
IPhones and 3G iPads log your location in an unencrypted file on the device - petewarden
http://radar.oreilly.com/2011/04/apple-location-tracking.html
======
runjake
I didn't know this was news. I and other security researchers & law
enforcement have known about it for a while. I assisted in one court case
where the data was used as evidence.

I suspect the slick-looking iPhoneTracker app finally made it interesting to
the media.

Edit: There was a similar deal on iOS 3 but it seemed more like a bug, not a
feature. Data would be purged at some unpredictable interval. I can't recall
the file path and don't have an iOS 3 device handy.

~~~
PandaPacha
In deed nothing new. About a year ago a man discovered that his wife's iPhone
was sending about 75 Mb of data to Apple via wifi in early morning :
[https://discussions.apple.com/thread/2450738?threadID=245073...](https://discussions.apple.com/thread/2450738?threadID=2450738&start=0&tstart=0)
It turned out it was dumps of GPS data and other stuffs.

Apple acknowledged that to the House of Representatives. They're gathering
data about their customers, including GPS : [PDF]
<http://markey.house.gov/docs/applemarkeybarton7-12-10.pdf>

II / C / 1 / a. : "Second, to help Apple update and maintain its database with
known location information, Apple may also collect and transmit Cell Tower and
Wi-Fi Access Point Information automatically. With one exception, Apple
automatically collects this information only if the device’s location-based
service capabilities are toggled to “On” and the customer uses an application
requiring location-based infomiation. If both conditions are met, the device
intermittently and anonymously collects Cell Tower and Wi-Fi Access Point
Information from the cell towers and Wi-Fi access points that it can “see”,
along with the device’s GPS coordinates, if available. This information is
batched and then encrypted and transmitted to Apple over a Wi-Fi Internet
connection every twelve hours (or later if the device does not have Wi-Fi
Intemet access at that time)."

~~~
runjake
Good info, thanks.

It's important to note that the above use of "anonymous" is laughable in
context.

In order for that uploaded data to be useful by Apple, it needs to maintain
both the lat/long and wi-fi access point ethernet addresses & signal
strengths. This is pretty much a globally-unique identifier.

~~~
eridius
Identifier of what, though? The two data points you just described identify
the wireless network, not the iPhone. In fact, what you just described is
precisely the data required for obtaining a device location from the nearby
wireless networks, a la Skyhook.

------
petewarden
I'll be checking in here for technical questions. The github direct link is
<http://petewarden.github.com/iPhoneTracker/>

~~~
savrajsingh
Thanks for the app -- quite eye-opening. The data looks good, except there is
a bunch of data in Minnesota. I've never been to Minnesota! Any ideas?

<http://imgur.com/ORgYu>

EDIT: Data appears around the time I flew from NJ to Seattle -- perhaps my
phone was on in-flight and connecting to MN cell towers? Seems unlikely,
though, given the # of points.

~~~
jbrechtel
Also unlikely because if your phone had not been in the "off position" then
your plane would have undoubtedly crashed.

------
allwein
So after doing a quick analysis of the data on my iPhone, I've come to the
conclusion that this isn't a huge issue at all.

First, I'll start with the WiFi data (WifiLocation table): Among the
information captured is MAC, Timestamp, and Lat/Long. I have a total of
118,640 records in my table. I did a "SELECT DISTINCT MAC FROM WifiLocation",
and got... 118,640 records. This tells me that it's not "tracking my every
move" via Wifi location since there's a single entry for each MAC. The
question might be, is it updating the Timestamp when I'm near a specific Wifi
Network? My guess is no. I did the backup and analysis this morning, April
20th. Yet the last entries in my database are from April 16th. This tells me
that it's not an always on tracker and that it's not updating timestamps.

Next, I looked at the CallLocation table: The same thing held true with this
table. The last entry on my phone was from April 16th. Also, I have 6300
entries in my CellLocation table. I decided to start restricting the precision
of the Lat/Long to see if there were duplicates that would indicate
"tracking". At 5 decimal points, there were no duplicates. At 4 decimals,
there were a handful that had 2 dups. At 3 decimals, there were more dups,
with the most being 6. At this point I still had 5672 uniques. At 2 decimals,
the most had 89 and I had 2468 uniques. At 1 it really went down, obviously,
and I was down to 253 uniques. The other thing I noticed was that there was no
regular timing of entries, and that when there were entries, a large number of
them had the same timestamp.

So based on my analysis, this isn't a feature that enables detailed tracking
of a user. It will allow you to see if a user has been in a certain location
the first time, but that's the extent of it. For instance, I could see that I
made a trip to Washington DC in late October of last year. But you can't
really tell my movements around my home town with any amount of precision. My
assumption, like others, is that Apple is using this to enable easier use of
Location based services. I assume (which I'm going to test), that whenever a
user enables a Location Based app (Google Maps, FourSquare), iOS updates this
database with all local cell towers/wifi locations and the Latitude/Longitude.
The more comprehensive the local database is, the quicker/easier it is for
Location Based Services to help pinpoint a users location. Instead of waiting
for GPS to spin up and get a satellite lock, it will be able to get a more
accurate lock off of cell tower/wifi triangulation.

