April 20, 2011 -- If you've got an iPhone in your pocket, Apple could be recording where you go, a pair of security researchers revealed today.
Ahead of a presentation at the Where 2.0 Conference in Santa Clara, Calif., Alasdair Allan and Pete Warden published a description of their findings online at O'Reilly Radar, saying that the Apple iPhone and iPad 3G record the device's geographic position and corresponding time stamp in a hidden file. They said the data collection started when the company released its latest iOS 4 mobile operating system.
"We're not sure why Apple is gathering this data, but it's clearly intentional, as the database is being restored across backups, and even device migrations," the researchers wrote.
Allan and Warden did not immediately respond to requests for comment. Apple also did not reply to an interview request from ABCNews.com.
Emphasizing that the recorded location data have privacy and security implications, the researchers said that files are unencrypted and unprotected and can be transferred to any machine synced with the device. Depending on when users installed the new operating system to their devices, their phones could be storing a year's worth of location history.
Web Application Plots iPhone Owners' Location History
To show users exactly what Apple's devices have recorded, Allan and Warden created a Web application that plots a user's iPhone data on a map. Once the application is downloaded to the computer, users sync with their Apple device and the application scans through backup files to look for the hidden file with the location information. When it spots the file, the application shows the location history on a map.
"By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements," the researchers said in the "frequently asked questions" section accompanying their application.
Researchers: Location Information Is 'Sitting in Plain View'
The researchers said they believe that the coordinates of the phone are determined by cell-tower triangulation. While the location data aren't always precise, they said the phones may have recorded up to tens of thousands of data points. However, there's no evidence that the data are being transferred beyond the devices or computers that sync with them, they said.
"The cell phone companies have always had this data, but it takes a court order to access it," the researchers wrote. "Now this information is sitting in plain view, unprotected from the world."
Aaron Higbee, chief technology officer and co-founder of mobile security firm Intrepidus Group, said that while this was the first he'd heard of the devices' tracking capabilities, his company can confirm that the files store historical location data.
"This is a good discovery," he said. "What's different in this location story is this one has a history, it's not just your point-in-time location."
Jealous Spouses, Hackers Could Exploit Data
While other rogue applications may be able to spot your location at a specific moment, this kind of tracking could be exploited by others for more nefarious reasons.
"There's a market out there for people worried about cheating spouses. I could see someone developing an app that could help open up this file and see where they've been," he said.
Cyber criminals also could create malware intended to grab a person's location history, he said.
"Things like this lead to other uses," he said. "Now, let's say you were speeding and you were required to hand over your phone to the officer? They could see where you were all day."
The location files may exist because Apple plans to roll out a future product using them or because they're an artifact of another feature on the phone, he said, but he agreed with the researchers that the discovery has privacy implications. While there isn't evidence that Apple is receiving location data now, he said, it's possible that a future operating system could retrieve it.
Apple Discovery Is Just Latest Example of Location Privacy Issues, Technologist Says
Digital rights advocates say that while the latest Apple discovery is worrisome, it's just one more example of the vulnerabilities related to location data.
"These location records can reveal a wealth of sensitive information about you: your attendance at a gun rally or prayer meeting, your frequent visits to a health clinic and more," said Chris Conley, a technology and civil liberties fellow at the ACLU of Northern California. "Control over this information needs to be in your hands, not Apple's."
If any good comes of this discovery, he said, it's that Apple is forced to answer some tough questions.
"I think people will be horrified to learn some of the places where their data is going," said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation.
It's not just Apple that knows people's locations, but map providers like Google, cell phone companies and location-based services like Foursquare, he said.
"Location data is very sensitive," he said. It can reveal where you live and work, where you frequent for movies and dinner and even if you've spent the night at someone else's house.
Previously, Eckersley said, the EFF was concerned about location data stored with third parties (like cell phone companies and location-based services), but this latest finding opens up another set of potential problems.
Once people realize how many parties can access their location data, he said, we will need to redesign our phones so that we can benefit from location-based services "without phoning home to 10 different mother ships showing where we are."
"The phone is such an intimate window into our lives," he said. "It needs to be treated with an appropriate level of caution."