Hacker News new | comments | show | ask | jobs | submit login
Android location service cache dumper. (github.com)
69 points by packetlss 2164 days ago | hide | past | web | 46 comments | favorite


It appears that unlike Apple, this isn't unlimited:

    // Cache sizes
    private static final int MAX_CELL_RECORDS = 50;
    private static final int MAX_WIFI_RECORDS = 200;
Edit: Seems like another very important difference is that the Android cache only keeps track of your last timestamp at a given tower. Even if this cache was unlimited it couldn't be used to plot someones position over time.

> Seems like another very important difference is that the Android cache only keeps track of your last timestamp at a given tower.

This is true of the iPhone cache as well. See http://news.ycombinator.com/item?id=2467895

You may be right but this user seemed to plot a graph with "most often" visited places: http://www.southbayriders.com/forums/showthread.php?t=108489...

The unlimited size of Apple's cache is probably just a mistake. It makes no sense to store it on the device for tracking purposes. I assume they log this info when the device requests the info from Skyhook (or whatever location provider they have now) anyway.

I can confirm that the Android cache.cell and cache.wifi lists are very limited. I just checked mine using your parse.py, and was only able to see 50/200 total records respectively. My cell data only went as far back as 13 days ago.

"The unlimited size of Apple's cache is probably just a mistake."

I think this is what concerns people most. This "mistake" has your triangulated location based on cell towers tracked for years and years, across multiple devices, when there really is no recognizable need to store/cache this much location data for this long. It seems, judging by the above linked source-code, that Android has it right on this one.

I ran the program and looked at my iPhone dump, and it is not that exact and I live in NYC. It truly appears to just tag position of towers. Where it shows the dots for me is not exact or even close positions most of the time, and even locations that I've never been to but the nearest tower I must've connected to.

Which is helpful for me since I've long suspected AT&T has a dearth of towers in my section of the UES, maybe I can get a microcell out of this, haha.

Apple's consolidated.db is not a "mistake". A mistake would not have gotten rewritten for iOS 4 when the database got converted from XML to SQLite and moved to user data.


Also iOS no longer uses Skyhook as of iOS 3.2. Plus Skyhook is for Wifi access point location data, not cell-tower location data. Apple uses its own database for that now which you consent to update with your location data. http://www.f-secure.com/weblog/archives/00002145.html

> A mistake would not have gotten rewritten for iOS 4 when the database got converted from XML to SQLite and moved to user data.

If they are using CoreData as the storage engine, it is possible they changed backends without ever looking at what was stored in it.

I'm guessing you knew that Android has a cache that rolls over prior to posting - were you just trying to stir up discussion/controversy with the misleading headline?

I did. The title wasn't meant to mislead though. More of a tongue-in-cheek remark. Hence having "tracks" in quotes. Personally I think the whole "OMG APPLE TRACKS US!!" thing going on is overblown.

Looking at it now I guess it can be seen as misleading. It wasn't my intention though.

edit: changed the title ..

     "OMG APPLE TRACKS US!!" thing going on is overblown
It isn't -- consumers should be aware that these services represent a net loss for their privacy on the long term.

If a device tells you that it is tracking you; eventually giving you the possibility of opting out, deleting all tracks of you on request, then it's fine by me. But otherwise it isn't, and this practice should really stop.

And here I was a couple of months ago, thinking about how cool / evil would be to make an app that tracks someone's route for spying purposes (like your girlfriend for example). Apparently iPhones give it away for free, no extra work required ;-)

Wow.. I didn't even think of this angle. Think of how many jealous boyfriend/girlfriends there are with complete access to their mate's iphone. :/

Not only jealous boyfriends -- give your employees iPhones, and they'll surely synchronize it at least once a month on your company's computers ;)

Phones with GPS incorporated can be mindbogglingly evil -- just think about the costs involved in hiring a private eye to track the daily route of someone, day after day, for a whole month. People don't do it because of the costs involved and because an incompetent can blow away his cover.

iPhones are equipped with GPS, and that data is there, waiting for you to retrieve it. You don't have to do anything special about it -- you just have to gain access to that iPhone somehow.

I'm not accusing Apple of anything, I really think it was just a minor slip-up on their part. But these things are dangerous ;)

Except, if the employee never uses any location services on the phone, none of the data is ever created/stored in the first place ... at that point you still have gained nothing.

