileMe service called: Find My girlFriend!
All you need is access to the access someone syncs their iPhone to iTunes and you know where they were. Of course, if you have access to their account they likely too worried about security.
Awesome! No more complaining from iFans about Privacy flaws in Android. It is unbelievable that Apple is doing such a thing intentionally.
Because you honestly believe Google isn't doing the same thing? And then pulling that data from your phone? And then selling that information to the highest bidder in return for "personalized" ads?
The iPhone may be storing this data, but it is stored locally, and not seen by anybody or anything but the /private folder it was meant to stay in.
edit: And let's not forget that anybody with your phone number and access to Google Maps can figure out where you live, where you work, where your family lives, where they work... and so on. Let's not suddenly become naive and believe privacy is anything more than a politically correct term.
Awesome! No more complaining from iFans about Privacy flaws in Android. It is unbelievable that Apple is doing such a thing intentionally.
I bet you can't point out the "privacy flaw" that this indicates iOS has, without resorting to a heck of a lot of supposin'.
There is no evidence yet that I'm aware of that this file is saved if you have turned off location services.
I see no evidence so far that this file contradicts *any* privacy settings you have on the device.
This.
I found all of this interesting, but not the least-bit alarming. How my "privacy" has been invaded because my iPhone records very vaguely where I've been, is beyond my comprehension. Once again paranoia is its own reward.
Awesome! No more complaining from iFans about Privacy flaws in Android. It is unbelievable that Apple is doing such a thing intentionally.
Let us just review the facts for a minute:
- Zero indication that this information is being sent anywhere including to Apple.
- Getting this file would require access to your phone or a computer that you have sync'd to.
- The gathering of this information has already been disclosed by Apple.
Now maybe apple could have encrypted this file, but once again it isn't being transmitted.If you are worried about your computer that you are sync'd to then encrypt your backup. It is an option in iTunes.
Let us just review the facts for a minute:
- Zero indication that this information is being sent anywhere including to Apple.
- Getting this file would require access to your phone or a computer that you have sync'd to.
- The gathering of this information has already been disclosed by Apple.
Now maybe apple could have encrypted this file, but once again it isn't being transmitted.If you are worried about your computer that you are sync'd to then encrypt your backup. It is an option in iTunes.
Excellent points.
This is old news from 2010... Too bad the people that "found" this file couldn't find a link to Google to find this information had already been disclosed by Apple.
Yep or the fact that it only records that information when you allow location use. If you turn off location services it records nothing.
It requires access to your phone. Or the machine you sync to. Doubtful that is going to happen to to many folks.
And every smart phone likely does this kind of recording.
The results are none-to accurate. I'm reported to have been in places where I've never actually been, with the iPhone at least. Many miles away in fact. Presumably the iPhone snagged a cell tower far away from my exact location.
I found all of this interesting, but not the least-bit alarming. How my "privacy" has been invaded because my iPhone records very vaguely where I've been, is beyond my comprehension. Once again paranoia is its own reward.
did you read anything about the app you were using? the app intentionally will not show data as accurately as it is being collected in an unencrypted file on your phone.
"One note, if you zoom in on the map, you'll see the points falling into a grid pattern -- the researchers added this as a deliberate limitation in their program. The underlying data is more accurate than the tool shows, to prevent their demo app itself being used for malicious purposes."