~~~
ugh
Location tracking on iOS devices without GPS (for example an iPod touch)
sometimes works without any internet connection (it nearly always works with
an internet connection – WLAN access points are used to determine the
approximate location), especially in urban environments (with a lot of WLAN
access points). I always figured that iOS devices download location info on
all the surrounding WLAN access points (maybe even those not in range – it
seemed like that in my tests) as soon as you use location services and are
connected to the internet.

This database could have something to do with that.

~~~
thought_alarm
Yes, when you use the location services in, say, a new city then your device
will download and cache the WiFi location data for a large radius around that
initial lookup the next time it has an internet connection. It's pretty cool,
actually.

That database isn't infinitely large, as unused location information will be
removed as new location data comes in.

~~~
andrewgleave
I seem to remember this being talked about at one last year's WWWDC sessions.

~~~
Maxious
I remember hearing this on reddit but the post is mirrored at
[http://www.volnation.com/forum/pub/127425-iphone-
bug-2.html#...](http://www.volnation.com/forum/pub/127425-iphone-
bug-2.html#post4924534)

'Look at the video for session 115, "Using Core Location in iOS". Skip to
around 13:45 for the discussion of "Course Cell Positioning" where they
discuss the cache in detail.'

------
desigooner
It might not be directly related but there was a news story on CNET [1]
yesterday about cops in Michigan using a device from Cellebrite to download
information from phones of people they stopped for violations that includes
contacts, phone logs, messages, photographs and location history.

Does Apple's decision of having such information stored on the phone
unencrypted make it easy for such devices? The device claims to subvert phone
passwords though.

[1]<http://news.cnet.com/8301-17938_105-20055431-1.html>

~~~
ImprovedSilence
I've actually used that device before. It's fairly common in law enforcement
and inteligence agencies, and it will take everything. Including
passwords/deleted info. There is no reason for using it on a traffic stop
though, that's just straight up invasion of privacy and would piss me off to
no end. It's use is (and should be) for the more criminal/forensic cases.

~~~
huhtenberg
I wonder if that device utilizes some form of "law enforcement backdoor API",
a phone analog of the "lawful intercept" in networking. Because frankly I
don't understand how else it could retrieve previously deleted data from the
phone.

~~~
nitrogen
If you look at apps like BitPim, you'll see there's a standard protocol that
many phones use for syncing. That protocol gives access to far more data than
you might expect. If you have USB Debugging enabled in Android, the level of
access is probably similar, and even if not, they can read your entire micro
SD card via USB mass storage. I don't know enough about Android syncing to say
whether it's possible to access contact data via USB when the phone is not in
debugging mode, or whether there's a way to activate mass storage mode or
Bluetooth transfers without unlocking the phone.

------
ceejayoz
> We're not sure why Apple is gathering this data, but it's clearly
> intentional, as the database is being restored across backups, and even
> device migrations.

My understanding is that _all_ data and files is persisted in that manner. Not
sure why they're implying this file has been singled out.

~~~
petewarden
The intention was to indicate that it's not just a temporary log file that's
not being deleted properly. Poorly expressed though, I agree.

------
awakeasleep
I wish this wasn't presented as sinister.

The fact is, that phone companies store all that data for EVERY cell phone,
and it's always available to government agencies and divorce attorneys after a
subpoena.

 _All this does is raise the common man's awareness_ , and possibly provides
an afternoon of fun looking at your travel history. If you want your iphone
data secret, it prompts you to encrypt your backups when you first plug the
phone in.

