Risk
4/27/2011
01:56 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Explains iPhone Tracking, Promises Fix

iPhones track Wi-Fi hotspots and cell towers, not users, Apple said in answering critics, while also promising to fixing a bug that kept too much data.


Slideshow: Apple iPhone 4, A True Teardown
(click for larger image and for full slideshow)
Apple on Tuesday responded to the controversy surrounding its handling of location data on the iPhone and denied tracking iPhone users' whereabouts. The company attributed the volume of stored location data to a software bug, and committed to encrypting the data on iPhones while eliminating it from backups in a forthcoming software update.

Apple's explanation arrives following a letter of inquiry sent on Monday by the House Energy and Commerce Committee to Apple CEO Steve Jobs. The letter seeks an explanation of Apple's location data policies in light of press reports about the presence of location data on iPhones. While the initial report last week about the discovery of location data on iPhones was subsequently revealed to be old news in the forensics community, the issue has continued to fester in the absence of a clear and comprehensive response from Apple. A lawsuit accusing Apple of violating privacy and computer fraud laws through its location data practices was filed in Florida last week.

Apple accepts some blame for situation, stating in a note posted on its website on Wednesday that "the creators of this new technology (including Apple) have not provided enough education about these issues to date."

Disavowing any interest in tracking the locations of iPhones, Apple described its data gathering as an attempt to build a crowd-sourced database of Wi-Fi hotspots and cell towers to hasten location calculations, which are useful in apps that utilize location services and in core phone functions.

"Calculating a phone's location using just GPS satellite data can take up to several minutes," Apple explained. "iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements)."

Although the location data stored on iPhones corresponds to hotspots and cell towers (some of which may be as many as 100 miles away from the iPhone user), rather than the geographic locations of iPhone users, many location records may still be closely aligned with the user's actual location at the time the data is recorded.

Apple said that when this data is transmitted to the company it is encrypted and anonymous. However, it acknowledged while the cache of hotspot and location data it is not encrypted, but instead is protected through obscurity, which is regarded in the security industry as a dubious security strategy. Nor is the iTunes backup of the cache encrypted, unless specified to be so by the user.

To remedy the situation, Apple has promised to release an iOS update in a few weeks that reduces the crowd-sourced database so that it stores seven days of data instead of a year's worth, stops backing up the database cache in iTunes, and deletes the cache when the Location Services option is disabled. In addition, the hotspot and cell tower database that resides on iPhones will be encrypted in the next major iOS release, which is likely to be several months from now.

Apple also said that it is collecting anonymous crowd-sourced traffic data in order to offer an improved traffic service to iPhone users in the coming years. Presently, iPhone users have access to Google-provided traffic data through the Maps application that comes pre-installed on every iPhone.

Since Apple and Google began viewing each other as competitors in August 2009, when then Google CEO Eric Schmidt resigned from Apple's board of directors, it has been widely assumed that Apple will eventually seek to revise or replace its software and services that depend on Google. Apple's acquisition of mapping companies Placebase and Poly9 have only strengthened such speculation.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?