14 DAY TRIAL // Researchers have different opinions regarding the purpose of an iPhone file storing location data, but F-Secure experts point out that such information gets sent to Apple twice a day.
A few days ago, researchers Pete Warden and Alasdair Allan held a presentation at the Where 2.0 Conference where they revealed that iOS 4 stores detailed location data, including information about cell towers and Wi-Fi access points, in an SQL file called consolidated.db.
This file persists over hardware upgrades, because it's saved during iTunes backup procedures, and as far as Wi-Fi information in concerned, it contains connection time stamps, access point MAC addresses and their corresponding geographical coordinates.
Following this disclosure, security researcher Alex Levinson wrote on his blog that the collection of this information by Apple is not new and that on pre-iOS 4 devices the file is called h-cells.plist.
However, "Apple is not harvesting this data from your device," the researcher stressed. "Through my research in this field and all traffic analysis I have performed, not once have I seen this data traverse a network. As rich of data as this might be, it’s actually illegal under California state law," he explains.
But security experts from Finnish antivirus vendor F-Secure disagree and point out that it's Apple's default policy to collect this location data twice a day.
"For GPS-enabled devices with location-based service capabilities toggled to 'On,' Apple automatically collects Wi-Fi Access Point Information and GPS coordinates when a device is searching for a cellular network," an Apple official document reads.
F-Secure's Chief Research Officer, Mikko Hypponen, believes this data is used to build Apple's global location database in a similar way Google used StreetView cars to build theirs.
In fact, at one point, Apple used the car-based approach too by working with a company called Skyhook. The partnership ended in April 2010, with the release of iOS 3.2, probably because it was too costly.
Apple actually asks users for permission to collect this data, albeit via a rather misleading dialog during the installation of iTunes which reads: "You can help Apple improve its products by sending us anonymous diagnostic and usage information about your iPhone."
The phrasing seems purposely vague, but the company's privacy policy is clearer. "To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device," it reads.
"We believe the new secret location database found on the devices is connected to this functionality," Mr. Hypponen concludes.