Wednesday, April 20, 2011
Your iPhone Knows Where You've Been; Others Can, Too
Snoops can discover where you've been by reading a secret file stored on Apple's iPhone and synchronized to a computer by iTunes. At the Where 2.0 conference, researcher Pete Warden said the secret iPhone file is easily readable. The secret iPhone file came to light despite Apple's rule that app developers must get users' OK to collect location data.
Your iPhone knows where you've been. That hitherto-unknown feature of the popular smartphone came to light this week as security researchers announced the discovery of a secret file on the device that stores the information.
That data includes the latitude and longitude coordinates of the phone, accompanied by a time stamp. This tracking mechanism, reported at the Where 2.0 conference in San Francisco on Wednesday, apparently began with iOS 4.
Mapping the Data
Pete Warden, one of the researchers presenting the finding, told news media that Apple "has made it possible for almost anybody" who could get access to your smartphone or computer to find out where you've been. The location/time stamp file is copied onto a computer when the smartphone is synchronized with iTunes.
The researchers said locations are apparently not found through GPS, but through triangulation against the nearest cell-phone towers. This is less accurate than GPS, but consumes less power. Some observers have suggested that the log also uses Wi-Fi location data.
The researchers investigated whether such a tracking and recording function was similarly present in Android phones, but reported they couldn't find any such ability in phones for that platform.
Warden and fellow researcher Alasdair Allan created an open-source application that maps the location information from the iPhone file, allowing a user to visually follow his or her movements over a period of time. They said the app doesn't communicate this data to anyone.
The application is available at http://petewarden.github.com/iPhoneTracker/. At that location, the researchers provide the steps for a user to view the information in the file, which they said is located on a computer in a folder inside /Users/Library/Application Support/MobileSync/Backups/.
They noted that, if users choose to encrypt backups, others will be prevented from viewing the data on the computer.
'Data-Gathering Isn't Accidental'
Warden and Allan said it's "unclear" why Apple is collecting this information, although they speculated the company may have new features in development that could utilize a history of the user's locations. They added that the duplication of the file across devices "is evidence the data-gathering isn't accidental," and there's currently no evidence the data is stored or transmitted elsewhere.
They said the problems with this data collection are that it's stored in an easily readable form, and that Apple is collecting the information at all. They noted that similar data is collected by cell-phone providers as operational data, but "it's kept behind a firewall" and requires a court order to be seen.
By making this file easily available, the researchers pointed out, Apple is making it easy for, say, an investigator or a jealous spouse to obtain your location history. Interestingly, Apple touted location privacy during iOS 4's launch last year, including a requirement that location-aware apps obtain user permission before obtaining location data.