The file appears to be a cache of the GPS coordinates of cell towers that the iPhone (or iPad) hears. When a cell tower comes into range, the cache is checked to see if its location is known. If not, an online data base is queried, and the coordinates are added to the file.
The cache is used to perform "assisted GPS," in which the cache speeds up knowing approximately where you are, and 'real' GPS is used only to fine tune the data.
This makes location-dependent apps work a lot faster than they otherwise would.
Two O’Reilly media researchers, Alasdair Allan and Pete Warden, caused quite a stir yesterday when they published an article about a hidden file in iOS 4 that regularly records the position of your device. All iPhones running iOS 4.0 or later log your location to a file called “consolidated.db” (a plain SQL file) which contains latitude-longitude coordinates and a timestamp.
This information was published in December 2010 and had been known even earlier – but it largely flew under the radar.
In February 2011 Sean Morrissey and Alex Levinson previewed Lantern 2.0, which harvested data from consolidated.db, at the DoD Cyber Crimes Conference in Washington, DC:
Lantern 2.0 has been on the market for months now and performs the same functionality Mr. Warden’s utility does and much more. We correlate geolocational data embedded in images and third party application. We give you a geolocational timeline of events in list view showing much more than baseband logs within consolidated.db.
The problem is that Lantern is a commercial forensics application that sells for $600-$700 so it’s out of reach of the average user. If you’d like to see the effects of consolidated.db in action, simply download Warden’s open source, proof-of-concept OS X application iPhone Tracker and run it.
All iPhones appear to log your location to a file called “consolidated.db.” This contains latitude-longitude coordinates along with a timestamp. The coordinates aren’t always exact, but they are pretty detailed. There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there’s typically around a year’s worth of information at this point.
iPhone Tracker automatically finds the file in your last iPhone backup, and plots your location over time on a map. You can zoom in on specific areas on the map and even watch a time lapse animation of your phone’s location on a “heat map.” It even includes a dragable slider bar that lets you look at a specific moment in time. (Hint: you need to drag the little bar on the zoom meter, clicking + and - doesn’t work)
A screenshot of my iPhone Tracker heat map is posted at the top of the story. Here’s one of the duo’s demo videos:
Washington DC to New York from Alasdair Allan on Vimeo.
It’s amazing that this file is just sitting, unencrypted on your hard drive and available to anyone with access to your Mac (or its backups). What makes it even more nefarious is that this file stores almost a year’s worth of data dating back to whenever you installed iOS 4, which was released on June 21, 2010. And the data file is almost impossible to delete and it persist across device upgrades and backups and restores.
So what to do?
A. Don’t Panic.
there’s no immediate harm that would seem to come from the availability of this data. Nor is there evidence to suggest this data is leaving your custody. But why this data is stored and how Apple intends to use it — or not — are important questions that need to be explored.
B. Protect yourself by encrypting your backups through iTunes (click on your device within iTunes and then check “Encrypt iPhone Backup” under the “Options” area).
Apple needs to respond to the concerns brought up by researchers about consolidated.db immediately. It should start by pushing out a maintenance release that, at minimum, encrypts and hides the file.
More on the topic:
-
Your iPhone, iPad recording your every move? - Larry Dignan
Update: Andy Ihnatko reinforces my Don’t Panic advice:
- This database isn’t storing GPS data. It’s just making a rough location fix based on nearby cell towers. The database can’t reveal where you were…only that you were in a certain vicinity. Sometimes it’s miles and miles off. This implies that the logfile’s purpose is to track the performance of the phone and the network, and not the movements of the user.
- A third party couldn’t get access to this file without physical access to your computer or your iPhone. Not unless you’ve jailbroken your iPhone and didn’t bother resetting its remote-access password…or there’s an unpatched exploit that would give Random Person On The Internet root access to your phone.
- It’s pretty much a non-issue if you’ve clicked the “Encrypt iPhone Backup” option in iTunes. Even with physical access to your desktop, a no-goodnik wouldn’t be able to access the logfile.
Update 2: The forensic community has known about the consolidated.db file for a while now and has been using it. Alex Levinson notes that he’s provided data from pre-iOS 4 iPhones to law-enforcement:
Through my work with various law enforcement agencies, we’ve used h-cells.plist on devices older than iOS 4 to harvest geolocational evidence from iOS devices.
