Updated 4/20/2011 9:47:53 PM ET

New security research has revealed that the iPhone and iPad 3G track and store the location data of their users, charting their every move in a hidden file on the device.

It's a finding that has some security experts up in arms, while others are left unsurprised at Apple's seemingly intrusive behavior.

Your iPhone knows exactly where you've been

Every time you sync your iPhone or iPad with your computer, the location data -- latitudinal and longitudinal coordinates and time stamps -- is stored in a file called "consolidated.db" on the device as well as on the computer, according to researchers Alasdair Allan and Pete Warden, who made their findings public at the Where 2.0 conference today (April 20) in Santa Clara, Calif.

"What makes this worse is that the file is unencrypted and unprotected, and it's on any machine you've synced with your iOS device," Allan, a senior research fellow at the University of Exeter, wrote. "It can be easily accessed on the device itself if it falls into the wrong hands."

The location log, however, is only stored on the device and the computer it's synced with -- meaning unless someone gets a hold of your iPhone, the "pretty detailed" running tab of your whereabouts is safe. The tracking began in June 2010 with Apple's iOS 4 update, but Allan and Warden don't believe Apple is collecting the data.

"Don't panic," Allan assured. "There's no immediate harm that would seem to come from this availability of this data. Nor is there evidence to suggest this data is leaving your custody. But why this data is stored and how Apple intends to use it -- or not -- are important questions that need to be explored."

Can your grandmother reconfigure a phone's encryption?

Although the logged location data cannot, at this point, be erased from the phone or computer, Allan wrote that the data can be encrypted: with the iPhone or iPad plugged into the computer, users can click on their device in iTunes and select "Encrypt iPhone Backup" under the "Options" tab.

It's a nice gesture, but it's too little, too late, according to Steve Santorelli, director of global outreach at Chicago-based Internet security research group Team Cymru.

"There’s no use having encryption and not turning it on by default," Santorelli told SecurityNewsDaily. "Having security systems incorporated into a product but requiring an end user to enable them is where consumer security was about 10 years ago.

"My grandmother knows how to use an iPhone but she doesn’t know how to reconfigure the encryption," he added.

Santorelli said he is "surprised that any personal identifiable info, especially something as sensitive as where you've been," is logged and stored without users' knowledge or consent.

"This is fundamental security 101 and it's also an ethical issue," Santorelli said.

If your location data is used, does it matter?

So there's a tally of everywhere you've been that's now stored -- though seemingly unharried -- on your iPhone or iPad.

"The potential uses of this data without end user permission, for marketing and nefarious, malicious purposes are very great," Santorelli said.

But just how dangerous is this?

All cellular carriers keep track of the whereabouts of each phone connecting to their networks; the records can be subpoenaed in both criminal and civil court cases.

According to George Smith, senior fellow at the security website, having a device that knows where you are is simply a part of what it means to stay connected in a world of targeted marketing and intrusive social networks.

"Location has monetizable value," Smith told SecurityNewsDaily. "Regional ads for goods and services, for example, can be tied directly to it."

Who else knows where you've been?

What other big-name companies besides Apple are in the game of knowing and using your location to their advantage?

"Facebook does this. Almost all the social networking sites, unless you're using an anonymizer, suck up your location if they can get it," Smith said.

That the iPhone and iPad store your location data isn't a development at all, Smith said.

"It's just more of the same thing everyone does if they can get away with it," Smith said.

© 2012 SecurityNewsDaily. All rights reserved