~~~
earl
No. Given eg the police in Michigan using devices to dump phone contents on a
regular basis [1], there is an _enormous_ difference between unencrypted data
on a device just sitting there and anything requiring a subpoena.

[1] <http://www.mobiledia.com/news/87523.html>

~~~
awakeasleep
Elsewhere in the threads you can see that device won't work with a password-
protected iPhone

------
tomkinstinch
For those with jailbroken iPhones and SSH, the data can be accessed or copied
directly. The information is stored in this file:
/private/var/root/Library/Caches/locationd/consolidated.db

The file can be viewed with any ol' SQLite browser, and the location
information is stored in the "CellLocation" table.

After using an iPhone 4 since release day, I have ~1400 entries.

~~~
xpaulbettsx
To make it work with Pete Warden's app, add this block to the bottom of
loadLocationDb, before the displayErrorAndQuit:

    
    
        if (!loadWorked) {
            loadWorked = [self tryToLoadLocationDB: @"/path/to/your/consolidated.db" forDevice: @"iPhone"];
        }

------
tlear
This is a perfect timing for promotion of Playbook and BB security. I am sure
RIM will miss the opportunity though.

~~~
foobarbazetc
And I'm sure Playbook has its own gaping security holes that no one will find
or care about because no one's going to buy it.

------
chadp
Someone should make an app for jailbroken phones to disable this location
logging (or delete it regularly).. many would likely pay for it!

~~~
ChuckMcM
Interesting idea, although I actually like just injecting noise (add say 500nm
to all of the co-ordinates or some such) which would basically corrupt the
database that this was being injected into.

On a more interesting note if you put '); droptable; into your file could you
delete the receiving database? A whole new vector for SQL injection hacks I
suspect.

~~~
calloc
According to <http://news.ycombinator.com/item?id=2467895> it is being used to
get a faster fix for Locations based applications, so doing that would remove
the ability for that work.

------
pgio
This was noted last September by C. Vance here:

<http://blog.csvance.com/?p=39>

Good detail on how and why it is generated.

------
ck2
BTW _all_ cellular devices are recorded as they move through tower locations
while they are on and police don't feel they need a warrant for such data, so
your location is pretty much available without that file.

~~~
anonymous246
Way to miss the point.

Earlier, entities recording: cell company. Earlier, entities with access:
police, cell company

Now, entities recording: cell company, Apple Now, entities with access:
police, cell company, anybody who temporarily gains access to my phone,
anybody who temporarily gains access to my iTunes computer

See, how the "attack surface" is dramatically bigger now?

~~~
ck2
Oh I am not saying this isn't a huge scandal.

I'm just saying keep in mind this info is also available to others without an
iphone.

------
serialx
Created a GPX file generator. Use it to convert the database into a GPX file
format. Open it up with Google Earth.

<https://github.com/serialx/iphonegpx>

~~~
rtheron
I'd love to use this data to geotag the photos I've taken on my digital camera
over the past year, so I've downloaded this script along with the
consolidated.db file into a directory, however, when I execute: python
iphonegpx i get the below error, could you provide some more detailed usage
instructions?: C:\Users\<xxxxx>\Desktop\serialx-iphonegpx-a124079\serialx-
iphonegpx-a124079>pyth on iphonegpx.py File "iphonegpx.py", line 24 <time>"""
+ data[0][0].isoformat() + """</time> ^ SyntaxError: invalid syntax

~~~
serialx
Maybe you are using Python 3?

make print statement to print() function.

------
justsee
The same community that would generally react very negatively to reports of a
company storing passwords unencrypted in a database seems to effortlessly
explain away Apple's approach to storing a significant amount of personal
tracking data unencrypted, not on one pretty inaccessible server but on
multiple easily-accessible devices. Fascinating.

------
cube13
Could this be related to the mobleMe "Find my iPhone" feature that Apple added
in 4.0?

If so, this is probably a non-story. I'd be interested if it still logs if
Location Services are off, too.

