About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search
Home » Industry Watch » The Technological


On Apple's exploding privacy scandal. By Mack Diesel.


[For background see here.] [To stop the spying see here.]

And the rabbit hole keeps getting deeper. Watch this.

Now read this.


'Today at Where 2.0 Pete Warden and I will announce the discovery that your iPhone, and your 3G iPad, is regularly recording the position of your device into a hidden file. Ever since iOS 4 arrived, your device has been storing a long list of locations and time stamps. We're not sure why Apple is gathering this data, but it's clearly intentional, as the database is being restored across backups, and even device migrations.'

Jobs is the new Schmidt? Maybe it's to make things a little more convenient for Ponch and Jon?

Michigan: Police Search Cell Phones During Traffic Stops

A US DOJ test of the CelleBrite UFED used by Michigan police found the device could grab all of the photos and video off of an iPhone within 1 1/2 minutes. The device works with 3000 different phone models and can even defeat password protections.

'Complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags', a CelleBrite brochure explains regarding the device's capabilities. 'The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps.'

UFED Physical Pro

Utilizing UFED's simple and field-proven user interface, a complete high-speed hex dump of the phone memory is delivered without the need of cumbersome PC drivers. Critical data such as user lock codes, and deleted information such as text messages, call history, pictures, and video are sorted and retrieved by Cellebrite's Physical Pro engine. The UFED Physical Pro also includes robust search tools for manual hex dump analysis, as well as an expert mode, which allows advanced capabilities for researchers.

Considering that Ponch and Jon can already do this legally in CA, it's a worrisome trend. Unfortunately, some Joe Six Packs can't rub two neurons together.

So what? Nobody can access the data unless they get a hold of your device, and if they manage to do that then they know your search history, email, cookies, etc...

Moral of the story is don't lose your phone.
 - Marvin Plummeridge

Mobile phones are lost all of the time, which is why any halfway decent smartphone has a remote wipe feature. But with governments starving for more paper funny money in their coffers, do you feel lucky the next time you get behind a steering wheel? What are you going to do when those red and blue lights are filling your rearview mirror?

Now it won't be hard to convict you in court for talking or texting behind the wheel. They'll have your location information, call history, and text history. Game over.

But why stop there? They'll have easy access to all of the people you associate with. I'm sure that if you're up to no good, this will be a gold mine for them... All without having to deal with those pesky warrants.

If Orwell were living today, what would he be thinking?

What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device. It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year since iOS 4 was released.

How reassuring. And we know how easy it is for rogue apps to slip past the Apple nannies.


What information is being recorded?

All iPhones appear to log your location to a file called 'consolidated.db'. This contains latitude-longitude coordinates along with a timestamp. The coordinates aren't always exact, but they are pretty detailed. There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there's typically around a year's worth of information at this point. Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself.

Yet more proof that you should expect no privacy whatsoever with a mobile, since your triangulation coordinates are being recorded when your GPS coordinates aren't. The carriers already have this information. If you use Latitude, Foursquare, or the like, they have that information too. Of course you volunteered to be tracked. But Apple? Storing all of this in an unencrypted database file locally? Without your knowledge or consent? Are they just trying to make it easier for Ponch, Jon, or some other jackboot from a three-letter agency?
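
To make the description of 'consolidated.db' concrete, here is an added example (not from the original post and not the researchers' iPhone Tracker code) that summarises how much location history a copy of the file holds. It assumes the table names CellLocation and WifiLocation, the columns Timestamp, Latitude and Longitude, and timestamps counted in seconds from 2001-01-01 UTC; the sample rows are constructed.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Assumption: Timestamp is seconds since 2001-01-01 UTC (Apple's reference date).
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Assumption: table and column names of the iOS 4 file; they are not given on this page.
TABLES = ("CellLocation", "WifiLocation")
COLS = ("COUNT(*), MIN(Timestamp), MAX(Timestamp), MIN(Latitude), "
        "MAX(Latitude), MIN(Longitude), MAX(Longitude)")

def summarize(db_path):
    """Return {table: summary, or None if the table is absent}."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # open read-only
    out = {}
    for table in TABLES:
        try:
            row = con.execute(f"SELECT {COLS} FROM {table}").fetchone()
        except sqlite3.OperationalError:  # no such table in this copy
            out[table] = None
            continue
        n, t0, t1, lat0, lat1, lon0, lon1 = row
        if n == 0:
            out[table] = {"rows": 0}
            continue
        out[table] = {
            "rows": n,
            "first": APPLE_EPOCH + timedelta(seconds=t0),
            "last": APPLE_EPOCH + timedelta(seconds=t1),
            "days": round((t1 - t0) / 86400, 1),  # span of stored history
            "bbox": (lat0, lon0, lat1, lon1),     # south, west, north, east
        }
    con.close()
    return out

def build_sample(path):
    """Write a constructed sample database (not data from a real device)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE CellLocation (Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT)")
    con.executemany("INSERT INTO CellLocation VALUES (?, ?, ?)", [
        (300000000.0, 51.50, -0.12), (300086400.0, 51.75, -1.25),
        (330000000.0, 52.20, 0.12)])
    con.commit()
    con.close()

if __name__ == "__main__":
    sample = tempfile.mkdtemp() + "/consolidated.db"
    build_sample(sample)
    print(summarize(sample))
```

Run it against a copy of the file taken from your own backup; a long span and a wide bounding box show how much of your movement history anyone holding that file can read.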

What are the implications of this location data?

The cell phone companies have always had this data, but it takes a court order to access it. Now this information is sitting in plain view, unprotected from the world. Beyond this, there is even more data that we have yet to look at in depth.

For example, in my own case I (Alasdair) discovered a list of hundreds of thousands of wireless access points that my iPhone has been in range of during the last year.

^^^ This.

The Guardian picked up the story.

iPhone keeps record of everywhere you go

Simon Davies, director of the pressure group Privacy International, said: 'This is a worrying discovery. Location is one of the most sensitive elements in anyone's life - just think where people go in the evening. The existence of that data creates a real threat to privacy. The absence of notice to users or any control option can only stem from an ignorance about privacy at the design stage'.

Again, having a mobile phone altogether is a threat to privacy. If you want to hide or vanish, you leave the phone at home. Not exactly anything new here. If you want to stay plugged into the matrix, however, you have to make that sacrifice. Let's not fool ourselves here.

With that said, I still would not want my location info readily accessible to some black hat or three-letter agency either.

Apple can legitimately claim that it has permission to collect the data: near the end of the 15,200-word terms and conditions for its iTunes program, used to synchronise with iPhones, iPods and iPads, is an 86-word paragraph about 'location-based services'.

It says that 'Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services'.

See what your iFad is recording.

iPhone Tracker

Of course I can't complete this post without linking to the reactions from the Maccies.


Will be interesting to see Apple's response to this. I don't necessarily mind the data being collected for things like find my iPhone and forensics but I'd like it to be very well secured.
 - talkingfuture

Of course you don't mind. Big Brother loves you.

For those freaking out, do they know that every GPS device records its position from the moment it is first turned on?

It is scary, but unfortunately it's quite common. In the best of cases (in the GPS world) the information is encrypted... But this only happens with a few GPS devices, usually those made for high-end auto brands (Porsche, BMW etc.). The majority of devices, on the other hand, record the information in plain text.
 - Torrijos

You fucking moron. GPS information from a vehicle isn't as valuable as a device which not only has GPS data, but personal contacts, call and texting history, personal files, cookies, passwords, browsing history, and so on. Above all, to leave location information in an unencrypted, unprotected file and make it ripe for picking by anything? Without the user's knowledge or consent - let alone an explanation by Cupertino as to why it's there in the first place? It's criminal.

It *is* private now. This information isn't broadcast anywhere but your own personal computer in the form of an encrypted backup file. The information won't go anywhere but with you and your property.

However, if your iPhone gets stolen, the GPS log is likely the least private thing you need to worry about. The thief will have access to your entire contact list, browsing history, etc.
 - mainstreetmark

Until Ponch and Jon get to it. Or you get subpoenaed.

If this is your biggest worry on people being able to track you...hmph.

Tinfoil hats are going to be all the rage here soon.
 - Warbrain

Yes, go right ahead and play with your farting apps. You have nothing to hide. I'm sure that you leave your curtains wide open at night too.

Apple can do no evil. Think different.

Stop the Spying

Here is how to stop the spying dead in its tracks. Of course the iFad must be jailbroken and you must have shell access.

$ sudo -s
# cd /System/Library/Frameworks/CoreLocation.framework/Support
# rm consolidated.db
# ln -s /dev/null consolidated.db
# exit

See Also
Rixstep/7: Apple Recipient of Not So Coveted Big Brother Award
Rixstep Industry Watch: Apple Recipient of Not So Coveted Big Brother Award

Copyright © Rixstep. All rights reserved.