Feeds

No, iPhone location tracking isn't harmless and here's why

Secret Apple database already being tapped by cops

  • alert
  • submit to reddit

SANS - Survey on application security programs

Analysis It didn't take long for the blogosphere to pooh pooh research presented on Wednesday that detailed a file in Apple iPhones and iPads unknown to the vast majority of its users that stored a long list of their time-stamped locations, sometimes with alarming detail.

On Thursday, a forensics expert who sells software to law enforcement agencies gave a first-hand account why scrutiny of the location-tracking database is crucial. We'll get to that in a moment. But first, let's take a sampling of the rampant naysaying.

The most common criticism was that the contents of the SQLite file, which is stored on the phone and on any computer backups, were wildly imprecise. Blogger and web developer Will Clarke, for instance, used the researchers' freely available software to map the coordinates gathered by his own iPhone during a recent round-trip bike tour he took from Philadelphia to New Jersey. When he compared the results to the actual route, he found that “almost all the points were way off.”

In an interview with The Reg, he said some of the points on the resulting map were as much as 3,000 meters, or almost two miles, away from his true location.

“The data that is exposed basically reveals which city you were in at a given time,” he concluded in a post that called the research “sensational.” “Nothing more specific than that. It can't tell what house you live in, it can't tell what route you jog on, nothing like that.”

He went on to conclude: “Apple is not storing the device's location, it's storing the location of the towers that the device is communicating with.”

Software analyst David “Lefty” Schlesinger found similar inaccuracies when he used the database contents of his iPhone to plot a train ride he took in July from Amsterdam to Den Haag, about 60 kilometers away. He also found that the iPhone file showed he was in Santa Cruz, California, on Christmas Day and traveled as much as 80 miles, when in fact he stayed in the state's Central Valley, some 130 miles away, the entire day.

Like several other bloggers, he also noted huge inconsistencies in the time intervals that locations were logged. Sometimes iPhones and iPads went days without updating the database, and on one occasion went almost two weeks.

The critics make a valid point that the data stored in the consolidated.db file hardly contains a historical record of a user's real-time comings and goings, or a user's every move, as incorrectly suggested in initial coverage from The Register and many other news sites. Researchers Pete Warden and Alasdair Allan readily acknowledge that they have yet to figure out what triggers iDevices to log location details, but it's not unusual for hours or even weeks to occasionally pass between entries.

They said they have noted one or two grossly inaccurate locations logged in the database. One region that seems to regularly pop up in files stored on multiple phones is an area just outside of Las Vegas. Allan said the database extracted from his iPhone and the iPhones of several people he knows logged that Nevada city even though none of the owners were anywhere near it on the date indicated in the corresponding timestamp.

Las Vegas also incorrectly showed up on the iPhones of Clarke and a co-worker of his, suggesting the iOS code that logs locations may be buggy.

“We both have the exact same data point in Vegas, and neither of us have been,” he said.

Warden and Allan said their reverse engineering exercise made it impossible to learn the precise way the logging works, but they insist the conclusion of their research is still correct: The contents of the consolidated.db file stored on every iDevice and on any computer containing a backup of its data contains a “scary amount of detail on our movements.”

“By inspecting it, I can tell what part of downtown San Francisco I'm in, I can see that I'm in a particular neighborhood,” Warden said.

Added Allan: “It's a bit above block level, but it can certainly tell that I'm in north east Manhattan, or south east Manhattan.”

They said the precise latitude and longitude plotted on a map is accurate to about 500 meters in areas where there are many cellphone nodes and as much as 4 kilometers with fewer nodes.

“It really does seem to be dependent on how good your cell coverage is,” Allan said. “If you're in a big city like downtown San Francisco, the positioning is going to be much better. If you're in the middle of London, the positioning is going to be much better. If you're in a rural or semi-rural area, your positions are going to be much rougher.”

They also refuted Clarke's assertion that the latitude and longitude coordinates logged in the database referred to the position of cell towers rather than the Apple devices themselves. Some of the extracted databases they examined plotted literally thousands of unique coordinates in a small part of a single city. It's almost impossible that there could be that many corresponding nodes in such a confined area, they said.

What's more, the geographic locations of cell towers is usually kept secret by the carriers who own them, and there's no clear way an iPhone would be able to detect its longitude and latitude anyway.

“Our current stance is that this is the position of the device,” Allan said. “There has to be now or very soon a big public debate about location data and privacy. This (research) might be something that helps kick that debate off.”

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.