News: iPhone Knows Where You’ve Been
A report has come out stating that since iOS 4 was released, potentially every iOS device has been keeping tabs on its location. Right now, iPhones and the iPad 3G models are getting the finger-pointing, and it seems to be done through triangulation, rather than the GPS chip. The data is then stored in a file that lives on both your phone and computer.
So, what does this mean? Well, for starters, it means that there is an unencrypted file stores on your computer that lists various time stamps and locations for the past 10 months or so. From O’Reilly Radar:
“What makes this issue worse is that the file is unencrypted and unprotected, and it’s on any machine you’ve synched with your iOS device. It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you’ve been over the last year, since iOS 4 was released.”
Scary? Yes. An immediate worry? No. Although Skynet was supposed to go online yesterday, don’t think the iPhones will be rising up anytime soon:
All iPhones appear to log your location to a file called “consolidated.db.” This contains latitude-longitude coordinates along with a timestamp. The coordinates aren’t always exact, but they are pretty detailed. There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there’s typically around a year’s worth of information at this point. Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself.
Right now, the only folks that have access to the data must have access to the computer that the iOS device is backed up to. This data has always existed (mobile phone providers have it, but usually require a court order to display it). If you want to look at it, there’s a desktop application:
We have built an application that helps you look at your own data. It’s available at petewarden.github.com/iPhoneTracker along with the source code and deeper technical information.
Right now, it’s probably a good idea to make sure your backups are encrypted and if you don’t have an iOS device, maybe make yourself familiar where your phone might store location data (many do log this).
In a piece on Wired, some of the other implications are explained:
The location data stored inside “consolidated.db” cannot be accessed by Safari or any apps, said Charlie Miller, a security researcher known for discovering vulnerabilities in the iPhone. However, the data file is sensitive because a thief who gains physical access to an iPhone or iPad could look at the file and see everywhere a customer has been, or a hacker could remotely break in and read the file, Miller said.
Sharon Nissim, consumer privacy counsel of the Electronic Privacy Information Center, said it is possible Apple is violating the Wireless Communications and Public Safety Act, which allows telecom carriers to provide call information only in emergency situations.
“By asking for permission to collect location data, Apple may be trying to get around its legal obligations, by asking people to give up privacy rights they don’t even know they have,” Nissim said.
She added that a potential privacy concern is that law enforcement would be able to subpoena these types of records from people’s iPhones or iPads.