Apple Updating iOS To Address Privacy Concerns

wiredmikey writes "[Apple] said that over the next few weeks it would release a software update for iOS that would reduce the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone, cease backing up the cache, and delete the cache entirely when Location Services is turned off. Additionally, Apple said that in the next major iOS software release the cache would be encrypted on the iPhone, though a timeline for that was not provided."

hmm..

[amalek]

It's been a long week of high-profile fuck-ups.

Re:hmm..

It's about time the US started another war to distract people.

Fail

[magamiako1]

So apple's going to encrypt the location cache on a phone that is otherwise locked, where other people generally don't have access to it other than the device itself, and lower the battery to deal with encryption routines all because people are idiots?

Sigh...

Re:Fail

[geekoid]

No, more probably.

The time stamp is a function call. Now you want to do the function call AND then strip out information. That would take more power.
Not that it would even be measurable.

*Under the hood, when you pass options to only return a subset of the time stamp, it gets it all, then truncates the information.

Moving on

[mudpup]

Sounds like Apple is taking steps to improve their system and give the paranoid users a easy opt out. Now the question is what are the other phone manufactures doing with their location systems? Especially those who log your data to the cloud?

Re:Moving on

[93+Escort+Wagon]

Sounds like Apple is taking steps to improve their system and give the paranoid users a easy opt out. Now the question is what are the other phone manufactures doing with their location systems? Especially those who log your data to the cloud?

That's a good point. Given their relatively short response and turn-around time on this, I'm wondering if Apple sees the possibility here for turning a negative situation into a positive. Don't get me wrong - I think Apple (and other vendors) should've been doing this from the get-go - but it will be interesting to see (for example) how Google responds, given that their business model is to own as much data about you as possible.

direct link

[bidule]

Why not use the direct link as nothing was added and some was cut?

Re:direct link

[Americano]

Just a wild, unscientific guess, but I'd say it's because linking to Apple's press release directly means that SecurityWeek doesn't get ad impressions from the slashdotting. The link goes to a SecurityWeek Article by Mike Lennon; TFS submitted by "wiredmikey," whose profile identifies him as "SecurityWeek Editor", and links to SecurityWeek.

Connecting the dots is left as an exercise for the reader.

Re:direct link

[Fnord666]

Connecting the dots is left as an exercise for the reader.

Because we sure in hell know the %$&*ing editors won't do it.

Re:Bug?

[mangino]

Almost all bugs would be caught by a single testcase if you thought about writing it. Most often the problem is that nobody concerned the scenario and though to write a testcase. While it could be mailicious, it could also be just an accident.

Seems like a bug

[SuperKendall]

Not erasing the old logs doesn't seem like a bug.. it would've been caught by a single test case.

You only put tests in for problems you think of. Deleting the log file altogether when you turn off location services, is a problem they simply didn't think about. If you think about it the guys writing that part of the code probably assumed that since the file was cached it would be truncated so leaving it around wouldn't matter...

The rest of the time you aren't deleting the file, instead you are periodically truncating it - something beyond a single test case, and requiring a long period of time to elapse. That part seems also like it could easily be oversight.

To my mind they probably just thought keeping a record of cell towers was not a big deal, because it was not an exact location log... although just from a performance aspect you'd think they would not want that file growing too large.

Conclusion:

[Lazareth]

A perfectly sane feature has now been curtailed effectively by public outcry against perceived violation of privacy. While I agree that it is a good thing the stuff now gets encrypted locally (yay, more encryption of sensitive information!) the grand result is nearly nothing. The way this thing worked was by having a cache of locations stored locally and for those who worry about invasion of privacy this turn of events doesn't change anything - if Big Brother wants to know where you are and where you've been, he need do nothing more than to store where you connect from on his side - something he has always been able to do.

Re:Good...?

[SvnLyrBrto]

How do you suppose the phone company knows what cell you're in, so they can route calls to your phone? How do you suppose they get their E911 data?

As long as you have the thing powered on, the phone company know where you are. And if the police want to know, they won't go to your house, hack your computer, and read the log backup. They'll just go to the phone company with a subpoena.

This whole controversy was much ado about nothing. The only thing that was different was that the user had access to the data that "the man" had all along.

Re:Including the "obsoleted" phones?

