Risk
4/27/2011
01:56 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Explains iPhone Tracking, Promises Fix

iPhones track Wi-Fi hotspots and cell towers, not users, Apple said in answering critics, while also promising to fixing a bug that kept too much data.


Slideshow: Apple iPhone 4, A True Teardown
(click for larger image and for full slideshow)
Apple on Tuesday responded to the controversy surrounding its handling of location data on the iPhone and denied tracking iPhone users' whereabouts. The company attributed the volume of stored location data to a software bug, and committed to encrypting the data on iPhones while eliminating it from backups in a forthcoming software update.

Apple's explanation arrives following a letter of inquiry sent on Monday by the House Energy and Commerce Committee to Apple CEO Steve Jobs. The letter seeks an explanation of Apple's location data policies in light of press reports about the presence of location data on iPhones. While the initial report last week about the discovery of location data on iPhones was subsequently revealed to be old news in the forensics community, the issue has continued to fester in the absence of a clear and comprehensive response from Apple. A lawsuit accusing Apple of violating privacy and computer fraud laws through its location data practices was filed in Florida last week.

Apple accepts some blame for situation, stating in a note posted on its website on Wednesday that "the creators of this new technology (including Apple) have not provided enough education about these issues to date."

Disavowing any interest in tracking the locations of iPhones, Apple described its data gathering as an attempt to build a crowd-sourced database of Wi-Fi hotspots and cell towers to hasten location calculations, which are useful in apps that utilize location services and in core phone functions.

"Calculating a phone's location using just GPS satellite data can take up to several minutes," Apple explained. "iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements)."

Although the location data stored on iPhones corresponds to hotspots and cell towers (some of which may be as many as 100 miles away from the iPhone user), rather than the geographic locations of iPhone users, many location records may still be closely aligned with the user's actual location at the time the data is recorded.

Apple said that when this data is transmitted to the company it is encrypted and anonymous. However, it acknowledged while the cache of hotspot and location data it is not encrypted, but instead is protected through obscurity, which is regarded in the security industry as a dubious security strategy. Nor is the iTunes backup of the cache encrypted, unless specified to be so by the user.

To remedy the situation, Apple has promised to release an iOS update in a few weeks that reduces the crowd-sourced database so that it stores seven days of data instead of a year's worth, stops backing up the database cache in iTunes, and deletes the cache when the Location Services option is disabled. In addition, the hotspot and cell tower database that resides on iPhones will be encrypted in the next major iOS release, which is likely to be several months from now.

Apple also said that it is collecting anonymous crowd-sourced traffic data in order to offer an improved traffic service to iPhone users in the coming years. Presently, iPhone users have access to Google-provided traffic data through the Maps application that comes pre-installed on every iPhone.

Since Apple and Google began viewing each other as competitors in August 2009, when then Google CEO Eric Schmidt resigned from Apple's board of directors, it has been widely assumed that Apple will eventually seek to revise or replace its software and services that depend on Google. Apple's acquisition of mapping companies Placebase and Poly9 have only strengthened such speculation.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, you were supposed to display UNICODE characters!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.