A computer forensics expert says iOS data locations logs are neither new nor nefarious.
The claims are made in a long blog post by Alex Levinson, senior engineer for Katana Forensics, which develops Lantern, an iOS forensic analysis application. Levinson's post is a response to a presentation this week by Alasdair Allan and Peter Wardman at the O'Reilly Where 2.0 conference.
As reported yesterday, the two programmers presented details of an iOS 4.0 database file, usually unencrypted, created on the iPhone and then synced to a user's Mac. This file contains thousands of time-stamped latitude and longitude pairings, apparently based on cell tower triangulation calculations. The data is a very detailed track of where the iPhone (or iPad or iPod Touch) has been. The programmers created an open source application, called iPhone Tracker, that plots the data on a map, so the user can see the track of the device's locations.
In his own blog post, Wardman notes and links to a comment by another forensics researcher that this "consolidated.db" file will be familiar to forensics researchers, that is, to people like Levinson. But it was clearly new to Allan and Wardman, who were startled at how much location data the file contained. Wardman even acknowledged another attempt in the fall of 2010, by a French writer, to popularize a wider awareness of this iPhone data file.
Levinson argues that Apple is being "completely misrepresented" by the two men, and that the file is neither new nor secret. Levinson says he discovered and wrote about it in a research paper and book months ago.
Levinson baldly asserts that "Apple is not collecting this data." His disagreement with Allan and Wardman may be a matter of differing definitions. The two programmers assert the location data collection on the iOS device is "intentional," which seems hard to deny given the fact that all agree there is a database file that stores a great deal of exactly this kind of data, and, as Allan and Wardman point out, the file is preserved across multiple backups.
Levinson seems to define "intentional data collection" as "Apple pulls this information from your personal device over a network connection into its own servers." He says there's no evidence this is happening. Allan and Wardman say the same thing: no evidence.
Levinson expands on why this data is being collected at all. "Built-In applications such as Maps and Camera use this geolocational data to operate," he writes. "Apple provides an API for access to location awareness called Core Location." He quotes from Apple's description of this software library: "... You use the classes and protocols in this framework to configure and schedule the delivery of location and heading events. You can also use it to define geographic regions and monitor when the user crosses the boundaries of those regions."
Contrary to Allan and Wardman, Levinson says this file existed before iOS 4.0: it simply had a different name, and it was hard to access even for forensics specialists. What changed in version 4.0 was that Apple allowed programmers to do some limited multitasking in iOS.
With iOS 4.0, Levinson says, "Apps now have to use Apple's API to operate in the background. ... Because of these new APIs and the sandbox design of 3rd party applications, Apple had to move access to this [location] data."
"Users still have to approve location access to any application and have the ability to instantly turn off location services to applications inside the Settings menu on their device," he points out. But behind the scenes, the actual logging of the data continues, even though a given application may be barred from using it.
Finally, Levinson lays out in very detailed fashion his own research in this area, starting in 2010. One fruit of the research is a paper, "Third Party Application Forensics on Apple Mobile Devices," which Levinson co-authored and presented earlier in 2011. Among other things, it describes the consolidated.db file.
Levinson also contributed to the book "iOS Forensic Analysis for iPhone, iPad and iPod Touch," primarily authored by Sean Morrissey and published by Apress in December 2010.
John Cox covers wireless networking and mobile computing for Network World.
Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed