iOS 4.3.3 Arrives with Fix for "Secret" Location Database


Apple just released an update to its iOS operating system for iPads and iPhones. After the “scandal” around the discovery of a location database on the iPhone 4 and 3G-enabled iPads, Apple promised to fix this “bug” quickly.

Here are the changes according to Apple:

This update contains changes to the iOS crowd-sourced location database cache including:

* Reduces the size of the cache
* No longer backs the cache up to iTunes
* Deletes the cache entirely when Location Services is turned off

It doesn’t look as if there are any other new features or changes to Apple’s terms of service, but as you know, it’s always best to read through these documents before you agree to them…

10:45 am

Why Security Researcher Who Discovered iPhone Location Data Long Ago Almost Went Unnoticed


As more information about the “secret” location-data file on Apple’s iPhone 4s and iPad 3Gs becomes available, the story surrounding this discovery is becoming more about the people involved than about the location data itself. As it turns out, Alex Levinson, a student at the Rochester Institute of Technology, had discovered this file long ago in his research and in his work with the forensic firm Katana Forensics. Katana Forensics produces a tool called Lantern, which can extract this data and map it in Google Earth’s KMZ format. Levinson also presented his findings in an IEEE journal all the way back in 2007. So why did the blogosphere and mainstream press go crazy about this affair yesterday (including me), and why was Levinson, who emailed virtually all major publications about this yesterday afternoon Pacific Time, ignored by all but a few outlets (again: including me)?

Note: a lot of this is inside baseball about how the blog sausage is made. If that’s not of interest to you, here is the tl;dr: Levinson’s email to the press was flawed and his research was only available in academic publications.

Why Was Levinson Mostly Ignored?

Talking to Gigaom’s Bobbie Johnson, Levinson explained his findings in detail, but also made this observation:

“He adds that the press missed the story first time around, and now seems more focused on the horror of data storage than the reality (there, for example, is no evidence that the data is sent back to Apple at the moment).

‘I do blame the press somewhat for sensationalizing them without recourse,’ he says. ‘I emailed 20 of the top media outlets who covered this, linking them to my side — none of them replied, except a famous blogger who cursed me.’” (my emphasis)

To his point about missing the story the first time around: it’s a point well taken, but I should also note that his research was published in 2007 in the Hawaii International Conference for System Sciences 44 – not a publication most journalists and bloggers read at bedtime. He also published more about this in a book on iOS forensic analysis, but that, too, isn’t something even those of us who did a bit of research on this topic yesterday could have easily spotted. The sad reality is that neither the press nor the blogosphere was going to pick up on this story unless somebody made us aware of it. As far as I know, nobody did.

As to why he was ignored yesterday: Every day, press and bloggers get pitches from “experts” about various topics. The reality is, we ignore 99% of those (and no, it wasn’t me who cursed at him). There were a few problems with Levinson’s pitch that made it even easier to ignore:

a) He didn’t use bcc and cc’ed everybody on the list (a pet peeve of reporters and other cubicle dwellers alike). Given the amount of email flowing into most bloggers’ and reporters’ inboxes, emails like that immediately go to the bottom of the pile, especially after the second complaint about the missing bcc arrives. A rookie PR mistake.

b) None of the pertinent information (links to the old publication etc.) was in the email – just a link to a blog post and to a blog nobody had ever heard of. Also, statements like “You will want to read this” and “it would be in your best interest to review what I have to say” are something most of us read about 50 times a day and simply ignore.

The fact that I failed to see the value in Levinson’s pitch is obviously nothing to be proud of, but I thought you deserved a bit more of an explanation for why this story went mostly unnoticed the first time around and why Levinson’s voice was not heard until the news cycle was already over. I’m glad it’s being heard loud and clear now.

8:55 am

Your iPhone Keeps a Secret Log of Your Every Move


This is going to be a major PR nightmare for Apple. Security researchers Pete Warden and Alasdair Allan today announced that they have discovered that all iPhones and 3G-enabled iPads keep a log of your every move in an unencrypted file hidden inside the iOS filesystem. The file is backed up and restored every time you sync your phone with a desktop computer. According to the researchers, no other phone currently does this, and keeping this data on the phone has wide-reaching security and privacy implications. The researchers also believe that this is an intentional move on Apple’s part and not just the result of a temporary log file not being deleted properly.

If you have an iPhone and a Mac, you can download Pete Warden’s iPhoneTracker application to see what data your phone has gathered.

What’s the Problem?

There is something rather interesting about seeing this data, but it is also rather creepy at the same time. Currently, the mobile phone carriers do keep a log of your location data. That data, however, is kept (relatively) safe, and it takes a court order to get it. By contrast, because this data is backed up on your computer, whoever wants to know where you’ve been since you bought your iPhone 4 or iPad 3G can easily find out with Warden’s tool.

As the data is stored outside of the sandbox Apple gives regular applications on your iOS device, regular apps can’t access it, unless you have jailbroken your device.

It’s worth noting that none of your data is being transmitted to other devices or Apple’s servers.

How Good is the Data?

Looking at my own data, I noticed that Apple only seems to record your location when your cell phone connection is working. It did not record any data for trips through mountain passes without cell coverage, for example. Sometimes the data is also a bit off, as it seems to be geared more towards the location of cell towers than towards data gathered from the phone’s built-in GPS.

On the device, the data is second-by-second. The iPhoneTracker tool deliberately obscures the exact location, too, and only shows it on a grid-like view. If you access the raw files, though, you will see the exact locations and time stamps. Given that the code for the iPhoneTracker tool is open source, it’s only a matter of time before somebody writes an application that gives you easy access to the more granular data.
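The coarsening described above, written out as an added example: this is not iPhoneTracker’s code and not anything from Warden and Allan, just an illustration of how a viewer can reduce second-by-second points to per-grid-cell counts so a map can be drawn without exposing exact coordinates. It goes one step beyond the grid view the text mentions by also reducing timestamps to the day. The log lines and their comma-separated layout are constructed for the example; the page does not describe the real cache format.

```python
"""
Coarsen a location log into per-day, per-grid-cell visit counts.

Added example, not code from the original post or from the iPhoneTracker
project. The SAMPLE_LOG below is constructed data in an invented
"unix_timestamp,latitude,longitude" layout, not a real device file.
"""
import math
from collections import Counter
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400

# Constructed records: three points around one spot, two around another an
# hour later, and one back at the first spot the following day.
SAMPLE_LOG = """\
1303300000,37.33182,-122.03118
1303300005,37.33190,-122.03110
1303300010,37.33201,-122.03099
1303303600,37.78690,-122.40750
1303303605,37.78702,-122.40741
1303390000,37.33185,-122.03120
"""


def parse_log(text):
    """Parse the constructed CSV-like text into (timestamp, lat, lon) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, lat, lon = line.split(",")
        records.append((int(ts), float(lat), float(lon)))
    return records


def grid_index(lat, lon, cell_deg):
    """Integer (row, col) of the grid cell containing the point.

    Integer indices avoid floating-point drift that multiplying back by
    cell_deg would introduce; cell_bounds() converts back for display.
    """
    return math.floor(lat / cell_deg), math.floor(lon / cell_deg)


def day_index(ts):
    """Whole days since the Unix epoch (UTC); drops the time of day."""
    return ts // SECONDS_PER_DAY


def day_label(day):
    """ISO date for a day index, for labelling output."""
    return datetime.fromtimestamp(day * SECONDS_PER_DAY, tz=timezone.utc).date().isoformat()


def coarsen(records, cell_deg=0.01):
    """Count points per (day, row, col); exact coordinates never leave here."""
    counts = Counter()
    for ts, lat, lon in records:
        row, col = grid_index(lat, lon, cell_deg)
        counts[(day_index(ts), row, col)] += 1
    return counts


def cell_bounds(row, col, cell_deg):
    """(lat_min, lon_min, lat_max, lon_max) of a cell, rounded for display."""
    return (round(row * cell_deg, 6), round(col * cell_deg, 6),
            round((row + 1) * cell_deg, 6), round((col + 1) * cell_deg, 6))


if __name__ == "__main__":
    cell = 0.01  # roughly 1 km of latitude per cell
    for (day, row, col), n in sorted(coarsen(parse_log(SAMPLE_LOG), cell).items()):
        lat0, lon0, lat1, lon1 = cell_bounds(row, col, cell)
        print(f"{day_label(day)}  cell lat {lat0}..{lat1} lon {lon0}..{lon1}: {n} points")
```

Only the coarsened counts are what a viewer would draw; the raw tuples from `parse_log` stay in memory and are never written out, which is the design choice the text attributes to the tool. A cell size of 0.01 degrees is about a kilometre of latitude; a larger value hides more, a smaller one reveals more.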

In the video below, Warden and Allen discuss how they found this data:

7:45 am