iPhones and iPads store users’ location data in clear text unencrypted

iPhones and iPads track users locations and store these details in an unencrypted file on the devices as well on the users’ PCs, according to a finding by researchers. Collection of such data started with Apple iOS4. It is stored as a SQLite file on iPhones and iPads with 3G feature, says Pete Warden, the founder of Data Science Toolkit and a former Apple employee, and Alasdair Allan, a senior research fellow at the University of Exeter.

Called consolidated.db the fie is stored in the iOS backups made by iTunes on the Mac or Windows PC used to synchronize the iPhone or iPad. The file is stored in clear text and includes locations' longitude and latitude, a timestamp and other information, including Wi-Fi networks in range of the device.

About 100 data points per day are logged to the file, said Warden and Allan in a video posted on the O'Reilly Radar blog.

"There can be tens of thousands of data points in this file," said the pair in the blog post.

Charlie Miller, a noted Mac and iPhone vulnerability researcher, and a four-time winner at the Pwn2Own hacking contest, says that while the data may be hard to extract remotely from an iPhone or iPad, but not impossible.

Miller added that if a hacker wants to view the location file on an iPhone remotely he would need to exploit a pair of vulnerabilities, one to hack Safari -- likely by duping the user into visiting a malicious site -- then another to gain access to the root directory.

Instead, he said the biggest threat was if a person lost his or her iPhone, or it was seized by authorities. "If you lose it, or it's taken when you're crossing a border, say, then the data is accessible," said Miller.