The only records I have for example are from when I explicitly had Google Maps open, no other program on my iPhone has my permission to use the location based services, and as such it didn't track where I was going at all.

That's not really true... the iphone tracking happens regardless of location settings or applications.

The location controls do not affect it at all.

The latest entry in any of the tables on my phone (and I've been out of my usual locations for a while now) (CellLocation, WifiLocation) are from almost 4 days ago, which is the last time that I used Google Maps to get directions to chines buffet I was meeting a co-worker at.

If this was being tracked even when using non-location services wouldn't that be updated every time I pass by a new cell tower? Wouldn't it know about the trip I made with a co-worker to a town I've never been to before?

Can you point me where in the tables there is data (based on timestamps) that is updated more often and kept around?

You don't necessarily even need their phone, you could use your own phone as the tracking device and have the person willingly, but unwittingly deliver the data. Just "forget" your phone in their car before you suspect something and after a the suspected event, ask for it to be returned.

Knowing you've been in Göteborg, Sweden recently is one thing (or at least that's what the test data says), but location history going back the device's lifetime is another.

It makes no sense to store it on the device for tracking purposes.

It would make sense to store this information on a server, so why aren't they? Is it a mistake, or are there laws that preclude this? Maybe it's track now, figure out what to do with it later. The data is extremely valuable.

Isn't it possible to plot someone's position over time, no matter what phone you have? I mean the carriers know which towers you've connected to and when, they have all the info you need to track someone, even across multiple phones.

sure, but physical access to someone's phone is a lot easier than being a carrier.

It appears that you can also delete it by doing a "Clear Data" for the location service in Settings application list.

I don't understand the outrage on this-- your wireless carrier probably has an identical file somewhere as well. At least you have a copy of it.

My suggestion: for the next YC application, invent a way for people to sell this data back to marketeers. I'll sell my data for a lot less than what Apple's or AT&T are charging.

> your wireless carrier

and only your wireless carrier. Now anyone who you lend your phone to while you take a bite to eat can read your location data. Or Apple. Perhaps if it's not encrypted, and there's an iOS vulnerability, anyone could read the data. Not just your wireless carrier.

That's why this is a big deal. Why store this data? If it most be stored, why has no effort been put in to keeping it safe? Just because one company could read it before doesn't mean that it's okay others can too. We naturally assume (and rightly so) that our wireless carriers can and do track our every move. But we "trust" them; we sure as hell don't trust anyone else.

Edit: And it's even creepier that this was secret. It's not like we're getting mad at official Apple TOS or policy; they didn't tell us they were tracking our location and storing the data forever and ever. Fuck that, that's scary and unpleasant.

The FBI has my FBI file and only the FBI file. By this logic, I shouldn't FOIA for my FBI file because someone could break into my house and steal it.

Also, I carry a lot more sensitive information on my phone than the cellphone towers it talks to-- I suspect this is the same for most people. Anybody that's installed, say "Mint" on their iphone, has used the "email" application, or sent the occasional drunken SMS message probably has a lot more to worry about than the location data stored on their phone.

I guarantee you I protect the data on my phone a lot more than Apple does. Apple sells it. Here's an opportunity for me to sell it too.

the problem i have with this is given the recent michigan ruling saying police can dump, retain, and peruse data from a cell phone during a traffic stop, this gives access to far more data than should be possible without a warrant, without "physical possession of the phone" in the sense of actual seizure.

I don't think anyones concerned that it tracks you with cached data (47 entries in github example, date spread would imply ~ 1 month) -- the concern w/r/t apple is that there seems to be no limit to the amount of logging retained.

I won't get into paranoia mode, or conspiracy theories, _but_ I am fine with either phone being aware of my location, and even my recent movements (subject to disclosure) -- I am NOT fine with that log being undisclosed and perpetual

Except it's not tracking your location, it's tracking cell towers. I'm sure a lot of cell phones do this, to a different degree of "log length". The issue I have with a perpetual log of cell towers is not a privacy one, it's a space one (how long will the log be in a couple of years).

But hey, I'm not stopping anyone from hopping into the most recent episode of the iPhone hating bandwagon. It's what makes the internet go round (any hate bandwagon for that matter)

> Except it's not tracking your location, it's tracking cell towers.

