How to Secure and Remove Your iOS 4 Tracking Data

Mac|Life
by J.R. Bookwalter

iOS Use Your Current Location prompt

Our privacy is increasingly at risk on the internet, but this week it turns out we may have yet another location to worry about: Our very pockets. As it turns out, 3G-equipped iPhones and iPads have been tracking our movements for almost a year — but here’s how you can make the best of the situation.

You may have heard that two data scientists, Pete Warden and Alasdair Allan, uncovered an unencrypted file with the seemingly harmless name “consolidated.db” lurking on all 3G-equipped iPhones and iPads running iOS 4 or later. It turns out that the file has been not only tracking your location for the last 10 months, but also recording that data and making a backup of it via iTunes.

Thanks to a little open-source application from the aforementioned data scientists, this database of information can be accessed by end users, simply by accessing files buried deep inside an iTunes backup of your iPhone or iPad. The scary part for many users is that a lost device that’s not wiped remotely via Find My iPhone could also get potentially accessed by a wrongdoer — or worse yet, most anyone with a bit of knowledge can jump on your computer, fire up iPhone Tracker and see where you’ve been for the last 10 months.

Whether this privacy issues scares you or not, there’s always a way to take lemons and make lemonade — and here are some ways to turn that frown upside down before Apple gets around to fixing the issue in a future iOS update.

iPhone Tracker map

View the Data in Question — Before Anyone Else Can

Before you storm the Apple campus with torches and pitchforks, head over to the website hosting the iPhone Tracker application. Download and launch the open-source Mac OS X app (it’s free) and in a moment, you can sit back and marvel at the data in question. iPhone Tracker displays a map view of where you’ve been for the last 10 months or so, which you can zoom in and out of and even play back in a cool time lapse mode.

Those of you who don’t get around much outside of your home turf will have a less interesting time with this data, but for jet setters, you’ll have a fun time zooming in and out and reliving the last year of your life. Our iPhone 4 accurately tracked our movements around town, as well as a family vacation several states away and even our San Francisco trip in late January for Macworld. Nothing to see here, folks!

iPhone Tracker website

How iPhone Tracker Works

Every time you plug in your iOS device and sync with iTunes, a backup of your device is created (or updated), buried deep inside your user Library folder. Fortunately, most of this data appears as gibberish to the average user, but the two scientists in question were able to make sense of the data with a Python script, Terminal and a Firefox plugin that allowed them to view an SQLite file containing the latitude and longitude of your location, as well as a timestamp of when it was taken.

Remember, a 3G data chip is required for this data to be collected — meaning Wi-Fi only iPads and iPod touches are totally immune to the problem, with one caveat.

iTunes Restore button

Don’t Forget Your Restore

Since the database in question is backed up with all of your other device data every time you plug in and sync with iTunes, that means it will also get passed on to other devices that you restore to. For instance, we upgraded from a 3G-enabled iPad to a Wi-Fi only model of the new iPad 2, and the data from the first-generation unit came along for the ride. However, no further information has been recorded in this database, since the Wi-Fi only model lacks the 3G radio necessary to record the data in the first place.

iTunes Device backups

Wipe Out Backup Data

It seems likely that the increasing public outcry over the issue will lead to a software fix from Apple sooner rather than later, but in the meantime you can at least eliminate the data from your computer to prevent others from accessing it via iPhone Tracker.

From your user home folder, drill down to /Library/Application Support/MobileSync/Backups/ and eliminate the folders and files found there. You can also accomplish the same task from iTunes by going to Preferences, clicking the Devices tab, selecting a backup of your 3G-enabled device and selecting “Delete Backup.”

Unfortunately, this is hardly a foolproof plan — each time you sync with iTunes, the backup will be recreated, map data and all. Worse yet, if your device dies without a backup, you won’t be able to restore the rest of your precious data to its replacement.

Untrackered jailbreak app

Jailbreaking to the Rescue

For now, there is one sure way to eliminate the offending database from the device itself, but it requires a jailbreak — the same method used by friendly hackers to add new capabilities to iOS that Apple frowns upon, as well as unlocking an iPhone to free it from carriers. The free app, called untrackerd, can be found in the jailbreak-only Cydia store — it runs in the background and clears out the saved location data as it’s recorded, which sounds like a battery drain to us.

iTunes device Encrypt Backup

Feel Safer with Encryption

Since deleting each backup that iTunes creates isn’t a practical solution for most users and not everyone has chosen to join the jailbreaking adventure train, there is another way to at least feel better about having the data on your computer.

With your iPhone or iPad plugged into iTunes and selected in the sidebar under Devices, scroll down to the Options at the bottom of the window and turn on “Encrypt iPhone (or iPad) Backup.” Enter and verify a password, click Set Password and you’re good to go. iTunes will get to work creating a new, encrypted backup, which may take take a bit of time if you store a lot of data on your device. When it’s finished, you can sleep easier knowing that anyone wanting to restore their device from your backup will at least need a password to do so in the future.

CNN report tracking map

Should We Be Afraid?

The researchers who stumbled across this data are quick to note “there’s no immediate harm that would seem to come from the availability of this data” — even if someone managed to get direct access to your device or computer. There’s also no indication that your device is “phoning home” to Apple to share the data with Cupertino, perhaps in some secret underground lair created by Big Brother to track our every move.

While hardly a security expert, Apple guru John Gruber has posed the “somewhat informed theory” that the consolidated.db data in question is intended to be a harmless cache of iOS location data. Gruber claims that the cache should be getting purged over time — much in the way Android devices appear to be doing it — but for whatever reason, that isn’t happening. The Daring Fireball scribe proposes that the cache is simply a bug that Apple will be fixing in the next iOS update, which makes sense to us.

It’s important to note that the data being stored on your device and computer is actually far less than the cell phone companies already have on you — since the data is based on a location fix of nearby cell phone towers rather than more accurate GPS data, it’s only a rough sketch of where you’ve been.

Finally, in an ironic twist, it appears that the geodata in question actually isn’t a secret in the first place — Wired reports that Apple sent a 13-page letter (PDF link) to Congressmen Joe Barton and Edward Markey back in July of last year, explaining how the company collects and uses such location data. While that doesn’t answer the question of why it’s still being collected almost a year later, the bottom line is that we agree to let these devices collect such data just by using them

__________________

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s