[Phleg]

Out of curiosity: why? When the next version of the iPhone comes out, you can sell your existing one on eBay and buy the new one for a net profit of $50. $150 if you unlock it first.

Re:Bug?

[SvnLyrBrto]

Not necessarily a bug... it could have been a simple oversight. Just look at everything that's in /var/log on a vanilla UNIX/Linux installation. Unless you go in to your configurations and specifically dial things down, there's quite a lot in there that some nefarious party could exploit to get a very good idea of what you're doing on that box.

Re:nice

[jessecurry]

Apple: We didn't see anything wrong with the previous implementation, but it seems that our customers do. We'll take steps to make sure that our implementation is in-line with what our customers desire.

Re:Bug?

[IAmGarethAdams]

As Phil Karlton once said

There are only two hard things in Computer Science: cache invalidation and naming things

Re:Glad this is over

Um, are you one of those people rising up against oppressive governments? How about the people bringing a class action lawsuit? How about the many blogs screaming about it? No?

Can this data be used in real-time? No. Can it locate you precisely? No. Can an oppressive government that controls the local cell company locate ANY cellphone with greater accuracy and in real time? Yes.

Hmmm... I think "alarmist" is an accurate description.

Not useful for that purpose.

[SuperKendall]

What about people who are grabbed by their government? Now there Phone can be checked for locations and those location will be at risk whether or not they aided the dissenter....Know what cell tower you connected to is one thing, know the exact block or store you where in is another.

That's the thing though, it was NOT storing accurate location data. It's cell tower and some WiFi data, generally information you cannot use to tell you were at a specific house or even possibly neighborhood... think 1/4 to 1/2 mile radius, possibly a block but not a store.

Re:Bug?

[Spykk]

Invalidating the cache is easy. Just call m_cacheThisIsTheLocationBasedCacheThatSpeedsThingsUp.MakeThisCacheSoThatItIsNotValidAnymore(); Naming things on the other hand...

Re:Good...?

[gutnor]

Yes because the only people who would be interested in this data are those that already posses a legal method of obtaining it...

If you are worried about those that do not posses legal method to access that data - you should really encrypt your data. The log can only be accessed from you home computer or you mobile phone directly (after hacking it) - if somebody you don't like has unrestricted/uncontrolled access to any of those, there is a lot more stuff you need to be worried about.

There is of course the Private Investigator case hired by your wife that could be borderline possible. In real life, that would be far easier for the PI to stick a GPS tracker under your car and that would give him more precise, more discreet data collection service.

Re:Bug?

Not if the bug is in the requirements. You can't test for something if there is no requirement for it. One of the biggest failures of how agile/XP methodologies are implemented, they skimp on the requirements documentation.

Why the iTunes sync?

[Posting=!Working]

My favorite answer:

Why is my iPhone logging my location?
The iPhone is not logging your location.

No, they're just logging the location of things you go near and the time you passed by them. This is not a location the same way that "314 Evergreen Street, Pigsknuckle, Arkansas at 2:31:14am on April 17, 2011" is not a location because it doesn't specify if you're inside or outside the house.

And then, two sentences later...

iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements).

So they're not tracking your location, just the data needed to triangulate your location. Just like the GPS doesn't track your location, since it also only gives the data needed to triangulate your location.

The location data that researchers are seeing on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhoneâ(TM)s location

The data from the GPS is not the location of the receiver, but rather the locations of the satellites surrounding the receiver's location.

Can Apple locate me based on my geo-tagged Wi-Fi hotspot and cell tower data?
No. This data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data.

Using the preceding logic, it probably only contains your iTunes logon, phone number, SSN, DOB and profile information. But since it doesn't contain your name, they can't identify the source of this data. Also, I would guess that they replace all spaces with an underline, rendering it unreadable and thus encrypted.

Re:Why the iTunes sync?

[thoromyr]

Okay, some people are slow.

"their own explanation describes that they're storing all the data needed to get your location except the final calculation"

As long as that "final calculation" includes fetching additional information. Maybe you're weak on the concept, but triangulation works like this: take three known points and for each of them measure the distance to an unknown point. That distance measurement allows a circle to be drawn around each known point. The unknown point lies at an intersection of the three circles. Due to limitations in accuracy, this intersection is going to be larger than a point -- and may in fact cover a sizeable region.

Here's the thing: the cache only included the crowd-sourced information, that is the locations for the known points. The "final calculation" involves collecting *additional* data, the distance from those three known points. So, no, the cache does *not* have all the data needed. It is missing the distance calculations. Which only makes sense because it changes constantly -- and is supported by what the third party individuals who have looked into it have found. No need to trust Apple.

"Which is exactly what the researchers did."

Really! Amazing, can you point a link to that because I've read what the researchers (original and others) have said and that is *not* what they did. The application that was written does not magically triangulate past locations (how could it, without distance data), it just displays the locations of towers and hot spots. That you may or may not have been near to at the logged time. Apple says up to 100 miles. Someone who checked his database found even larger discrepancies.

"Michigan's recent purchase of equipment to download all your cell phone's data during traffic stops"

Okay, you read the headlines and never the article. The "purchase" was not recent, the fact that they buy the forensic devices just got brought up again. It isn't a recent phenomena at all and should come as a surprise to no one. (The ACLU's interest isn't that they were purchased, but what and how they are being used for.) Further, "download all your cell phone's data during traffic stops" -- there is no reasonable belief that this is happening, but if it /is/ happening they won't get "all" of *my* cell phone's data. Okay, let's assume for a minute that it was routine to hand over my cell phone at a traffic stop and that they imaged it. All that they get for their trouble is SIM data (problematic) and an encrypted blob. Why? Because my cell phone runs iOS 4 and I have set a password. But don't take my word for it, google iphone forensics, pay attention to iOS4 and read more than the front page or a quick marketing blurb. Or, even better, learn how to image an iPhone and demonstrate to yourself the difference.

Now, I do wish all the data were encrypted, but it isn't (and isn't on any phone I know of) -- but they won't get my email, SMS messages, notes, voice recordings, etc. There is no evidence that cache data is on the unencrypted data store of an otherwise encrypted iPhone.

Lesson 1: if you wish to do *something* to protect sensitive data on an iPhone -- which for most people is much more than geolocation data, and more serious -- then get it to iOS4 and set a passcode, or even better use a password (iOS4 allows that). And set it to wipe after 10 failed attempts. Wish I could set it to 3 (or fewer, even).

Lesson 2: it helps to know what the heck it is you are talking about.

Re:Why the iTunes sync?

[rabtech]

Your characterization is way off.

So they're not tracking your location, just the data needed to triangulate your location. Just like the GPS doesn't track your location, since it also only gives the data needed to triangulate your location.

Incorrect; what they are doing is using the known location of one cell tower, WiFi hotspot, or GPS to make a wild guess as to your current location, then going to Apple's servers and downloading a chunk of data that contains all the known cell towers and WiFi points anywhere within up to 100 miles of the WiFi hotspot/cell tower the device originally saw a signal from. This info is written to the cache.

*IF* an application requests location services, it uses this database to quickly triangulate an approximate current position to help it get a GPS lock extremely quickly (Go read up on GPS - if you have a half-way decent idea of where you are, it makes acquiring a more exact fix much faster - somewhat like turning your TomTom off then back on immediately vs turning it off, flying across the country, then turning it back on... in the latter case it will take a lot longer to get a location). If there is no GPS signal, it can at least give an approximate location to the application that requested it. Location services on iOS allow the app to specify the desired level of accuracy as well as receive the instantaneous accuracy level. If the app only wants to know what zip code you are in the device might not even need to bother turning GPS on - the cache might be enough to get that information.

In any case, all the database tells you is that of the entire list of cell towers and WiFi hotspots in the database for a given time period, you were near *one* of them somewhere vaguely around that time.

No, they're just logging the location of things you go near and the time you passed by them. This is not a location the same way that "314 Evergreen Street, Pigsknuckle, Arkansas at 2:31:14am on April 17, 2011" is not a location because it doesn't specify if you're inside or outside the house.

More like that address just means you were in the city of Pugsknuckle sometime on April 17; you might have been at 314 Evergreen, maybe 325 Evergreen... maybe across town at another address entirely. Maybe you just drove through town on your way to Texas. There is literally no way to know because the chunk of cache you get back can cover a wide area and depends on what the server decides to send you. Two people at the same location at the same time might get different lists back from the server that cover a different geographical area.

Short version: This is no different then looking at a laptop's recently seen WiFi access point list and trying to claim the laptop is tracking you. All it means is that you were within some distance X (depending on conditions) of that access point sometime in the past.

Re:Bug?

[fuzzyfuzzyfungus]

From Apple's own flack piece...

"3. Why is my iPhone logging my location? The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple."

Re:Never sent to Apple though

[fuzzyfuzzyfungus]

This file... Apparently, the timestamped location log database file was a locally-generated composite of RF signals the phone received, and nearby locations that were provided from Apple's database(Requests for which, of course, would in no way inform Apple of the user's location at a given time...). That particular file doesn't seem to have been sent back, in large part because much of it would be redundant.

However, particularly in points 3(linked above) and 8(following) of their apologia, they admit to collecting location data in a previously undisclosed way.

"8. What other location data is Apple collecting from the iPhone besides crowd-sourced Wi-Fi hotspot and cell tower data? Apple is now collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years."

Re:Good...?

[Patch86]

Leave the police and the courts out of the equation for a moment (as we have to assume, these days, that the state is omnipotent in any case).

This whole controversy sprung up because some well-meaning developer released an app that could access the data. By extension, we could assume that all iOS developers- including malware developers- could work a similar trick, to less innocent ends. Malware/adware/spyware developers couldn't subpoena your details from your provider; this is the only method by which they could access this sort of data.

As such, you can look at it as a pretty big security hole that needn't exist.

Re:Bug?

The oversight wasn't that they were collecting. The oversight was that the phone didn't erase the file when the user turned off Location Services, which Apple admitted and said they intend to correct.

Re:Bug?

[mangino]

I don't know that I agree with this. I've worked building software for more than 15 years and I can tell you that the likelihood of somebody accurately capturing something like this in a requirements document is very close to zero. After all, this isn't a feature we're talking about, it's an implementation detail of a performance optimization. The requirement would likely be something like

"Must be able to detect a location within 0.2s if wifi is active or can locate at least 3 cell tower ids"

the rest is how the programmer chose to make it work. If you are creating requirements to the level of detail needed to fully specify purge behavior of a cache database, you're never going to finish your requirements document.

Reading Comprehension Check

[SuperKendall]

No one? Apple says that they do is items # 3,4,5,8. 5.

From TFA:

Can Apple locate me based on my geo-tagged Wi-Fi hotspot and cell tower data?
No. This data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data.

Hi there. reality calling. If they can't tell it's from you, it's not YOUR DATA they are sending.

Bloody tinfoil-hat Apple Haters...

Re:Reading Comprehension Check

[moronoxyd]

Ah, so if I took pictures from all the houses around your house and send them somewhere without telling them that the pictures were taken from your house, that's no problem?

When I take your bank statement and remove the bits referencing your name and address, I can send that statement wherever I want because it's not your data anymore?

Good to know...

Re:Bug?

[dwandy]

I thought there were two hard things in Computer Science: cache invalidation, naming things and off by one errors.

Re:Known Issue Though

This log file has been a known issue for at least 6 months. I'll give Apple credit and say that never purging the contents of the file is a bug, but they have know about the problem and did nothing to correct it.

They probably did nothing about it because it didn't seem like a big deal to them. You want an example of a security issue which has real world impact on tens of thousands of users? Insert latest credit card database theft news here. There seems to be at least one every few months, I think the latest was Sony.

By contrast, a phone which logs the locations of cell towers that it's been near causes next to no real harm to its users. The uproar has been essentially emotional: "ZOMG I'm being TRACKED!!!!", even though the information stays on your phone (and computer, if backed up) and isn't terribly useful to anybody likely to get hold of it. Maybe law enforcement might want to use it to pinpoint where you were if they suspect you of a crime, but they're going to have problems using it due to the nature of what's stored: it merely locates cell towers you were near, not where you actually were, and as soon as you return to a location near the tower they're interested in, the information they need (the timestamp of when the phone last asked for an update about the position of that tower) is destroyed.

Also, it's hard to make a case that LEOs lucking into a way of finding some information about the whereabouts of suspects greatly harms society as a whole. Yes, there's a privacy argument to be made, but what I'm getting at is that on the whole, leaks of CC databases cause real harm to innocents, while this problem almost certainly did not.

In short, assuming Apple had a Radar bug filed, it was probably treated as a low priority since they had no idea that it would become the subject of a media feeding frenzy and inflated into an issue of vastly more importance than it really is.