iPhone secretly tracks owners: Researchers

iOS 4 logs up to 100 locations daily in unencrypted file on iPhone, iPad and syncing computers

A pair of researchers have found that Apple iPhones and iPads track users' locations and store the data in an unencrypted file on the devices and on owners' computers.

The data, which appears to have been collected starting with iOS 4, which Apple released last summer, is in a SQLite file on iPhones and iPads with 3G capability, said Pete Warden, the founder of Data Science Toolkit and a former Apple employee, and Alasdair Allan, a senior research fellow at the University of Exeter.

The same file, named "consolidated.db," is also stored in the iOS backups made by iTunes on the Mac or Windows PC used to synchronize the iPhone or iPad.

Stored in the file in clear text are locations' longitude and latitude, a timestamp and other information, including Wi-Fi networks in range of the device.

About 100 data points per day are logged to the file, said Warden and Allan in a video posted on the O'Reilly Radar blog.

"There can be tens of thousands of data points in this file," said the pair in the blog post.

The data may be hard to extract remotely from an iPhone or iPad, but not impossible, said Charlie Miller, a noted Mac and iPhone vulnerability researcher, and a four-time winner at the Pwn2Own hacking contest.

"The file is in the root's directory, so apps, including Safari, won't have access," said Miller. "That's still bad, though."

To view the location file on an iPhone remotely, an attacker would have to exploit a pair of vulnerabilities, one to hack Safari -- likely by duping the user into visiting a malicious site -- then another to gain access to the root directory, Miller said. That's possible, but unlikely for most criminals.

Instead, he said the biggest threat was if a person lost his or her iPhone, or it was seized by authorities. "If you lose it, or it's taken when you're crossing a border, say, then the data is accessible," said Miller.

Allan echoed Miller in the video. "If you lose your phone, then all your movements for the last year are on that phone, and can be taken off," said Allan.

Graham Cluley, a senior security senior technology consultant with U.K.-based security company Sophos, pointed out that the backup file on a PC or Mac also poses a risk. "If you're not around, someone else can access the information on your home or work computer," said Cluley.

Running Warden's and Allan's Mac app displays where an iPhone has been since it was upgraded to iOS 4. (Info displayed is from an iPhone owner living in New England.)

Warden and Allan have made it easy to do just that: They've created an application that extracts the data from a Mac, then displays the location history on a map.

It's unclear why iOS is collecting the data, but Warden and Allan speculated that it might have to do with a future feature that relies on location. "The fact that it's transferred across devices when you restore or migrate is evidence the data-gathering isn't accidental," they said.

According to Warden and Allan, there's no sign that the data is being transmitted to Apple, or leaving the iPhone, iPad or synchronizing computers.

"Don't panic," they urged. "There [is no] evidence to suggest this data is leaving your custody."

That's little consolation, said both Miller and Cluley.

"I just don't see any upside to this," said Miller, pointing out that people will trade off privacy for some obvious benefit. "This doesn't make my life easier, or the iPhone any cooler," said Miller.

Cluley concurred, and added that the news will likely shock many iPhone owners. "Most users would not expect their iPhones to be doing this," said Cluley, "and they'd have a right to be upset."

But Cluley wasn't ready to put on a conspiracy cap.

"I think things tend not to be conspiracies, but are more often cock-ups, accidents that happen," Cluley said. "It may be that one hand of Apple doesn't know what the other hand is doing."

Warden and Allan have published an FAQ about their iPhone data location findings, and the Mac OS X application that displays a device's location history, on the GitHub development repository.

"Why this data is stored and how Apple intends to use it -- or not -- are important questions that need to be explored," said Warden and Allen

Apple did not immediately reply to questions.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about privacy in Computerworld's Privacy Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleMobile Apps and ServicessecurityMacintoshprivacy

More about AppleBlackBerryMicrosoftO'ReillyReillySophosToolkitTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place