~~~
ugh
If it is, the database is seriously overengineered. Find my iPhone will not
let you access past locations, it seems to always only let you access freshly
requested location information.

Such sensitive data should not be saved without the user's explicit permission
if it's not needed for some purpose the user explicitly wants to use the
device for.

------
pieter
Of course, Apple would know your location most of the time anyway, whether or
not this file exists. You send the ID's of cell towers and wifi points to
Apple, which returns you the location of those points. Apple could always have
been storing your location based on that interaction alone.

In fact, keeping a database like this could actually give Apple LESS
information about your location, as you don't have to request a new location
if you already have the info of all the near ID's in your database. I'm not
sure if this actually happens though.

The same, of course, can be said for any Android device and Google's A-GPS
database; you have no guarantees that Google isn't logging your location
whenever you're using location services.

------
ljdk
In addition to cell tower and Wi-Fi hotspot locations iTunes keeps a backup of
all text messages and recent calls. A while ago I've even made a small web app
to chart it - <http://datalysed.com/?p=130>

------
nicklovescode
Apple is simply building a mandatory foursquare competitor, it's not a big
deal guys

------
yardie
I can sort of understand the outrage but I don't see the utility of it. Apps
that are written for the App store don't have access to this data without the
permission of the user. And the only way an app would be allowed access to a
file outside the sandbox is if its jailbroken.

I'm not familiar with the in and outs of iOS LocationManager but it generally
gives you the immediate coordinates at the time you request and nothing more.
As for why the database of locations? It's entirely possible they are using it
for QoS.

As for access to device backups. If someone has unauthorized control of your
desktop computer you have bigger problems.

~~~
crocowhile
They are collecting private information about a person and make them somehow
accessible.

I'll give you an example: now your technologically savvy and pathological
jealous partner can open that file on your phone while you are sleeping and
check where have you been in the past months, day by day.

Iphone users should be aware of that possibility.

EDIT: Actually, now that I looked at the software presented here, it doesn't
even require access to the phone, just to the computer. Your partner can do
this while you are at work.

~~~
edw
Yes, your partner can do this if you let him or her access to your computer's
account. Keep in mind that if you let your partner use your account, he or she
can also look at all your cookies, your browser history, and probably your
Facebook account and Gmail accounts.

If you don't trust your partner and want to rummage through his or her
computer—or if you worry about the prospect of your partner rummaging through
your computer—you may want to go to a couples' therapist.

~~~
crocowhile
>If you don't trust your partner and want to rummage through his or her
computer—or if you worry about the prospect of your partner rummaging through
your computer—you may want to go to a couples' therapist.

Thanks, I am fine. But you should know that a number of marriages do in fact
end badly in the real world and that a tool like this one can give evidence of
cheating and cost a lot of money in a divorce trial. Do I need to make any
more examples of why collection of private information is frequently a problem
in everyday life?

~~~
edw
Yes, evidence is a problem for people who do things that have legal or
economic consequences. Of course, actions often have moral and ethical
consequences even if they leave no evidence behind.

~~~
crocowhile
Are you suggesting that a privacy leak is a concern only for those who have
something to hide?

~~~
edw
No. Are you suggesting that Apple's _highest moral obligation_ is preventing
the collection of data that might conceivably expose their users' wrong-
doing—e.g. their betrayal of their spouse?

To be clear, the collection of the data is only a "problem" if it exposes you
as a liar. And it's not a "problem" for the person who was lied to; it's a
boon. And if you weren't cheating, well, showing your call or location logs
might be a way of saying, "Look, I have nothing to hide."

Privacy vs. disclosure of data is a complicated issue. It involves issues of
personal autonomy as well as trust. Do you give up some autonomy because you
know that people know what you're doing at any moment? Of course. But there is
often a pay-off to doing so: people actually trust you.

Life is complicated, and you can't down-vote moral complexity out of life, no
matter how high your karma is.

~~~
burgerbrain
_"collection of data that might conceivably expose their users' wrong-doing"_

So to answer his question honestly: Yes, you are implying exactly that.

~~~
edw
No, I am not. I wrote, "Life is complicated."

Turn the issue around: how would you feel if Apple bent over backwards to help
your partner fuck other people behind your back and leave no trace?

