Feeds

No, iPhone location tracking isn't harmless and here's why

Secret Apple database already being tapped by cops

  • alert
  • submit to reddit

Website security in corporate America

Analysis It didn't take long for the blogosphere to pooh pooh research presented on Wednesday that detailed a file in Apple iPhones and iPads unknown to the vast majority of its users that stored a long list of their time-stamped locations, sometimes with alarming detail.

On Thursday, a forensics expert who sells software to law enforcement agencies gave a first-hand account why scrutiny of the location-tracking database is crucial. We'll get to that in a moment. But first, let's take a sampling of the rampant naysaying.

The most common criticism was that the contents of the SQLite file, which is stored on the phone and on any computer backups, were wildly imprecise. Blogger and web developer Will Clarke, for instance, used the researchers' freely available software to map the coordinates gathered by his own iPhone during a recent round-trip bike tour he took from Philadelphia to New Jersey. When he compared the results to the actual route, he found that “almost all the points were way off.”

In an interview with The Reg, he said some of the points on the resulting map were as much as 3,000 meters, or almost two miles, away from his true location.

“The data that is exposed basically reveals which city you were in at a given time,” he concluded in a post that called the research “sensational.” “Nothing more specific than that. It can't tell what house you live in, it can't tell what route you jog on, nothing like that.”

He went on to conclude: “Apple is not storing the device's location, it's storing the location of the towers that the device is communicating with.”

Software analyst David “Lefty” Schlesinger found similar inaccuracies when he used the database contents of his iPhone to plot a train ride he took in July from Amsterdam to Den Haag, about 60 kilometers away. He also found that the iPhone file showed he was in Santa Cruz, California, on Christmas Day and traveled as much as 80 miles, when in fact he stayed in the state's Central Valley, some 130 miles away, the entire day.

Like several other bloggers, he also noted huge inconsistencies in the time intervals that locations were logged. Sometimes iPhones and iPads went days without updating the database, and on one occasion went almost two weeks.

The critics make a valid point that the data stored in the consolidated.db file hardly contains a historical record of a user's real-time comings and goings, or a user's every move, as incorrectly suggested in initial coverage from The Register and many other news sites. Researchers Pete Warden and Alasdair Allan readily acknowledge that they have yet to figure out what triggers iDevices to log location details, but it's not unusual for hours or even weeks to occasionally pass between entries.

They said they have noted one or two grossly inaccurate locations logged in the database. One region that seems to regularly pop up in files stored on multiple phones is an area just outside of Las Vegas. Allan said the database extracted from his iPhone and the iPhones of several people he knows logged that Nevada city even though none of the owners were anywhere near it on the date indicated in the corresponding timestamp.

Las Vegas also incorrectly showed up on the iPhones of Clarke and a co-worker of his, suggesting the iOS code that logs locations may be buggy.

“We both have the exact same data point in Vegas, and neither of us have been,” he said.

Warden and Allan said their reverse engineering exercise made it impossible to learn the precise way the logging works, but they insist the conclusion of their research is still correct: The contents of the consolidated.db file stored on every iDevice and on any computer containing a backup of its data contains a “scary amount of detail on our movements.”

“By inspecting it, I can tell what part of downtown San Francisco I'm in, I can see that I'm in a particular neighborhood,” Warden said.

Added Allan: “It's a bit above block level, but it can certainly tell that I'm in north east Manhattan, or south east Manhattan.”

They said the precise latitude and longitude plotted on a map is accurate to about 500 meters in areas where there are many cellphone nodes and as much as 4 kilometers with fewer nodes.

“It really does seem to be dependent on how good your cell coverage is,” Allan said. “If you're in a big city like downtown San Francisco, the positioning is going to be much better. If you're in the middle of London, the positioning is going to be much better. If you're in a rural or semi-rural area, your positions are going to be much rougher.”

They also refuted Clarke's assertion that the latitude and longitude coordinates logged in the database referred to the position of cell towers rather than the Apple devices themselves. Some of the extracted databases they examined plotted literally thousands of unique coordinates in a small part of a single city. It's almost impossible that there could be that many corresponding nodes in such a confined area, they said.

What's more, the geographic locations of cell towers is usually kept secret by the carriers who own them, and there's no clear way an iPhone would be able to detect its longitude and latitude anyway.

“Our current stance is that this is the position of the device,” Allan said. “There has to be now or very soon a big public debate about location data and privacy. This (research) might be something that helps kick that debate off.”

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.