Mobile Technology

iOS 4 stores a history of your whereabouts in an unencrypted file

iOS 4 stores a history of your...
It has been discovered that iPhones running iOS4 maintain a location-tracking database, that is stored in an unprotected, unencrypted file
It has been discovered that iPhones running iOS4 maintain a location-tracking database, that is stored in an unprotected, unencrypted file
View 1 Image
It has been discovered that iPhones running iOS4 maintain a location-tracking database, that is stored in an unprotected, unencrypted file
1/1
It has been discovered that iPhones running iOS4 maintain a location-tracking database, that is stored in an unprotected, unencrypted file

If you own an iPhone or 3G iPad running iOS4, then you might be interested in knowing that the device has been keeping a record of your travels in a hidden, unencrypted file. Users do not opt into using the service, the database is restored after backups, and it migrates onto other synced devices. While no one is necessarily accusing Big Brother Jobs of watching you, it is a curious feature, and one that could pose a security threat to some users.

As first reported this morning by tech bloggers Alasdair Allan and Pete Warden, the record consists of a list of latitude-longitude coordinates and time stamps, outlining where your device (and presumably you) has been. As it appears to have started with the introduction of iOS4, there will currently be about a year's worth of travels within the file. It is guessed that the device's location is determined by cell-tower triangulation, and is updated when the device is used, or by traveling between cells.

The data is contained in a file labelled consolidated.db, which is unencrypted and accessible to anyone with access to your device – provided they know where to look. In an explanatory video on the O'Reilly tech blog, Allan and Warden state that users can address the problem by encrypting their backups through iTunes. The pair also offer an application that allows users to see the existing database on their own device.

There is currently no indication that the data is being sent to Apple, or any other parties. Phone companies already collect the same information, but it is inaccessible to outside parties without a court order. Applications such as Foursquare and Mobile Me also track the device's location, but users must opt-in to use them.

At the time of this posting, Apple's Product Security team has reportedly not responded to Allan and Warden's inquiries.

Update: Alex Levinson has published a blog post explaining, among other things, that this discovery is not new.

2 comments
2 comments
foghorn
This is unacceptable. Who is big brother now Macintosh? I heard a good quip about this on facebook. \"It\'s not your phone, it\'s Steve\'s phone.\"
donmontalvo
No application is able to traverse memory space. So if you had the winning lotto ticket number on a text file in /opt/winning-lotto-ticket.txt on your iPhone4, no application will be able to access it.

What a crock....does Gizmag have nothing better to write about than a non-security-issue? Did you guys know there\'s a global conspiracy to prevent white iPhones from being distributed? Do you hear NCAA complaining? Let\'s see an article about that...

Nothing to see here. Move along.

Don Montalvo, TX