That's true in the sense that mercury thermometers do not measure temperature -- they measure the height of a column of mercury.

And it'd be fine if I didn't track your location, but simply timing data you are receiving from a few GPS satellites?

Granted.. it is not tracking your fine location, but rather the location of the towers you connect to. Your location, however, is still reliable to within 200-1000m with triangulation.


during the cold war the secret police job was at least somehow interesting and romantic

now it's all about a pair of sql queries or regexps.

"You will need root access to the device to read this directory."

It's not even in the same realm.

Why? You need the user's iPhone or their computer in your physical possession to read the iOS location cache.

I thought normal users (who haven't rooted their phones) wouldn't have easy access to the root filesystem. I just looked on my phone (just by plugging it into my computer and putting it in filesystem mode), and looked, and I don't see the folder he's talking about.

Am I wrong? I'm not really sure about this.

Because I can grab your phone, plug it in and have all of your history. If you grabbed my phone running 2.3.3 on the Nexus S... it would be impossible to get to that data without going through the entire bootloader unlock process which is obviously invasive.

Imagine scenarios where people are reading your location data. Authorities, governments, espionage... all of them would be largely foiled due to the fact that root access is required and gaining that root access would leave trails.

Do I really have to explain the difference between data easily accessed via usb and data that is stored in protected areas of the rom on an Android device? Spot on with your comment voting there HN. Thanks as usual.

> Because I can grab your phone, plug it in and have all of your history

OK, but you've already got my phone!

Authorities and governments aren't foiled, they just got to AT&T and get the data from its source (where, incidentally, I can't have tampered with it).

As for espionage, I rather suspect the CIA and its foreign counterparts can figure out a way to root my phone quietly.

It's a cell phone. Much easier to misplace, lose, have fall out of your pocket, etc than any other computing device.

Again, it's not in the same realm considering that it's protected inside the ROM of the phone. Even if you HAD my Android phone, it's not game over. Please, go buy a Droid X, upgrade to the latest OTA rom for which there is no root exploit.

Then try to get into the (already very limited) timestamp/tower data on my phone. You won't be able to. That's my point. On the other hand, with your iPhone, like I said, "I've already got your phone" and it's game over for your location data.

How about just girlfriends, bosses, etc? Anyone with a usb cable and another mobile phone or laptop knows (roughly) exactly where you've been going for months.

As the owner and user of an Android phone, great, just great.

Let's ask the so-far unasked question: Why? Both Google and Apple built in location-caching. Seems mighty suggestive of something, maybe something like the color printer Mysterious Yellow Ink dots (http://www.instructables.com/id/Yellow-Dots-of-Mystery-Is-Yo...).

I'm assuming caching cell towers and wifi improves performance. An unlimted cache is a bad thing, a limited cache is a good thing.

I'd argue that is it neither, but is instead so that both Apple and Google can eventually offer localized and personalized marketing dependent on the area that your phone is reporting that you are in or have been in fairly frequently. An example would be giving you a discount code for that restaurant that you have passed by 4 times in the last 2 weeks at around dinner time. This is part of my theory about why apple is building the enormous data center in NC.

Do you have any evidence for this interpretation over the technical explanation offered? Why believe this hypothesis over any others?

There are already apps that do this -- check in at a location, get a special deal.

Meanwhile, it seems the location DB is basically just a bog-standard cache to speed up the AGPS. Can we stop flipping the fuck out now?

I may be wrong but looking at the code and example data it seems that the Android cache only keeps track of the latest time stamp at a given cell tower so it wouldn't know the frequency of visits in an area. This is definitely a possibility for the iOS cache but I can't imagine this would bode well for the privacy-conscious folks.

I agree, but at the end of the day anyone that is that concerned about their privacy and even remotely tech savvy will be able to find a way to opt out. A friend sent me the below article about a utility for jail broken phones that can be used to get rid of the tracking data. In regards to the Google data, does it appear to you that the latest timestamps are transmitted anywhere? The way Google rolls I would speculate that they would use timestamps and location with their amazing maps resources and cloud storage to independently store all of the metrics.


I wonder: do they pay to access the Skyhook API on a per-hit basis?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact