iPhone, iPad and Android Tracking Space Heating Up

Posted on 26 April 2011 by


iPhone Tracker Map of iPhone Locations

There’s been quite a bit of activity in the mobile forensics arena in the past week, with announcements of some new open source forensics software for iPhone and Android phones, the revelation that these devices are storing far more information than was generally understood and the fact that the Michigan State Police are snarfing mobile data. And vendor FUD and boasting. And, you know, just FUD.

So it turns out that Apple is storing information about where your iPhone or iPad device has been (by storing the geolocation of the cell towers to which it has connected) in a SQLite database file on the device itself. This was revealed in an article published on O’Reilly Radar on 20 April by computer researchers Alasdair Allan and Pete Warden, in which they said that the database,

…contains latitude-longitude coordinates along with a timestamp. The coordinates aren’t always exact, but they are pretty detailed. There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there’s typically around a year’s worth of information at this point. Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself.

The database file is stored on your iPhone, and in all the automatic backups made when you sync the device using iTunes – so the locations file can be read not just from the device itself, but also on any machine used to sync it.

Pandemonium ensued, but things like this are nothing new – some people are still surprised to learn, for example, that Windows machines keep lists of every WiFi hotspot to which you’ve ever connected as well. A well-written article in The Atlantic, What Does Your Phone Know About You? More Than You Think by Alexis Madrigal tells the tale of a reporter whose phone, when accessed by a mobile forensics product, revealed

“[about] 14,000 text messages, 1,350 words in my personal dictionary, 1,450 Facebook contacts, tens of thousands of locations pings, every website I’ve ever visited, what locations I’ve mapped, my emails going back a month, my photos with geolocation data attached and how many times I checked my email on March 24 or any day for that matter…”

The brouhaha over the fact that these data are recorded is, in our opinion, a little overblown. One security firm recently wrote a spoof warning that word processing programs record every character you type – a similarly (if spoofily) ho-hum revelation.

Yet taken in the context of the recent California Supreme Court ruling that police may search arestees’ cell phones for data without a warrant, civil libertarians smell blood in the water. At the least, it is the responsibility of police agencies to make a policy about this kind of data extraction, which would require understanding the issues and the technologies involved.

First, check out Warden’s open source and free iPhoneTracker, which can extract and create a map showing hotspots of every place your iPhone has been (and a few that it hasn’t – read the FAQ list and documentation). This is a pretty handy forensics device and a good way to show, say, that someone was somewhere at some given time. You know, if they say they weren’t.

Not to be outdone, Researchers quickly got to work on the Android version of this, and the next day Magnus Eriksson, Mike Castleman and Sean Schulte released android-locdump, software which does pretty much the same thing on Android phones.

In an article on CNet, Declan McCullagh stated that law enforcement agencies have known for at least a year about this “feature” of iPhones and iPads, and that some have used that geolocation data to aid criminal investigations. Not that that’s much of a secret: a forensics software firm, ViaForensics, published a case study of how they’d used these techniques to pop open Android phones for a federal law enforcement agency. In it, it claims that using its techniques, the firm was able to circumvent the device passcode and acquire a full physical forensic image of the device, including full memory dump, deleted information, logical directory structure, and SQLite databases containing text messages, contacts and emails.

UPDATE: Have a look at this here video for a sample of how this works.

As our friend Howard Dean would say, Bweeyawwwww!

Then a privacy journalist writing in Network World announced that, using the Cellbrite products mentioned above, the Michigan State Police can suck data out of cell phones in under two minutes. It describes an ACLU effort to gain access to information about the MSP’s program, which it dates to 2008.

One other related note: while the brouhaha about Google StreetView cameras recording information about open WiFi hotspots was alll the rage last year (you can read my take on that, Google, Wifi Hotspots and Privacy: It’s Hard To Get All Worked Up), it turns out that The Google was not quite done. According to a piece in The Register by Dan Goodin, Google location tracking can invade privacy, hackers say, controversial hacker/security researcher Samy Kamkar discovered that Google was tracking the MAC addresses of WiFi routers through which Android phones connect to the Internet.

“Android phones are wardriving,” Kamkar told The Register. “They’re sending all your GPS coordinates. They know how fast you’re traveling. There’s a unique identifier that’s always sent.” By combining the location and the unique identifier several times a day every single day, Kamkar said, it wouldn’t be hard for Google to figure out where you live and work. And since Android phones track the signal strength of each Wi-Fi network they see, there’s a good chance Google could also figure out the MAC address of your home and business routers.

Stay tuned.

UPDATE: On 27 April, Dan Goodin over at The Register published a piece stating that Microsoft’s mobile devices do the same thing.