Risk
4/27/2011
01:56 PM

Apple Explains iPhone Tracking, Promises Fix

iPhones track Wi-Fi hotspots and cell towers, not users, Apple said in answering critics, while also promising to fix a bug that kept too much data.


Apple on Wednesday responded to the controversy surrounding its handling of location data on the iPhone and denied tracking iPhone users' whereabouts. The company attributed the volume of stored location data to a software bug, and committed to encrypting the data on iPhones and removing it from backups in a forthcoming software update.

Apple's explanation arrives following a letter of inquiry sent on Monday by the House Energy and Commerce Committee to Apple CEO Steve Jobs. The letter seeks an explanation of Apple's location data policies in light of press reports about the presence of location data on iPhones. While the initial report last week about the discovery of location data on iPhones was subsequently revealed to be old news in the forensics community, the issue has continued to fester in the absence of a clear and comprehensive response from Apple. A lawsuit accusing Apple of violating privacy and computer fraud laws through its location data practices was filed in Florida last week.

Apple accepts some blame for the situation, stating in a note posted on its website on Wednesday that "the creators of this new technology (including Apple) have not provided enough education about these issues to date."

Disavowing any interest in tracking the locations of iPhones, Apple described its data gathering as an attempt to build a crowd-sourced database of Wi-Fi hotspots and cell towers to hasten location calculations, which are useful in apps that utilize location services and in core phone functions.

"Calculating a phone's location using just GPS satellite data can take up to several minutes," Apple explained. "iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements)."

Although the location data stored on iPhones corresponds to hotspots and cell towers (some of which may be as many as 100 miles away from the iPhone user) rather than to the user's own geographic location, many records will still closely match the user's actual location at the time they were recorded.

Apple said that when this data is transmitted to the company it is encrypted and anonymous. However, it acknowledged that the cache of hotspot and cell tower data held on the phone itself is not encrypted; it is protected only by obscurity, which the security industry regards as a dubious strategy. Nor is the iTunes backup of the cache encrypted, unless the user has chosen to encrypt backups.

To remedy the situation, Apple has promised to release an iOS update in a few weeks that reduces the size of the crowd-sourced database cached on the phone so that it stores seven days of data instead of a year's worth, stops backing up the cache in iTunes, and deletes the cache when the Location Services option is disabled. In addition, the hotspot and cell tower database that resides on iPhones will be encrypted in the next major iOS release, which is likely to be several months from now.
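The following is an added illustration, not Apple's code or its actual positioning algorithm, of the three points above: how a cache of timestamped hotspot and cell tower observations speeds up a position fix (here a simple weighted centroid using a log-distance path-loss model, a stand-in for whatever Apple really does), why such a cache still yields a user track even though it stores transmitter positions rather than the phone's, and what a seven-day retention rule leaves behind. The coordinates, signal strengths, timestamps and the Observation record layout are all constructed for the example.

```python
"""Hotspot-cache positioning, track leakage, and retention pruning (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import cos, radians, sqrt


@dataclass(frozen=True)
class Observation:
    seen_at: datetime   # when the phone saw the transmitter
    lat: float          # transmitter's crowd-sourced latitude
    lon: float          # transmitter's crowd-sourced longitude
    rssi_dbm: float     # received signal strength in dBm


def rssi_to_distance_m(rssi_dbm, tx_power_at_1m=-40.0, path_loss_exp=2.7):
    """Log-distance path-loss model: rough distance in metres from RSSI.
    Assumed constants; real radios and environments vary widely."""
    return 10 ** ((tx_power_at_1m - rssi_dbm) / (10 * path_loss_exp))


def estimate_position(obs):
    """Weighted centroid of transmitter positions, weight 1/d^2.
    A deliberately simple stand-in for assisted positioning; not Apple's algorithm."""
    if not obs:
        raise ValueError("no observations")
    total = lat = lon = 0.0
    for o in obs:
        w = 1.0 / rssi_to_distance_m(o.rssi_dbm) ** 2
        lat += w * o.lat
        lon += w * o.lon
        total += w
    return (lat / total, lon / total)


def distance_m(a, b):
    """Equirectangular approximation; adequate over a few kilometres."""
    lat1, lon1 = a
    lat2, lon2 = b
    x = radians(lon2 - lon1) * cos(radians((lat1 + lat2) / 2))
    y = radians(lat2 - lat1)
    return 6_371_000 * sqrt(x * x + y * y)


def location_track(cache):
    """Group observations by hour and estimate a position per hour.
    This is the user track a hotspot cache leaks even though every record
    holds a transmitter's location, not the phone's."""
    buckets = {}
    for o in cache:
        hour = o.seen_at.replace(minute=0, second=0, microsecond=0)
        buckets.setdefault(hour, []).append(o)
    return {hour: estimate_position(obs) for hour, obs in sorted(buckets.items())}


def prune(cache, now, keep=timedelta(days=7)):
    """Retention rule from the promised fix: drop anything older than `keep`."""
    cutoff = now - keep
    return [o for o in cache if o.seen_at >= cutoff]


def _three_hotspots(center, when):
    """Constructed: three transmitters within ~50 m of `center`, seen at `when`."""
    lat, lon = center
    return [
        Observation(when, lat + 0.0004, lon, -50.0),
        Observation(when, lat - 0.0004, lon + 0.0003, -55.0),
        Observation(when, lat, lon - 0.0004, -60.0),
    ]


# Constructed sample cache: an old sighting near "home", a recent one near
# "home", and one an hour ago near "office".
NOW = datetime(2011, 4, 27, 12, 0, tzinfo=timezone.utc)
HOME, OFFICE = (37.7749, -122.4194), (37.7899, -122.4009)
CACHE = (_three_hotspots(HOME, NOW - timedelta(days=10))
         + _three_hotspots(HOME, NOW - timedelta(days=2, hours=4))
         + _three_hotspots(OFFICE, NOW - timedelta(hours=1)))
TRUTH = [HOME, HOME, OFFICE]   # where the phone really was, per hour bucket


def demo():
    """Run everything on the constructed cache and return the headline figures."""
    full = location_track(CACHE)
    kept = prune(CACHE, NOW)
    return {
        "buckets_before_prune": len(full),
        "buckets_after_prune": len(location_track(kept)),
        "worst_error_m": max(distance_m(est, truth)
                             for est, truth in zip(full.values(), TRUTH)),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the middle function: a year's worth of records, even with nothing but transmitter coordinates in them, reconstructs a per-hour movement history to within tens of metres, which is why the cache's lack of encryption and its presence in unencrypted backups mattered more than the "we only store hotspots" framing suggests. Pruning to seven days narrows the window but does not change what the surviving records reveal.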

Apple also said that it is collecting anonymous crowd-sourced traffic data in order to offer an improved traffic service to iPhone users in the coming years. Presently, iPhone users have access to Google-provided traffic data through the Maps application that comes pre-installed on every iPhone.

Since Apple and Google began viewing each other as competitors in August 2009, when then Google CEO Eric Schmidt resigned from Apple's board of directors, it has been widely assumed that Apple will eventually seek to revise or replace its software and services that depend on Google. Apple's acquisitions of mapping companies Placebase and Poly9 have only strengthened such speculation.
