Risk
4/22/2011
12:52 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

So What If iPhones Spy User Locations

The iPhone keeps track on its owner's whereabouts, but without that crucial location data, many services that help make the smartphone so popular wouldn't function.

There’s been a considerable amount of hullabaloo about how Apple's iPhone stores a record of the travels of its owner and on the system they use for synchronization. The data, according to Thomas Claburn’s story iPhone Software Tracks Location Of Users, is latitude and longitude coordinates and their corresponding timestamps. The data is stored in an unencrypted file on the computer and the iPhone.

I have a hard time getting worked up about this. First, location data is crucial for popular services such as “Find My iPhone,” and the many, many applications that depend on accurate location data to work. That’s the only way they can find the best sushi restaurant close to you, report your location to your favorite social media, or know the nearest theater with the movie you want to see. You get the idea.

Of course, these applications have logs. All of your computing devices pretty much log everything you do.

Second, many companies have this type of data. Many newer car models track everywhere the owner goes. Your credit card company, bank, and debit card provider knows everywhere you travel and everything you buy--unless you are one of the few who pay for everything in cash. Also, let’s not overlook the fact that mobile phone network providers have all of this data, and many of them hold it for unknown lengths of time.

And, it appears, phones based on the Android operating system do the same thing, essentially. The location information is stored in files named cache.cell and cache.wifi.

These are locally stored files, and if any data is sent to Apple--best I’ve been able to determine--the data is anonymized and used to build a location database of Wi-Fi hotspots.

And, the fact is, Apple has already responded to government inquiries about its location tracking abilities.

The fact that Apple has already answered these questions didn't stop Senator Al Franken from sending a letter to Steve Jobs, asking about "serious privacy concerns."

Franken wrote:

"I read with concern a recent report by security researchers that Apple's iOS 4 operating system is secretly compiling its customers' location data in a file stored on iPhones, 3G iPads, and every computer that users used to "sync" their devices."

And all of this over a locally stored database file, while real Fourth Amendment concerns, such as exactly what the state of Michigan is doing with their mobile phone forensic devices during traffic stops, doesn't get a quarter of the same outrage:

The Michigan State Police have a high-tech mobile forensics device that can be used to extract information from cell phones belonging to motorists stopped for minor traffic violations. The American Civil Liberties Union (ACLU) of Michigan last Wednesday demanded that state officials stop stonewalling freedom of information requests for information on the program.

Should Apple encrypt the files? Yes? Should the logs probably be cleared in a shorter period of time than a year? I think so. Is this as big of a deal as it's been made out to be? I don’t think so.

If this concerns you, encrypt your iPhone and encrypt your iPhone backups within iTunes.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8148
Published: 2015-01-26
The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.

CVE-2014-8157
Published: 2015-01-26
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.

CVE-2014-8158
Published: 2015-01-26
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.

CVE-2014-9571
Published: 2015-01-26
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

CVE-2014-9572
Published: 2015-01-26
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.