Location-based services are making the most of the GPS and A-GPS capabilities of modern smartphones. The secret of those who've been faking locations to win Foursquare check-ins and earn the Mayor badge using iPhones could be revealed any time. Two security researchers - Pete Warden, founder of Data Science Toolkit, and Alasdair Allan, Senior Research Fellow, University of Exeter - have discovered that the Apple iOS 4.x mobile operating system keeps a log of the user's location on the iPhone and iPad. Even if you haven't been using any of those location-based services, the device still keeps a secret log of your locations, along with timestamps, on the device itself.
Nothing sounds creepier than the fact that you are being watched, secretly. According to Warden and Allan, the iPhone and iPad keep a secret log file inside the iOS 4.x operating system with a log of the user's location - latitude and longitude coordinates along with a timestamp. According to both, the user's location log is stored in a file called consolidated.db, and the location logging started with the iOS 4.x update.
Allan wrote:
What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device. It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released.
As of now, neither is openly speaking about how the device keeps track of the location - using GPS or cell-based triangulation.
Security researcher Stefan Esser talked about Address Space Layout Randomization for jailbroken iPhones and brought to light that jailbroken iOS devices were more prone to remote exploits than non-jailbroken ones. As Allan mentioned, consolidated.db is unencrypted and unprotected, so any nefarious hacker could get a copy of that file to track the user's location.
Apple iOS 4.3.2 did come with some security updates, but as of now there's no word on whether the consolidated.db file is encrypted/protected or not. It's not clear whether Apple intends to store such data on the user's device.
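To check on your own synced machine whether a database file like this is stored unencrypted and how much history it exposes, the following added example (not code from Warden and Allan or from the original post) tests for the plain SQLite header and reports row counts and time span without printing any coordinates. The table name `SampleLocation` and its rows are constructed for the demo, and timestamps are assumed to be in seconds.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any unencrypted SQLite file
HINTS = ("latitude", "longitude", "timestamp")  # columns that mark a location log


def is_plaintext_sqlite(path):
    """True if the file starts with the standard SQLite header, i.e. is not encrypted."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def audit_location_tables(path):
    """Return {table: (timestamped_rows, span_days)} for tables with all HINTS columns."""
    report = {}
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never alter the file
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = {r[1].lower(): r[1] for r in con.execute(f'PRAGMA table_info("{table}")')}
            if all(h in cols for h in HINTS):
                ts = cols["timestamp"]
                count, lo, hi = con.execute(
                    f'SELECT COUNT("{ts}"), MIN("{ts}"), MAX("{ts}") FROM "{table}"').fetchone()
                # Span needs no epoch: only the difference in seconds (assumed unit) matters.
                report[table] = (count, (hi - lo) / 86400 if count else 0.0)
    finally:
        con.close()
    return report


def build_sample_db():
    """Constructed stand-in database; the table names and rows are made up for the demo."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE SampleLocation (Timestamp REAL, Latitude REAL, Longitude REAL)")
    rows = [(0.0, 50.7, -3.5), (86400.0 * 30, 51.5, -0.1), (86400.0 * 300, 37.8, -122.4)]
    con.executemany("INSERT INTO SampleLocation VALUES (?, ?, ?)", rows)
    con.execute("CREATE TABLE Unrelated (k TEXT, v TEXT)")  # must not be reported
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    sample = build_sample_db()
    print(is_plaintext_sqlite(sample), audit_location_tables(sample))
    os.remove(sample)
```

A file that fails the header check is either encrypted or not a SQLite database, so the audit function should only be run on files that pass it.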
It's not just Apple: Android by default keeps the Location API turned on whenever the device is booted. Those who wish to check can go to Settings > Applications > Services (common for most Android phones). There, you'll find Google's Map service active. The premise here is that the Android device supports A-GPS.
Take a look at the video where Warden and Allan talk about the iPhone's location logging.