Tracking down the iPhone Tracking Fracas

10 Aug 2011

News regarding Apple's iPhone tends to behave like a flare: lots of noise, a few dramatic explosions, but no lasting impact. Think "antenna-gate". A few months ago, a pair of researchers working for O'Reilly found a database on the iPhone that contained detailed location data stretching back over the past 10 months.

This story is interesting, though, and it’s not because it involves my favorite fruit. This story started long before this week, and it foreshadows discussions about mobile technology and privacy concerns that will only grow deeper as time goes on.

Last July, Congressmen Ed Markey (D-MA) and Joe Barton (R-TX) sent a letter to Apple regarding clauses in its Terms of Service involving users' location data. They were concerned with how and why Apple was collecting data on its users, and requested a response. Apple duly filed one, and the whole issue unsurprisingly fell off the back edge of the tech news cycle.

Then the O'Reilly researchers found an unsecured file on the iPhone 4 that seemed to answer a lot of the congressional questions: an unencrypted database in the device's local storage holding a boatload of location data. Because the file was swept up in ordinary iTunes backups, a copy also sat on any computer the phone had been synced with, readable by anyone with access to that machine. Wired magazine's Gadget Lab has an excellent article explaining why, from Apple's point of view, it needs to collect this sort of data.

“Apple must be able to determine quickly and precisely where a device is located,” Apple said in its letter. “To do this, Apple maintains a secure database containing information regarding known locations of cell towers and Wi-Fi access points.”

[…]

“These databases must be updated continuously to account for, among other things, the ever-changing physical landscape, more innovative uses of mobile technology, and the increasing number of Apple’s users,” Apple said in its letter.

The Gadget Lab article doesn't dispute the validity of this point, but it raises misgivings about Apple keeping the database on the phone. Once the phone has sent Apple the location data, there's really no need for that data to remain on the device, and unencrypted, unprotected data on a device is just asking for trouble. Skype recently had a similar issue on Android: an unprotected data file left Skype users' contact data readable by rogue applications on the same phone.

With the bug patched (Apple's update shrank the on-device cache, stopped backing it up to iTunes, and clears it when Location Services are turned off, though the phone still keeps a smaller cache) and the world shifting its focus to Apple's next phone, the story has once again faded into the murky memory of tech enthusiasts, and has likely been forgotten completely by the mainstream audience.

That worries me.

Looking back at the history of personal computers, most people didn't take computer security seriously until the outbreak of ILOVEYOU, a particularly nasty worm. At its core, ILOVEYOU was nothing more than a Visual Basic script sent as an e-mail attachment; it relied on Windows hiding the .vbs extension and on Outlook obligingly running the script, then mailed itself to everyone in the victim's address book. What makes it memorable, though, is the way it caught users, sysadmins, and even the software giants off guard. Nobody was paying attention to computer security the way they are now.

While the iPhone scandal made a lot of news, it didn't have much staying power. Mobile security is still a topic largely unaddressed, and for a simple reason: most mobile exploits haven't visibly hurt anyone yet. While I, and plenty of security companies, can see a need for products in this space, the same attention isn't paid to mobile security as to its bigger brother, the desktop PC.

The potential for identity theft via cell phones is huge, and as phones get more and more advanced, they will be woven ever more tightly into our daily lives. The phone is becoming our most personal and private collection of data, yet it lacks the security guarantees that other systems have provided. The truth of the matter is, we trust our phones because there has never been any harm in doing so.

What sort of security breach will it take for the general public to take security of their smartphones seriously? How much damage would have to be caused?


Me

Vishal Kotcherlakota is a reformed sysadmin, who writes code and will talk incessantly about DevOps to anyone who will listen. All views expressed here are his and not those of his employers.