Risk
4/22/2011
12:52 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

So What If iPhones Spy User Locations

The iPhone keeps track on its owner's whereabouts, but without that crucial location data, many services that help make the smartphone so popular wouldn't function.

There’s been a considerable amount of hullabaloo about how Apple's iPhone stores a record of the travels of its owner and on the system they use for synchronization. The data, according to Thomas Claburn’s story iPhone Software Tracks Location Of Users, is latitude and longitude coordinates and their corresponding timestamps. The data is stored in an unencrypted file on the computer and the iPhone.

I have a hard time getting worked up about this. First, location data is crucial for popular services such as “Find My iPhone,” and the many, many applications that depend on accurate location data to work. That’s the only way they can find the best sushi restaurant close to you, report your location to your favorite social media, or know the nearest theater with the movie you want to see. You get the idea.

Of course, these applications have logs. All of your computing devices pretty much log everything you do.

Second, many companies have this type of data. Many newer car models track everywhere the owner goes. Your credit card company, bank, and debit card provider knows everywhere you travel and everything you buy--unless you are one of the few who pay for everything in cash. Also, let’s not overlook the fact that mobile phone network providers have all of this data, and many of them hold it for unknown lengths of time.

And, it appears, phones based on the Android operating system do the same thing, essentially. The location information is stored in files named cache.cell and cache.wifi.

These are locally stored files, and if any data is sent to Apple--best I’ve been able to determine--the data is anonymized and used to build a location database of Wi-Fi hotspots.

And, the fact is, Apple has already responded to government inquiries about its location tracking abilities.

The fact that Apple has already answered these questions didn't stop Senator Al Franken from sending a letter to Steve Jobs, asking about "serious privacy concerns."

Franken wrote:

"I read with concern a recent report by security researchers that Apple's iOS 4 operating system is secretly compiling its customers' location data in a file stored on iPhones, 3G iPads, and every computer that users used to "sync" their devices."

And all of this over a locally stored database file, while real Fourth Amendment concerns, such as exactly what the state of Michigan is doing with their mobile phone forensic devices during traffic stops, doesn't get a quarter of the same outrage:

The Michigan State Police have a high-tech mobile forensics device that can be used to extract information from cell phones belonging to motorists stopped for minor traffic violations. The American Civil Liberties Union (ACLU) of Michigan last Wednesday demanded that state officials stop stonewalling freedom of information requests for information on the program.

Should Apple encrypt the files? Yes? Should the logs probably be cleared in a shorter period of time than a year? I think so. Is this as big of a deal as it's been made out to be? I don’t think so.

If this concerns you, encrypt your iPhone and encrypt your iPhone backups within iTunes.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.