Free Republic
General/Chat

3 Major Issues with the Latest iPhone Tracking “Discovery”
Alex Levinson Security Blog | April 21, 2011 | Alex Levinson

Posted on 04/21/2011 11:47:24 PM PDT by Swordmaker

Today, two researchers for O’Reilly media published an article claiming discovery of a hidden tracking system on the iOS 4 operating system. Using simple techniques, Alasdair Allan and Pete Warden extracted data off of an iOS version 4 device and wrote an open source software utility to effectively graph this data onto a map. As a fellow researcher, I champion their creativity and their development. As an expert in this field, I have three points of argument to raise.

1) Apple is not collecting this data.

And to suggest otherwise is completely misrepresenting Apple. I quote:

Apple is gathering this data, but it’s clearly intentional, as the database is being restored across backups, and even device migrations.

Apple is not harvesting this data from your device. This is data on the device that you as the customer purchased and unless they can show concrete evidence supporting this claim – network traffic analysis of connections to Apple servers – I rebut this claim in full. Through my research in this field and all traffic analysis I have performed, not once have I seen this data traverse a network. As rich of data as this might be, it’s actually illegal under California state law:

(a) No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person.

I don’t think that’s a legal battle Apple wants to face considering the sale of over 100 million iDevices worldwide. That raises the question – how is this data used? It’s used all the time by software running on the phone. Built-In applications such as Maps and Camera use this geolocational data to operate. Apple provides an API for access to location awareness called Core Location. Here is Apple’s description of this software library:

The Core Location framework lets you determine the current location or heading associated with a device. The framework uses the available hardware to determine the user’s position and heading. You use the classes and protocols in this framework to configure and schedule the delivery of location and heading events. You can also use it to define geographic regions and monitor when the user crosses the boundaries of those regions.

Seems pretty clear. So now the question becomes why did this “hidden” file secretly appear in iOS 4?

2) This hidden file is neither new nor secret.

It’s just moved. Location services have been available to the Apple device for some time. Understand what this file is – a log generated by the various radios and sensors located within the device. This file is utilized by several operations on the device that actually is what makes this device pretty “smart”. This file existed in a different form prior to iOS 4, but not in the form it is today.

Currently, consolidated.db lies within the “User Data Partition” on the device. This is a logical filesystem that maintains non-system level privileges and where most of the data is stored. When you perform an iOS Backup through iTunes, it is backing up this partition. Prior to iOS 4, a file called h-cells.plist actually existed in the /root/Library/caches/locationd folder, but with hidden access from other software and applications. h-cells.plist contained much of the same information regarding baseband radio locations as consolidated.db does now, but in Apple Property List format rather than sqlite3. Through my work with various law enforcement agencies, we’ve used h-cells.plist on devices older than iOS 4 to harvest geolocational evidence from iOS devices.

So let’s recap.

h-cells.plist = Pre iOS 4 / Radio Logs including Geolocational Data / Hidden from Forensic Extraction (usually)

consolidated.db = iOS 4+ / Radio logs including geolocational Data / Easily acquired through simple forensic techniques

The change comes with a feature introduced in iOS 4 – Multitasking and Background Location Services. Apps now have to use Apple’s API to operate in the background – remember, this is not pure unix we’re dealing with – it is only a logical multitasking through Apple’s API. Because of these new APIs and the sandbox design of 3rd party applications, Apple had to move access to this data. Either way, it is not secret, malicious, or hidden. Users still have to approve location access to any application and have the ability to instantly turn off location services to applications inside the Settings menu on their device. That does not stop the generation of these logs, however, it simply prevents applications from utilizing the APIs to access the data.

3) This “discovery” was published months ago.

I understand that Mr. Allan and Mr. Warden are valued researchers for O’Reilly, but they have completely missed the boat on this one. In the spirit of academia, due diligence is a must to determine who else has done such research. Mr. Allan, Mr. Warden, and O’Reilly have overlooked and failed to cite an entire area of research that has already been done on this subject and claimed full authorship of it. Let’s break down my history:

Back in 2010 when the iPad first came out, I did a research project at the Rochester Institute of Technology on Apple forensics. Professor Bill Stackpole of the Networking, Security, & Systems Administration Department was teaching a computer forensics course and pitched the idea of doing forensic analysis on my recently acquired iPad. We purchased a few utilities and began studying the various components of Apple mobile devices. We discovered three things:

After presenting that project to Professor Stackpole’s forensic class, I began work last summer with Sean Morrissey, managing director of Katana Forensics on its iOS Forensic Software utility, Lantern. While developing with Sean, I continued to work with Professor Stackpole on an academic paper outlining our findings in the Apple Forensic field. This paper was accepted for publication into the Hawaii International Conference for System Sciences 44 and is now an IEEE Publication. I presented on it in January in Hawaii and during my presentation discussed consolidated.db and its contents with my audience – my paper was written prior to iOS 4 coming out, but my presentation was updated to include iOS 4 artifacts.

Throughout the summer, I worked extensively with Sean on both developing Lantern and writing custom software to interpret forensic data for customers of ours who needed better ways of searching for and interpreting data.

When the iPhone 4 came out, I was one of the first people in San Francisco to grab one (yes I waited to be in the front of that awful line).

Me in Line for the iPhone 4 in San Francisco

( Look for the RIT shirt )

Within 24 hours of the iPhone 4’s release, we had updated Lantern to support forensic analysis of iOS 4.0 devices. Within 36 hours, we had begun writing code to investigate consolidated.db. Once a jailbreak came out for iOS 4, I wrote a small proof of concept application to harvest the contents of consolidated.db and feed it to a server for remote location tracking.

Ever since then, location artifacts have been a main area of interest for me. I’m now the Lead Engineer for Katana Forensics leading all technical research and development of both Lantern and private utilities. I travelled to Salt Lake City, UT in November for the Paraben Forensics Innovation Conference (PFIC) and presented with Sean on iOS Forensics including the content of consolidated.db. At that same conference, Sean and I announced the development of Lantern 2.0 which would fully support the interrogation of consolidated.db and other geolocational artifacts scattered throughout the device.

Sean and I even wrote a book detailing iOS forensics involving iOS 4 devices that came out on December 5th, 2010.

Sean Morrissey, Primary Author, Alex Levinson, Contributor

In the course of writing Chapter 10 – Network Forensics – I fully explain and detail the examination of consolidated.db and other network artifacts within the device!

Page 335 - Continued on page 336.

In February of 2011, Sean and I previewed Lantern 2.0 at the DoD Cyber Crimes Conference in Washington, DC including our geolocational features. Lantern 2.0 has been on the market for months now and performs the same functionality Mr. Warden’s utility does and much more. We correlate geolocational data embedded in images and third-party applications. We give you a geolocational timeline of events in list view showing much more than baseband logs within consolidated.db.

While forensics isn’t in the forefront of technology headlines these days, that doesn’t mean critical research isn’t being done surrounding areas such as mobile devices. I have no problem with what Mr. Warden and Mr. Allan have created or presented on, but I do take issue with them making erroneous claims and not citing previously published work. I’m all for creative development and research, as long as it’s honest.



TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; franken; iphone; markey; tracking
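
An added example, not code from the article, from Lantern or from the O'Reilly utility: a read-only summary of what a consolidated.db copy taken from an iTunes backup holds, showing the record count, the time span covered and which towers appear at more than one time. The `CellLocation` table, its column names and the Mac absolute time timestamp format are assumptions not stated on this page, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: timestamps are Mac absolute time (seconds since 2001-01-01 UTC).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_to_utc(ts):
    return MAC_EPOCH + timedelta(seconds=ts)

def build_sample_db():
    """Constructed stand-in for consolidated.db; the schema is an assumption."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, "
        "CI INTEGER, Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, "
        "HorizontalAccuracy FLOAT)"
    )
    rows = [  # constructed sample rows, not real device data
        (310, 410, 56975, 1001, 324000000.0, 37.7749, -122.4194, 500.0),
        (310, 410, 56975, 1002, 324000000.0, 37.7793, -122.4193, 500.0),
        (310, 410, 56975, 1001, 324086400.0, 37.7749, -122.4194, 500.0),
        (310, 410, 12001, 2001, 324172800.0, 43.0846, -77.6743, 1200.0),
    ]
    con.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", rows)
    return con

def summarize(con):
    """Report how much cell-tower history the database holds and over what span."""
    total, first, last = con.execute(
        "SELECT COUNT(*), MIN(Timestamp), MAX(Timestamp) FROM CellLocation"
    ).fetchone()
    if total == 0:  # empty table: MIN/MAX come back as NULL
        return {"records": 0, "towers": 0, "first_seen": None,
                "last_seen": None, "towers_with_history": []}
    towers = con.execute(
        "SELECT MCC, MNC, LAC, CI, COUNT(DISTINCT Timestamp) "
        "FROM CellLocation GROUP BY MCC, MNC, LAC, CI"
    ).fetchall()
    return {
        "records": total,
        "towers": len(towers),
        "first_seen": mac_to_utc(first),
        "last_seen": mac_to_utc(last),
        # towers logged at more than one distinct time, i.e. retained history
        "towers_with_history": [t[:4] for t in towers if t[4] > 1],
    }

if __name__ == "__main__":
    for key, value in summarize(build_sample_db()).items():
        print(f"{key}: {value}")
```

Against a real copy, open the file read-only with `sqlite3.connect("file:consolidated.db?mode=ro", uri=True)` so the evidence file is not modified.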
To: for-q-clinton
Two why does Apple need to keep a history of it forever and then transfer it from device to device?

What part of it doesn't keep the history forever do you fail to understand?... it replaces each tower data every time it's encountered so that the data for that tower is only the most recent... There is a map of where you have been... but not every time. Transferring from device to device makes the device smart... it doesn't have to REBUILD your database for each new device. Understand now?

41 posted on 04/23/2011 11:32:09 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

Actually that’s the biggest damage control spin I think I’ve ever seen. Plus it doesn’t jive with what the reports are saying about it. So you can damage control all day long but no one is buying it.


42 posted on 04/23/2011 5:02:00 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Swordmaker

Plus according to the Wall Street Journal:

Apple Inc.’s iPhones and Google Inc.’s Android smartphones regularly transmit their locations back to Apple and Google, respectively, according to data and documents analyzed by The Wall Street Journal—intensifying concerns over privacy and the widening trade in personal data.

Read more: http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html#ixzz1KOTCjKJ9

Looks like they are transmitting data back to Apple. But I thought you said they weren’t. Who do I believe? A well-respected news source or a spin doctor for Apple? Tough call, but I’m going with the WSJ on this one.


43 posted on 04/23/2011 5:05:29 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton
Looks like they are transmitting data back to Apple. But I thought you said they weren’t. Who do I believe? A well-respected news source or a spin doctor for Apple? Tough call, but I’m going with the WSJ on this one.

I said Apple was not sending this DB data to itself, it isn't. The author of this article, an EXPERT on forensic data extraction, analyzing the data coming from the iPhone did not find the data being sent. Apple says it isn't. Ergo, this data isn't. I stand on that evidence.

What is being sent?

Here's what the WSJ actually said about what Apple actually said they do with the data:

Apple, meanwhile, says it "intermittently" collects location data, including GPS coordinates, of many iPhone users and nearby Wi-Fi networks and transmits that data to itself every 12 hours, according to a letter the company sent to U.S. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) last year. Apple didn't respond to requests for comment. . .

. . . In its letter to Congress last year, Apple said that it only collects location data from people who use apps that require location. It doesn't specify how often a person must use the app for intermittent collection to occur.

Apple also said in the letter that it collects Wi-Fi and GPS information when the phone is searching for a cellular connection. Apple said the data it transmits about location aren't associated with a unique device identifier, except for data related to its mobile advertising network. (emphasis mine, Swordmaker)

Apple gathers the data to help build a "database with known location information," the letter says. "This information is batched and then encrypted and transmitted to Apple over a Wi-Fi Internet connection every twelve hours (or later if the device does not have Wi-Fi Internet access at that time)," the company wrote in the July letter to Congress.

The letter, which is available on Rep. Markey's website, became newsworthy this week in light of findings from two researchers who uncovered a file on iPhones that keeps a record of where the phone has been and when it was there. The file is unencrypted and stored by default. .

In other words, the ONLY time Apple gets data associated with location that has a phone Identifier connected with it is when the user clicks on an ad requesting information about the item or service being advertised—so that a proper response may be sent to the user. That's part of what Apple has stated Core Location services does... Nothing hidden or sinister. All other times the data is purely raw data sent anonymously and associated with the search for cellular connections.

So, yes, why NOT go with your own article from the Wall Street Journal and their primary source on this claim. . . The letter sent to Congressman Markey last year explaining then, up front and plainly Apple's policy.

44 posted on 04/23/2011 11:27:06 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

More damage control I see. But at least you do acknowledge it’s wrong for Google to do this, but for Apple it’s ok.


45 posted on 04/24/2011 8:13:02 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton
More damage control I see. But at least you do acknowledge it’s wrong for Google to do this, but for Apple it’s ok.

You want to believe everything is evil, especially about Apple.

No, not damage control, I'm cutting through the FUD and hyperbole with truth. I've told you it isn't what it seems and is claimed to be by the FUD spreaders like a certain Senator. And it isn't! Check out the facts of what is REALLY GOING ON.

46 posted on 04/25/2011 12:40:17 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Erik Latranyi

This is just an instance in Apple’s case where the goose is not good for the gander.


47 posted on 04/27/2011 11:46:34 AM PDT by Blue Highway

