Well, this has been an exciting 24 hours. I needed a break after a lack of sleep the previous night. I’m glad to see so much technical research being done now. Great work to everyone. I’ll begin linking interesting analysis through my Twitter feed as I come across it. You can follow me @alexlevinson.
Earlier today, Pete Warden and Alasdair Allan responded to me. I want to thank them for their words. I do not want to spill hate on them or their work. I wish them both the best in their ventures and would like to cross paths with them in San Francisco sometime. Fabulous work gentlemen.
What is Location Services?
I think several people have missed understanding how Location Services functions within an iOS device (and probably mobile in general) and the impact it has.The iPhone’s popularity comes from it’s human computer interaction. It’s smartphone capabilities are extended to the user in all sorts of unique and useful ways. Where am I? What’s Pizza Hut’s number? A smartphone has now replaced your fellow citizen for information. This data (or accessibility to determine) is fueling the movement in today’s digital world.One of those aspects as we know is Location Services, derived on the iPhone through this file, consolidated.db. This file acts as a hub of logging for geolocational information on the device. The various radios in the device log information to this database.When developing applications for an iOS device, you can access a series of libraries created by Apple to harness the capability of the phone. Why do you need these? Because your app runs in a “sandbox” — a jail cell for your application that prevents it from interacting with other applications or data on the device. This is a positive both for performance and security on the device. The “sandbox” design is not new to Apple. Unix and Linux systems have been jailing applications for years.
So unlike desktop computing, applications on the iPhone do not talk to one another or interact with system data. This is why third party applications do not have access to consolidated.db. They can manipulate and manage data within their own jailed directory, but nothing more.
Apple gives application developers access to programming frameworks that contain APIs to interact with data on the iPhone. This is how you can import your Facebook contacts, use Skype, or checkin on FourSquare. This allows an app to use the Core Location API to interact with location in a ways that expand the iOS user experience. CoreLocation uses consolidated.db to facilitate this transaction of data. So an app must use this API to begin interpreting location data. There is no other way. Given the static nature of these API functions, only certain data can be interpreted by apps, preventing them from simply harvesting all data within consolidated.db.
Apple previously used Skyhook Wireless for their determining the location of iPhones, but announced in 2010 they would be moving to their own location services starting in April of 2010 with iOS 3.2. This would confirm why there is data transmitted to Apple every 12 hours as reported by F-Secure yesterday. This explains my failure to see this unsolicited location data. My network traffic analysis of iOS devices has never spanned large time intervals. This still doesn’t translate into Apple tracking users behind their back.
I think overall, this location data is being used to further the iOS experience. An iPhone wouldn’t be an iPhone if you couldn’t press a button and have it tell me where the nearest Apple store or find a popular restaurant on Yelp. That doesn’t mean that this data is not sensitive though, which brings me to my next point.
The Advent of Mobile Data Security
Over the last century, we’ve seen data move from handwritten letters to typewriters and computers. Security measures have always existed to protect sensitive data. We’ve learned the painful mistakes of mismanaging digital information through the computer age and are beginning to create policy that helps ensure data “C – I – A.” – confidentiality, integrity, and availability. One of the outcomes of all this work is that there is no smoking gun to ensure privacy of data and a large responsibility lies on the person who owns the technology the data resides on.
In the last few years, mobile devices have swept the country as a new platform of computing – yes, computing. An iPhone is much more than a phone just as an iPod Touch is much more than a music player. These devices (including droids, blackberrys, etc.) are becoming a huge platform for computing on the go. Even with their boom, it’s a relatively new market and just as other technology markets, it’s still learning, especially about security.
The public perception of the mobile device as “just a phone” has led people to underestimate what these mini-computers are capable of. With this new breed of functionality, comes new blobs of data that is stored on these devices. Users should be treating their smart phones just as they do their computers – using passwords, following safety recommendations, encrypting data when possible. Your phone is now becoming your second wallet – a repository of data relating to you, the user, that could be harmful if exposed or improperly used. Although sensitive, it’s this data that drives the smart functionality of these devices.
Surely Apple has thought of this in the design of the iPhone. Through several avenues, Apple is attempting to protect your data on these devices. Following simple steps you can treat your phone like a digital fortress and protect the information thats on it. For example, there are simple and easy techniques that you can take to protect your data, including this location information.
1) Enable Backup Encryption & Use a Lock Passcode
After connecting your iPhone to your computer, you can set a “Backup Encryption Password” in iTunes. This does more than just encrypt your backups – it actually encrypts all data that could be retrieved from your phone physically. In the event you loose your phone, this can prevent someone from just downloading all the data off your device. Using a Lock Passcode can also stop anyone from simply viewing data on your phone who might grab it.
2) Use Caution Surfing the Web, E-Mailing
Just as you can get viruses through malicious websites and emails on your computer, the same is possible on your device. (That’s actually how jailbreak.me works – it’s just exploiting flaws in your web browser). These devices are mini-computers, if a hacker can exploit the software running on your device, they can do virtually anything they want – including steal your sensitive data.
3) Be Careful Modifying Your Device (jailbreak)
Some will find this controversial, but I think it’s sound advice to all but expert users. The problem I have with the jailbreak system is it allows for anything to be run on your device. You break the walled garden approach of the App Store and in turn expose yourself to a world of malware you otherwise wouldn’t. This has shown in the Android Marketplace’s recent spike in malware. Also, system privileges are now changeable by a user and the software they install. This allows access to the filesystem on the phone – including consolidated.db. So while there may be an app to sanitize consolidated.db, their also might be an app that is secretly stealing your SMS or logging your usage in the jailbreak realm.
Mobile device security is only going to become a bigger issue. It’s in the best interest of all users to make sure they’re staying on top of this stuff. Finally, I want to start the discussion on some things that have been reported on lately.
Forensic Legal Issues
It has been reported on extensively that mobile devices are under fire from law enforcement. I think this is an interesting twist in the recent headlines of mobile data. In the world of forensics, we’ve known for some time that these devices contain lots of identifiable information. It’s troubling to hear accusations of law enforcement misusing forensic technology to incriminate or investigate. As someone who develops this technology, there are rules that Law Enforcement must abide by — the fourth amendment. It’s is in our EULA for Lantern that you may only use our software legally:
10. Illegal use. You may not (and You covenant not to) use the Software for any illegal purpose; for example, you may not use the Software to access a computer or device on which you do not have authorized access.
Fortunately, through Katana Forensics interaction with law enforcement, I have not witnessed any such misuse. My interactions with law enforcement have led me to respect their efforts to make sure their efforts present legal validity – warrants, chain of custody, and what not.
It’s in the best interest of the public to make sure they understand the 4th amendment and what their rights are under it and also examine their state’s law on electronic search and seizure. Knowing the law in your current area can help you as a technology owner keep your data secure from illegal search and seizure.
—
Overall, I don’t think Apple has wronged the public. I think they’ve tried to incorporate security measures into an extremely interactive and data rich product. Using simple security techniques, users can secure their data while maintaining functionality. I’d love to hear your comments – feel free to tweet me @alexlevinson with your feedback.
Alex Levinson 