I don't know why I'm bothering to write this, because you seem resistant to
the concept of moral subtlety, but I will anyway: Studies have been done that
show that morally equivalent choices can be posed in ways that lead to people
using different moral heuristics for making decisions and reliably making
different choices.

People move through the world and leave traces of that movement. Where should
device makers stand on the continuum between recording everything and
distributing it to everyone and recording nothing (and erasing everything it
possibly can) and making sure that no information about a user's actions can
leak out.

Do you understand that this is not a binary choice? Do you understand that
there are outcomes that you and I can agree to call good or bad that can
result from making a decision anywhere along this continuum? Do you understand
that there is no easy solution? Do you get it?

~~~
5l
There is an easy solution. Apple has no business making moral judgements about
my right to privacy. They should do everything in their power to protect it
unless some lawful authority says otherwise in the course of a criminal
investigation.

In such an investigation, your location history could be obtained from the
mobile provider. Therefore this additional data could only possibly be of use
to people who have no right to it in the first place.

So to phrase it in your language; yes, Apple's highest moral obligation is
preventing the collection of unnecessary data about me, and indeed to tell me
what it is collecting, why, and to whom it will be disclosed. In fact, where I
live, all these principles are enshrined in a law called the Data Protection
Act.

In the UK and the wider EU at least, Apple could be in a considerable amount
of trouble for collecting this data.

Edit x2: grammar.

------
jstn
Whether or not this is true, Apple should add something like File Vault to
iOS. Encrypting your backups is redundant if you're already encrypting your
whole home directory, but none of that matters if they have access to your
unencrypted phone. Check out the police downloader devices the ACLU is
investigating: [http://www.aclumich.org/issues/privacy-and-
technology/2011-0...](http://www.aclumich.org/issues/privacy-and-
technology/2011-04/1542)

~~~
hexley
Everything on the iPhone (from 3GS forward) is already encrypted afaik. That's
how remote wipe works instantly (by just deleting the encryption keys)

~~~
r00fus
This is incorrect. Device encryption on 3GS and later devices are only for 1)
Apps that implement Apple's device encryption API (ie, stashPro now has this)
2) If you have a strong password set and 3) Unless you have a device released
with iOS4.x, you will need to wipe, then restore it with the flag turned on

[http://www.tipb.com/2011/03/18/daily-tip-enable-data-
protect...](http://www.tipb.com/2011/03/18/daily-tip-enable-data-protection-
iphone-ipad/)

------
zenocon
About 6 months ago, I left an ipad on a plane. Unsurprisingly, all my attempts
to recover it led to dead ends. I didn't have the mobileme / findmyiphone app
installed on it. I understand privacy concerns, but I'd actually like it if
Apple did have a copy of this db, and they allowed me to proxy through them /
law enforcement so that I could locate this lost device. I know someone has it
b/c I can see they were using my Netflix account.

~~~
minalecs
I think you're looking for something more like prey :
<http://preyproject.com/>

------
aj700
Okay, but do the devices do this if 'Location Services' are turned off.

And I assume Cydia will now get an app that forces them off if the os ignores
the setting.

------
mirkules
Funny, I had to go to a location without internet access, but where I
periodically have to "mark" where I am so I can reference it later. I was
about to write my own app for this purpose when I saw this post. To boot, I
had my iPhone on me the last few days anyway, so this will definitely come in
handy.

Despite the utility I got out of this, I wish we would be told about it...

------
plainOldText
I can imagine a jealous spouse saying now to the other "i love you so much
honey and from now on i will do your iphone backups. Just to make sure
everything is safe for you" Then the jealous spouse downloads the iphone
tracker visualization tool: "So honey, where were you last night? Really ?
Dont you dare lie to me" :)

------
acrum
The simple solution is select encrypt backups in your iTunes options. If my
computer or phone got stolen, I'd have more important things to worry about
than whether the thief can find a list of locations I've been. It's
fun/interesting to see it mapped out though.

~~~
travisp
You may not worry about this, but others might (and I can think of scenarios
where this would be a very bad thing), and it certainly isn't apparent to most
people that if your phone gets stolen, the thief has access to your location
history.

~~~
acrum
Well, it probably wasn't apparent to many (or any) thieves either, but it is
now.

