LBS security: it's serious

John C. Tanner
17 May 2011

Last month was a fun one for the location-based services sector, as we all learned the shocking truth that knowing your location on a mobile phone map involves the handset actually knowing where you are.

I mean, who could have possibly seen that coming?

I'm being snotty, I know. I just found last month's media/blog freakout over iPhones and Android phones "tracking" users humorous in the sense that so many users expressed shock that phones that have had GPS chips and mapping apps worked by keeping track of your location and storing the data locally for when you pass through the same location more than once.

Of course, the actual scary bit wasn't so much the tracking part as the security risk unveiled with it.

To summarize:
Forensic researcher Alex Levinson figured out that you could create a map showing where your iPhone has been via a location cache file on the device. Shortly afterward, security researchers Pete Warden and Alasdair Allan released an app that could take that info and map it out for you. Shortly after that, developer Magnus Eriksson demonstrated that Android smartphones store the same type of data.

Which sounds sinister - hence the initial sensationalist headlines, many of them thanks to US politicians demanding to know why Apple and Google were doing this - but is apparently designed to gather data for a location database that helps both companies improve their LBS capabilities.

The bigger problem is that the files are apparently unencrypted by default. They do require root access to read, but anyone who can get root access can read them easily and map out the data. According to an Ars Technica report, this is a slightly bigger problem for Apple than for Android, because iPhones and iPads create backup files of the location data on a user's computer whenever the devices are synced to iTunes - which means someone could access the file without actually having access to the iPhone. The same file for Android would have to be accessed directly from the handset.

Another difference - Android collects less data and for shorter time periods. According to Eriksson, Android limits its cache to the 50 most recent entries for cell tower triangulation and 200 entries for Wi-Fi locations, with older data overwritten by new data. The iPhone data, by contrast, appears to store everything up to ten months, according to

Both Apple and Google have said that the data is anonymized to prevent users from being identified, but that might not matter much if the bad guy knows whose iPhone they nabbed.

It's about trust

The good news is that this is fixable from a security standpoint. The bad news is that it's unlikely to hurt (or even slow down) smartphone sales or apps download rates - which is bad in the sense that some players in the mobile value chain may conclude they have less incentive to take this sort of thing seriously.

Hopefully, however, the outrage and fallout over this latest incident will make clear to Apple, Google, cellcos, apps developers and everyone in the mobile value chain that location-based services thrive on trust more than ever before, and that needs to be taken seriously - not least because the LBS market is only going to get bigger on the handset front alone. According to Berg Insight, global shipments of GPS-enabled GSM/W-CDMA handsets increased almost 97% in 2010 to 295 million units, and will grow at almost 29% CAGR to reach 940 million units by 2015.

The more common location-enabled devices become, and the more powerful they become in terms of how much data they can store, and the more users are able to unwittingly create these massive digital footprints of themselves, the more that everyone in that value chain needs to ensure that the data in that footprint is protected - not just from criminals, but unscrupulous marketers, corrupt police agencies, psychotic ex-boyfriends/girlfriends and whoever else might misuse such information.

Related content

No Comments Yet! Be the first to share what you think!