SECURITY RISK: Your iPhone and iPad are Tracking Everywhere You Go!

April 22, 2011

Data Scientists Alasdair Allan and Pete Warden have just released new research detailing how Apple is keeping track of your every move in an unencrypted file that resides on the computer you use for backing up your iPhone and iPad 3G.

While there’s no evidence this data is being transmitted to Apple, we strongly feel this is a security risk, as this tracking information is located in a file called location.db in your backup files and records every cell tower you’ve accessed.

Allan and Warden noticed that the first instance of location tracking started with the install of iOS 4 on both the iPhone and iPad, which was released almost a year ago. This means there’s nearly a year’s worth of locations stored in this consolidated.db file. This is thousands of data points!

See it for Yourself

If you’re interested in finding out where you’ve been for the last year, Allan and Warden have written a desktop app that you can download here. You’ll be presented with a graphical image and heat map of where you’ve been in the world. It’s quite interesting and scary at the same time.

The image you see above is what Apple has tracked on me around the D/FW area in Texas. It’s fairly accurate at displaying your local locations as well as the places you’ve visited.

All someone would need to do to use this information for the wrong purposes is gain access to your computer and open this application to find out where you’ve been. Hopefully everyone reading this has taken the proper precautions to protect their computer as well.

The good news, for those of you using different phones out there, is that Allan and Warden were not able to find anything similar on other platforms like Android. Update: Android phones are definitely at risk too.

What can I Do?

The first step is to encrypt your backups! By default, your iPhone backups are not encrypted. With your device plugged in to sync, click on the device and bring up the summary tab. Under options you’ll see a check box next to “Encrypt iPhone Backup.” Check it and set a password, which will force a backup that will now be encrypted.

We’d like to strongly encourage everyone out there to encrypt their backups, and not only because of the security risk discussed in this article: those backups also contain all your contacts, text messages and pretty much everything you do on your phone. The ability to store this data unencrypted is just ridiculous on Apple’s part.
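To confirm the setting actually took effect, you can check the backups already on disk. The script below is an added example, not from Allan and Warden or from this article; it assumes the usual iTunes layout on a Mac (one folder per device under `~/Library/Application Support/MobileSync/Backup`, each with a `Manifest.plist` carrying an `IsEncrypted` flag), and the folder names in `demo()` are constructed.

```python
import plistlib
import sys
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed default macOS location of iTunes backups (not stated in the article).
DEFAULT_BACKUP_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"


def audit_backups(root):
    """Return {backup_folder: status} for every backup folder under root.

    status is "encrypted", "UNENCRYPTED", or "unknown" (manifest missing or unreadable).
    """
    results = {}
    root = Path(root)
    if not root.is_dir():
        return results
    for backup in sorted(p for p in root.iterdir() if p.is_dir()):
        try:
            with (backup / "Manifest.plist").open("rb") as fh:
                manifest = plistlib.load(fh)
        except (OSError, ValueError, ExpatError):
            results[backup.name] = "unknown"
            continue
        # Assumption: a manifest without IsEncrypted set to true is unencrypted.
        flag = manifest.get("IsEncrypted") if isinstance(manifest, dict) else None
        results[backup.name] = "encrypted" if flag is True else "UNENCRYPTED"
    return results


def demo():
    """Audit three constructed backup folders built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {"constructed-backup-a": True, "constructed-backup-b": False}
        for name, encrypted in samples.items():
            (root / name).mkdir()
            with (root / name / "Manifest.plist").open("wb") as fh:
                plistlib.dump({"IsEncrypted": encrypted}, fh)
        (root / "constructed-backup-c").mkdir()  # folder with no manifest
        return audit_backups(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BACKUP_ROOT
    for name, status in audit_backups(target).items():
        print(f"{status:12} {name}")
```

Any folder reported as UNENCRYPTED predates the setting or belongs to a device that never had it enabled; older unencrypted backups stay readable on disk until they are replaced or deleted.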

Please also distribute this information to everyone you know that has an iPhone or iPad and help mitigate this security risk for all those you know!

Peter G.

This is a non-story-- not because the data is incomplete, inaccurate, and not being divulged to third parties-- but because location tracking data is also collected by all cellphone operators. It's far easier for government agencies, private investigators, stalkers, and idly curious employees to browse this information, and of course, this kind of tracking has been going on as long as cellphones have existed and it applies to all phones regardless of make or model.

Scott McNealy, a co-founder of Sun Microsystems, famously said "You have zero privacy anyway. Get over it." He was overstating the situation somewhat, but that's a good attitude to take. If anything you're doing can be detected by someone else, you'd better assume it's being recorded and distributed to people who are not on your side.

PPGMD

The linked story on Android isn't exactly accurate in that it isn't related to Apple's location database file on the device; that is talking about the data that is sent to Google to improve service. A feature that both of the other mobile OS companies have, and can be turned off.

Now OTOH Android does cache some location data on the device, depending on the source it can be the last 50-200 locations. It's a security risk, but not as big of one as the Apple database.

Gizmodo has a handy chart:

http://gizmodo.com/#!5794891/do-apple-google-and-microsoft-know-your-every-step-a-handy-chart

Steven

So I downloaded that desktop app so I could see for myself but I can't get it to work. Do I need a Mac to view it?

Blade Staker

Thanks for the info! Never gave it a thought and I have files for work on my iPhone that can't get out.

wrestlingnrj

I believe the file in question is actually called consolidated.db and it definitely should have been encrypted by default, but why Apple is actually storing this info is beyond me.

Ryan

I had the same issue; apparently the app is only for Mac OS.

Bryan Black

AWC, I'd read that article before writing mine. I agree that for some this is old news, but there are others more concerned about their privacy than I am. What I wrote stands, this is a security risk.

BCarter

I have to concur with Mr. Black. At what point this information necessitates collection and storage by Apple is beyond me - I have yet to sit and ponder "how great would it be if Apple could tell me everywhere I've been since I've purchased their phone." And while I would hate to be short-sighted - I doubt I ever will. If the question box is "would you like us (retailer/mfr) to store nearly every spot at which you've accessed a cell tower?", my check goes in the "no" box - in permanent ink.

Regarding security risk - it most certainly is. I'm not going to query each person's line of work, but suffice to say that some of us know good and well that a predictable route is a dangerous route, that bad people actually do exist in this world (and they're pretty smart, too), and we would rather stay on the safer side when it comes to ourselves and those we love. Am I going to get hysterical and toss my iPhone into the blender? No. Am I thankful this has been addressed and will now go take preventative measures? Yes.

YMMV,

BC

Buck

That’s more than sensible! That’s a great post!
