Risk
4/27/2011
01:56 PM

Apple Explains iPhone Tracking, Promises Fix

iPhones track Wi-Fi hotspots and cell towers, not users, Apple said in answering critics, while also promising to fix a bug that kept too much data.


Apple on Tuesday responded to the controversy surrounding its handling of location data on the iPhone and denied tracking iPhone users' whereabouts. The company attributed the volume of stored location data to a software bug, and committed to encrypting the data on iPhones while eliminating it from backups in a forthcoming software update.

Apple's explanation arrives following a letter of inquiry sent on Monday by the House Energy and Commerce Committee to Apple CEO Steve Jobs. The letter seeks an explanation of Apple's location data policies in light of press reports about the presence of location data on iPhones. While the initial report last week about the discovery of location data on iPhones was subsequently revealed to be old news in the forensics community, the issue has continued to fester in the absence of a clear and comprehensive response from Apple. A lawsuit accusing Apple of violating privacy and computer fraud laws through its location data practices was filed in Florida last week.

Apple accepts some blame for the situation, stating in a note posted on its website on Wednesday that "the creators of this new technology (including Apple) have not provided enough education about these issues to date."

Disavowing any interest in tracking the locations of iPhones, Apple described its data gathering as an attempt to build a crowd-sourced database of Wi-Fi hotspots and cell towers to hasten location calculations, which are useful in apps that utilize location services and in core phone functions.

"Calculating a phone's location using just GPS satellite data can take up to several minutes," Apple explained. "iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements)."

Although the location data stored on iPhones corresponds to hotspots and cell towers (some of which may be as many as 100 miles away from the iPhone user), rather than the geographic locations of iPhone users, many location records may still be closely aligned with the user's actual location at the time the data is recorded.

Apple said that when this data is transmitted to the company it is encrypted and anonymous. However, it acknowledged that the cache of hotspot and location data is not encrypted, but instead is protected through obscurity, which is regarded in the security industry as a dubious security strategy. Nor is the iTunes backup of the cache encrypted, unless specified to be so by the user.

To remedy the situation, Apple has promised to release an iOS update in a few weeks that reduces the crowd-sourced database so that it stores seven days of data instead of a year's worth, stops backing up the database cache in iTunes, and deletes the cache when the Location Services option is disabled. In addition, the hotspot and cell tower database that resides on iPhones will be encrypted in the next major iOS release, which is likely to be several months from now.

Apple also said that it is collecting anonymous crowd-sourced traffic data in order to offer an improved traffic service to iPhone users in the coming years. Presently, iPhone users have access to Google-provided traffic data through the Maps application that comes pre-installed on every iPhone.

Since Apple and Google began viewing each other as competitors in August 2009, when then-Google CEO Eric Schmidt resigned from Apple's board of directors, it has been widely assumed that Apple will eventually seek to revise or replace its software and services that depend on Google. Apple's acquisition of mapping companies Placebase and Poly9 has only strengthened such speculation.
