Feeds

No, iPhone location tracking isn't harmless and here's why

Secret Apple database already being tapped by cops

  • alert
  • submit to reddit

Security for virtualized datacentres

Analysis It didn't take long for the blogosphere to pooh pooh research presented on Wednesday that detailed a file in Apple iPhones and iPads unknown to the vast majority of its users that stored a long list of their time-stamped locations, sometimes with alarming detail.

On Thursday, a forensics expert who sells software to law enforcement agencies gave a first-hand account why scrutiny of the location-tracking database is crucial. We'll get to that in a moment. But first, let's take a sampling of the rampant naysaying.

The most common criticism was that the contents of the SQLite file, which is stored on the phone and on any computer backups, were wildly imprecise. Blogger and web developer Will Clarke, for instance, used the researchers' freely available software to map the coordinates gathered by his own iPhone during a recent round-trip bike tour he took from Philadelphia to New Jersey. When he compared the results to the actual route, he found that “almost all the points were way off.”

In an interview with The Reg, he said some of the points on the resulting map were as much as 3,000 meters, or almost two miles, away from his true location.

“The data that is exposed basically reveals which city you were in at a given time,” he concluded in a post that called the research “sensational.” “Nothing more specific than that. It can't tell what house you live in, it can't tell what route you jog on, nothing like that.”

He went on to conclude: “Apple is not storing the device's location, it's storing the location of the towers that the device is communicating with.”

Software analyst David “Lefty” Schlesinger found similar inaccuracies when he used the database contents of his iPhone to plot a train ride he took in July from Amsterdam to Den Haag, about 60 kilometers away. He also found that the iPhone file showed he was in Santa Cruz, California, on Christmas Day and traveled as much as 80 miles, when in fact he stayed in the state's Central Valley, some 130 miles away, the entire day.

Like several other bloggers, he also noted huge inconsistencies in the time intervals that locations were logged. Sometimes iPhones and iPads went days without updating the database, and on one occasion went almost two weeks.

The critics make a valid point that the data stored in the consolidated.db file hardly contains a historical record of a user's real-time comings and goings, or a user's every move, as incorrectly suggested in initial coverage from The Register and many other news sites. Researchers Pete Warden and Alasdair Allan readily acknowledge that they have yet to figure out what triggers iDevices to log location details, but it's not unusual for hours or even weeks to occasionally pass between entries.

They said they have noted one or two grossly inaccurate locations logged in the database. One region that seems to regularly pop up in files stored on multiple phones is an area just outside of Las Vegas. Allan said the database extracted from his iPhone and the iPhones of several people he knows logged that Nevada city even though none of the owners were anywhere near it on the date indicated in the corresponding timestamp.

Las Vegas also incorrectly showed up on the iPhones of Clarke and a co-worker of his, suggesting the iOS code that logs locations may be buggy.

“We both have the exact same data point in Vegas, and neither of us have been,” he said.

Warden and Allan said their reverse engineering exercise made it impossible to learn the precise way the logging works, but they insist the conclusion of their research is still correct: The contents of the consolidated.db file stored on every iDevice and on any computer containing a backup of its data contains a “scary amount of detail on our movements.”

“By inspecting it, I can tell what part of downtown San Francisco I'm in, I can see that I'm in a particular neighborhood,” Warden said.

Added Allan: “It's a bit above block level, but it can certainly tell that I'm in north east Manhattan, or south east Manhattan.”

They said the precise latitude and longitude plotted on a map is accurate to about 500 meters in areas where there are many cellphone nodes and as much as 4 kilometers with fewer nodes.

“It really does seem to be dependent on how good your cell coverage is,” Allan said. “If you're in a big city like downtown San Francisco, the positioning is going to be much better. If you're in the middle of London, the positioning is going to be much better. If you're in a rural or semi-rural area, your positions are going to be much rougher.”

They also refuted Clarke's assertion that the latitude and longitude coordinates logged in the database referred to the position of cell towers rather than the Apple devices themselves. Some of the extracted databases they examined plotted literally thousands of unique coordinates in a small part of a single city. It's almost impossible that there could be that many corresponding nodes in such a confined area, they said.

What's more, the geographic locations of cell towers is usually kept secret by the carriers who own them, and there's no clear way an iPhone would be able to detect its longitude and latitude anyway.

“Our current stance is that this is the position of the device,” Allan said. “There has to be now or very soon a big public debate about location data and privacy. This (research) might be something that helps kick that debate off.”

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.