The internet was nearly broken in two this morning on the revelation from Pete Warden and Alasdair Allan that there has been a hidden file in iOS 4 that has been recording the locations of where your iPhone or iPad has been as you’ve been using it. They released an open-source application for the Mac that demonstrates the existence of this data and how easy it is to get to. Basically, the application scans your iOS device backup files and displays any location history graphically on a map.
If your reaction was anything like mine it may look something like this:
After all, isn’t this the stuff of Orwell’s 1984 and Skynet? How dare Apple have this data without my permission!
Well, if you think about it, you actually did give them permission when you agreed to Apple’s terms of service:
Apple and its partners and licensees may provide certain services through your iPhone that rely upon location information. To provide and improve these services, where available, Apple and its partners and licensees may transmit, collect, maintain, process and use your location data, including the real-time geographic location of your iPhone, and location search queries.
You know how everytime you want to use the GPS on your iPhone you have to press the “OK” to do it? That’s what’s being logged. What’s a little more disturbing is the fact that there’s also a log of where you’ve been based off of cellphone tower triangulation. (Yes, like how Chloe finds people on 24) This is location data gathering that is done without your permission. You can’t turn this off because it’s not based off of GPS — it’s based off of simply using any cellular services. You can, however, simply turn off your iPhone or iPad to prevent your location from being logged.
However, this isn’t as nefarious as it seems because it turns out that your wireless provider (AT&T/Verizon/etc.) have logs of all that stuff too. It’s just required a court order for someone to access that information. In fact, iPhone hacker Jonathan Zdziarski says that the iPhone has been logging this information for awhile now (even before iOS 4 was released)
Now, it’s still not extremely easy to access this information even if you know that this “hole” exists. You still have to get access to the person’s computer or iPhone. Having someone else’s computer and/or phone will be a huge privacy risk no matter what. Nevertheless, someone intent on exacting revenge on you will have an easier time finding your location history if that’s the kind of thing they’re looking for.
So what can you do to protect yourself? The first and easiest thing you can do is to simply check the box that says “encrypt iPhone backup” in iTunes. This will make it infinitely tougher to extract any sort of data off of the device’s backup file.
However, that leaves the actual device itself at risk and there’s not much you can do to encrypt the data on that. The good news is that someone will have to write some pretty involved and specific exploits to get at you. Malicious App Store apps will not be able to get at the file.
According to a security expert talking to Ars Technica:
“This file is only readable by root. That means that a rogue App Store app won’t be able to read it. Even a bad guy who hacks into your browser won’t be able to read it,” Miller told Ars. However, remote hackers can make use of two separate exploits—a code execution exploit and a privilege escalation exploit—which Miller points out have been available before in the form of jailbreakme.com (a tool that allowed users to jailbreak their devices through a Web page on the Internet).
The worst thing about this “fiasco” is simply that it increases the risk of your data to people who want to get at you. It’s a legitimate concern, but it isn’t devastating news. (Unless you are Tiger Woods and have a lot of locations that you want to hide from your wife and/or private investigators.)
Warden and Allen’s discovery essentially shows that Apple didn’t think things over completely when they decided to keep such a easily accessible location log on the device and computer backups. It’s going to end up being PR nightmare for Apple, but if any company has the chops to spin and control the issue — it’s Apple. Let’s just hope they plug this security risk quickly and give us a good reason for why this data was a) on the devices in the first place and b) why it is so easily accessible in iOS4.
In the meantime, just try not to do anything nefarious with your iPhone turned on.
Washington DC to New York from Alasdair Allan on Vimeo.
