iOS 4 stores a history of your whereabouts in an unencrypted file
By Ben Coxworth
April 20, 2011
If you own an iPhone or 3G iPad running iOS 4, then you might be interested in knowing that the device has been keeping a record of your travels in a hidden, unencrypted file. Users do not opt into using the service, the database is restored after backups, and it migrates onto other synced devices. While no one is necessarily accusing Big Brother Jobs of watching you, it is a curious feature, and one that could pose a security threat to some users.
As first reported this morning by tech bloggers Alasdair Allan and Pete Warden, the record consists of a list of latitude-longitude coordinates and time stamps, outlining where your device (and presumably you) has been. As it appears to have started with the introduction of iOS 4, there will currently be about a year's worth of travels within the file. The device's location is thought to be determined by cell-tower triangulation, and to be updated when the device is used or when it travels between cells.
The data is contained in a file labelled consolidated.db, which is unencrypted and accessible to anyone with access to your device – provided they know where to look. In an explanatory video on the O'Reilly tech blog, Allan and Warden state that users can address the problem by encrypting their backups through iTunes. The pair also offer an application that allows users to see the existing database on their own device.
There is currently no indication that the data is being sent to Apple, or any other parties. Phone companies already collect the same information, but it is inaccessible to outside parties without a court order. Applications such as Foursquare and MobileMe also track the device's location, but users must opt in to use them.
At the time of this posting, Apple's Product Security team has reportedly not responded to Allan and Warden's inquiries.
Update: Alex Levinson has published a blog post explaining, among other things, that this discovery is not new.