Anyway, of course I'd agree it's worth fixing on Apple's part. In the
meantime... hold onto your phones, I guess?

~~~
edw
Yes, good point. Note to self: don't accidentally lose phone.

------
edw
Does no one else agree with me that this is awesome? I love being able to
visualize my comings and goings. It's the story of the last year or so of my
life, in colored dots.

I hope Apple doesn't respond to the "outrage" by no longer collecting this
data. To a first order approximation, I am with Scott McNealy over in the
"Privacy?! Get over it" camp:

<http://www.wired.com/politics/law/news/1999/01/17538>

As an aside, can real outrage even exist anymore in this age of the easy forum
post or re-tweet or tumblr entry or Facebook post? And if it does, how do you
identify it? And if you can identify it, what does it mean?

~~~
flipbrad
if the feature was opt-in it might, conceivably, be called awesome. But not
being told that my iDevice will log my every move _and_ leave this data open
to the next johnny-come-lately to get his hands on my device? Terribly uncool.
Logging should be a setting, or better, an app. Not a hidden, no opt-out
feature imposed on over a hundred million iDevice owners.

~~~
calloc
Set up a passcode, now they can't access the data on your phone unless they
have the passcode, or your iTunes plist file ...

------
templaedhel
From what I understand, at least with google, this data (the data sent
anonymously) is used amoung other things, for the maps traffic feature. If a
fair number of phones are traveling below the speed limit on a road, it can be
assumed that the traffic is bad on that road. Not sure if the apple data is
used for that, or if they get the traffic data from google, but it is one
legitimate use.

------
Limes102
When I read this I simply had to try it out for myself and quickly plot the
data. It's a nice reminder of the places I have been over the past year.

I don't mind that Apple have saved the information on the device, what I mind
is that they haven't given us an option to clear the logs or to actually
visualise the data directly from the phone.

------
polar
Not news at all to someone in the digital forensic community:
[https://alexlevinson.wordpress.com/2011/04/21/3-major-
issues...](https://alexlevinson.wordpress.com/2011/04/21/3-major-issues-with-
the-latest-iphone-tracking-discovery/)

------
xsmasher
I assume Apple collects this data to pass back to skyhook so they can update
their database of wifi-to-geolocation data. Must be nice to have millions of
sensors roaming around collecting data for you.

~~~
thought_alarm
Other way around. It's a cache for CoreLocation, and the location data comes
from Skyhook.

~~~
xsmasher
Interesting - Apple's filing says they dropped skyhook in 3.2 and switched to
their own database... using this data.

[http://arstechnica.com/apple/news/2010/07/apple-responds-
to-...](http://arstechnica.com/apple/news/2010/07/apple-responds-to-congress-
swears-location-data-is-private.ars)

------
dgulino
A workaround for hacked iOS devices:

[http://technicalmusings.blogspot.com/2011/04/ios-
consolidate...](http://technicalmusings.blogspot.com/2011/04/ios-
consolidateddb-workaround-for.html)

------
kovar
Apple license agreement covering the collection of location data -
<http://pastebin.com/EdFJr6iU>

------
ramynassar
This has been happening for a long time, has it not?

------
sambeau
If you have a 3G device the cell towers already know this and the data is
already tracked. So what is new here?

~~~
rdouble
The data is in an unencrypted file on your device and synced computer, instead
of in a database at AT&T.

------
jawngee
Jailbreak + cron + rm

~~~
jschrf
Best be cronning every minute or so, because unfortunately you can't rm on
Apple's servers.

------
gpambrozio
Apple has been known to collect this information for a while now [1] but
storing all this information in a database should not be required for this.

If you tuink about how much information you have on your phone, if somebody
has access to it or to your backups, I think your locstion history is the
least of your problems. But I do agree that it should not store this
information, encrypted or not...

[1] <http://news.cnet.com/8301-31021_3-20010948-260.html>

------
BigZaphod
If the man really wants your location, he can just ask the phone company.

~~~
jeffreyg
'the man' could always get that info, sure. but now, anyone with access to
your phone or computer can.

~~~
trotsky
Including anyone that hacks into either, and they wouldn't even have to
install anything suspicious to do location tracking or even have compromised
your phone during the period they were interested in.

------
uptown
All of this from a device which prevents you from ever removing its battery.

