Security researchers have discovered that iOS devices have been saving the locations of users' devices at regular intervals, and storing them in an unencrypted, though hidden file. The data includes locations and time stamps, and is apparently intentional: the database is backed up, and restored across backups, and even onto a new device if a prior one is replaced.
The fact that it's backed up also means its stored on your computer via iTunes when it does a backup, means that for many, it's also on their computer in unencrypted form. A first step for any users of iDevices to take is to check the checkbox in iTunes that encrypts your backups. Based on the longevity of the data stored, the researchers, Pete Warden and Alasdair Allan, believe the data gathering to have begun in iOS 4.
Allan and Warden were to present their findings at the Where 2.0 conference in San Francisco on Wednesday. The file, "consolidated.db," contains latitude-longitude coordinates along with timestamps. It's unclear how the coordinates are generated, and the timing of the records appears erratic. Warden and Allan theorize that the updates are triggered by traveling between cells or device activity.
The researchers also checked other platforms. Warden said,
"Alasdair has looked for similar tracking code in [Google's] Android phones and couldn't find any. We haven't come across any instances of other phone manufacturers doing this."
Since the file is moved across devices and backed up and restore, the researchers believe there might be some still unreleased feature in mind:
"Apple might have new features in mind that require a history of your location, but that's our specualtion (sic). The fact that [the file] is transferred across [to a new iPhone or iPad] when you migrate is evidence that the data-gathering isn't accidental."
The data does not seem to be transmitted to Apple itself, but the fact that it is on stored on the phone means anyone with the means can look at it, if the phone is lost.
[In fact, the researchers provided a Mac OS X tool to examine your backups and look at the data (here)]
Most don't believe Apple is attempting to track users' info for malicious purposes. Rather, as Simon Davies, director of the pressure group Privacy International, said:
"The absence of notice to users or any control option can only stem from an ignorance about privacy at the design stage."
Davies also added,
"This is a worrying discovery. Location is one of the most sensitive elements in anyone's life – just think where people go in the evening. The existence of that data creates a real threat to privacy."
It's unclear, actually, if the disclosure of this stored location information was not made clear by Apple previously. In a letter to two Congressman dated July of last year, Apple discussed the location-based information they gathered.
Clearly, however, Apple didn't detail the fact that they were storing the information "in the clear" (unencrypted) or that it was backed up onto computers when an iDevice was synced. They also did not indicate that there (apparently) is no limit to the length of time such data is stored.
While this is obviously going to cause privacy concerns, Apple and other smartphone vendors all have provisions in their Terms of Service that allow for them to track users' locations. The issue in this case, really, is the "in the clear" nature of the data, as well as the fact that Apple didn't "really" tell anyone about the file.
In the following video, Allan and Warden discuss how the file was discovered and examine the data contained in the file.