It’s no secret I’ve never been a big Apple fan, although not for the reasons you may think.
It’s not because of their draconian and closed environment. Neither is it because their products have little technical merit above other products yet seem to garner an almost fanatical following. Primarily it’s because of Apple’s poor security, something that is seldom brought up in polite conversation.
Yes, it may be a surprise to many, but Apple is near the bottom of the pile when it comes to fixing security holes in their products. Even Microsoft, that doyen of the bug world, has a better track record. And it’s possibly only their lack of user base (i.e. Mac OS X) that has meant they have seen little attention in terms of malicious attacks, but that has been changing in recent times, especially with the iPhone’s commercial success. Remember the iPhone 3G data breach from June last year where over 100k users had their details harvested? Or Safari’s continued woes at the hands of the Pwn2Own contests? And many more where that came from.
So to the latest revelation: i* devices constantly track users’ physical location and store the data in unencrypted files that can be read by anyone with physical access to the device, regardless of whether your GPS is activated or not! The two researchers who found the issue have created an app called Phone Tracker that will read the data from your i* device or computer.
From the end-user point of view, Apple only does one kind of location tracking, and it happens via GPS. The company makes sure to notify you on your iPhone or iPad every time you use an app that will grab your GPS location so that you’re always informed of when you’re being tracked. However, that’s not all that’s going on behind the scenes. Apple also triangulates your location from cell phone towers and logs that information in order to help get a faster GPS lock (or to find your location without GPS if you’re getting a bad GPS signal). Users don’t get to decide whether their locations are tracked via cell towers or not—unlike GPS, there is no setting that lets users turn it off, there’s no explicit consent every time it happens, and there’s no way to block the logging. You can encrypt backups when backing up to your computer; however, the data file is still unencrypted on your iPhone/iPad.
A number of jail-breaking and 0-day exploits can be used to gain access to the root-only location on the iPhone where the unencrypted files are stored. So the security implications are huge, especially in the corporate world where smart phones are increasingly used for data storage and communications. Imagine someone tracking your location while on business in a foreign land.
It’s one thing for Apple to control your every move when using their products but it’s another thing completely to gather data without your consent. I’ve never liked the control that Apple exerts in terms of their products and this latest event leaves me even less impressed.
So it’s just as well I’ve gone a different route …