A pair of programmers has discovered that iOS 4 devices are regularly recording their positions to hidden files, which reside on the devices and are transferred to any computer the devices are synced with during backup. Alasdair Allan and Pete Warden report for O’Reilly that while working on data visualization projects, they discovered a file “consolidated.db” that contains latitude-longitude coordinates along with a timestamp, and while the coordinates aren’t always accurate, they are rather detailed. According to the report, it appears that the location collection started with iOS 4, and thus the file could potentially contain tens of thousands of data points, or an entire year’s worth of movements.
The pair note that the file is unencrypted and unprotected, and have contacted Apple’s Product Security team, but have yet to hear back.
As noted in our forums, Apple appears to have moved away from Skyhook and to an internal location database/detection service as of iOS 4. Given that users of Wi-Fi-only iPads and iPod touches have reported an ability to fairly accurately determine their location in situations that would prove challenging for an actual Skyhook-based system—such as in a moving car, with no Internet access available—it appears likely that iOS 4 devices are relying on this internal database to provide users with approximate location data even when no such data would normally be available.
For those interested in seeing their own data, Allan and Warden have created a free Mac OS X application called iPhoneTracker that will automatically search the computer for any location files and display them on a timeline-enhanced map.
Update: The authors of the report have added a new section entitled “Who has access to this data?,” in which they state, “there’s no immediate harm that would seem to come from the availability of this data. Nor is there evidence to suggest this data is leaving your custody.
