Risk
4/22/2011
12:52 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

So What If iPhones Spy User Locations

The iPhone keeps track on its owner's whereabouts, but without that crucial location data, many services that help make the smartphone so popular wouldn't function.

There’s been a considerable amount of hullabaloo about how Apple's iPhone stores a record of the travels of its owner and on the system they use for synchronization. The data, according to Thomas Claburn’s story iPhone Software Tracks Location Of Users, is latitude and longitude coordinates and their corresponding timestamps. The data is stored in an unencrypted file on the computer and the iPhone.

I have a hard time getting worked up about this. First, location data is crucial for popular services such as “Find My iPhone,” and the many, many applications that depend on accurate location data to work. That’s the only way they can find the best sushi restaurant close to you, report your location to your favorite social media, or know the nearest theater with the movie you want to see. You get the idea.

Of course, these applications have logs. All of your computing devices pretty much log everything you do.

Second, many companies have this type of data. Many newer car models track everywhere the owner goes. Your credit card company, bank, and debit card provider knows everywhere you travel and everything you buy--unless you are one of the few who pay for everything in cash. Also, let’s not overlook the fact that mobile phone network providers have all of this data, and many of them hold it for unknown lengths of time.

And, it appears, phones based on the Android operating system do the same thing, essentially. The location information is stored in files named cache.cell and cache.wifi.

These are locally stored files, and if any data is sent to Apple--best I’ve been able to determine--the data is anonymized and used to build a location database of Wi-Fi hotspots.

And, the fact is, Apple has already responded to government inquiries about its location tracking abilities.

The fact that Apple has already answered these questions didn't stop Senator Al Franken from sending a letter to Steve Jobs, asking about "serious privacy concerns."

Franken wrote:

"I read with concern a recent report by security researchers that Apple's iOS 4 operating system is secretly compiling its customers' location data in a file stored on iPhones, 3G iPads, and every computer that users used to "sync" their devices."

And all of this over a locally stored database file, while real Fourth Amendment concerns, such as exactly what the state of Michigan is doing with their mobile phone forensic devices during traffic stops, doesn't get a quarter of the same outrage:

The Michigan State Police have a high-tech mobile forensics device that can be used to extract information from cell phones belonging to motorists stopped for minor traffic violations. The American Civil Liberties Union (ACLU) of Michigan last Wednesday demanded that state officials stop stonewalling freedom of information requests for information on the program.

Should Apple encrypt the files? Yes? Should the logs probably be cleared in a shorter period of time than a year? I think so. Is this as big of a deal as it's been made out to be? I don’t think so.

If this concerns you, encrypt your iPhone and encrypt your iPhone backups within iTunes.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.