[liberationtech] iPhones/iPads secretly track 'scary amount' of your movements
Moxie Marlinspike
moxie at thoughtcrime.org
Thu Apr 21 13:26:53 PDT 2011

On 04/21/2011 03:31 PM, Nathan Freitas wrote:
> I believe the location data on iOS was stored in user data space
> readable by any app without special permissions. That was a chief
> concern of the O'Reilly post, not just that the data existed. This means
> a malicious app without root permission on Android could not access this
> location cache, though a law enforcement professional with the right
> hardware would most likely be able to.

I don't have an iOS device to test myself, but Charlie Miller's analysis
was that the iOS location data isn't accessible from installed
applications, and he's the domain expert I'd look to here.

If we're making comparisons, this means that a WebKit exploit alone
would yield no location information to an attacker on iOS, but the same
exploit would yield location data to an attacker on Android.

If we're worried about law enforcement, well, they can just use Sprint's
(and presumably others') automated location interface, right? [1]

I'm not sure that it's possible to make any clear distinctions between
the Android vs iOS privacy experience right now, but iOS is definitely
providing a more secure platform at the moment. Which is obviously a
problem that I'm interested in working on.

> 2) I checked my own personal Android device
> /data/data/com.google.android.location/files and it was empty. This is
> because I have the location features turned off in Android preferences.
> I don't believe there is a similar way to turn the data collection off
> in iOS. Again, I don't mind if this data is there, so long as I can
> choose when to turn on and off its collection.

If you want to use the coarse-grained location provider, Android not
only collects that locally but also constantly sends back information
about the 802.11 BSSID and cell tower IDs you're around. Given the
performance of the fine-grained location features, I doubt that most
people opt out of this (or even understand what's happening if they don't).

[1] http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html

- moxie
--
http://www.thoughtcrime.org