Feeds

Apple squashes location tracking 'bugs' with iOS update

Cell tower and Wi-Fi database cache shrunk

SANS - Survey on application security programs

Apple has released an iOS update that changes the way its mobile operating system treats the database cache at the heart of the recent kerfuffle over the Jobsian location services.

On Wednesday, Steve Jobs and company pushed out iOS 4.3.3, saying it contains three changes to the operating system's "crowd-sourced location database cache", also known as "consolidated.db". According to Apple, the update reduces the size of the cache (by an unspecified amount), ensures that the cache is no longer backed up to iTunes when you connect to a PC, and deletes the cache when iOS location services are turned off.

Apple uses customer iPhones to build a database of Wi-Fi networks and cell towers that mobile applications can use to pinpoint the location of a particular device. This data is used in tandem with GPS in order to improve the speed and accuracy of location services.

When determining a phone's location, Apple downloads a portion of this database to the device, and this is stored in consolidated.db. "A small localized cache on the device is very helpful for speed," says Ted Morgan, CEO of Skyhook, a company that offers similar location services. "Rather than having to keep going back to the server, you keep a small subset of the reference data locally so that while you are within a 10 block area it just uses the local file until you move farther away...[This is] for speed and for not having to rely on a flakey cellphone network connection."

Last month, independent researchers released a report reporting that the Apple file may contain data on cell tower and Wi-Fi networks related to places you've visited a year ago or more. This data, it soon emerged, has long been used by law enforcement to determine the past location of phone owners. After the report sparked a media firestorm, Apple posted an FAQ on its website that addressed the database cache.

Apple acknowledged that the database cache gets backed up to iTunes when iPhones are synced, that it may store as much as a year's worth of data, and that it remained on the phone even when location services were turned off. But it called all three "bugs", vowing to make changes with a future update to iOS. Apple said it needed to store only about seven days' worth of data.

According to tests by independent security researcher Samy Kamkar, the iPhone was also collecting new data on cell tower and Wi-Fi networks when location services were off, and sending this data back to its servers. It's unclear whether the update stops these collections as well. According to Skyhook's Morgan, the collection of the data and the downloading of the cache to the phone typically work hand-in-hand.

Apple has acknowledged that consolidated.db cache is not encrypted, and it does not appear this has changed with the new iOS update. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.