Thursday, April 21, 2011

iPhone app that lies about where you've been

So there's this guy who wrote an app that scrubs your iPhone backups and looks for bits about where it's been. Then he made a website about it, and made a big deal out of how this is a security problem, and that Apple is secretly keeping tabs on you or something.

Of course, it's mostly bullshit. But that's how you make a name for yourself in the 'security' field. It's just like a 'real' magic show. You tell the audience what to think, you show off some parlor trick that makes it look like you were right, then lie to the audience about what they just saw.

As a general rule, any time someone comes out of the blue with a 'HOOJ SEKURITEE HOLEZ!!' or something like that, it's to get attention. It's usually not something serious.

But let's look at the claims. He says his app will retrieve detailed information about where you've been, thanks to data stored in the backups of your iPhone. Then he has some movies that 'prove' it.

Unfortunately, he's making a number of assumptions that aren't quite accurate about the state and location of the user's files. That might explain why his app doesn't work on *ANY MAC I OWN*.

That said, it has worked on a number of my friends' Macs, so at least that claim is valid sometimes. There are still a few hurdles that make this a less than serious problem.

A Fully Compromised System

First, it relies on the backups of your iPhone. Do you know what it takes to get to the backup files for your iPhone? Full, unhindered access to your personal files, on your Mac.

The files this app uses are in a section of the Mac's file system that is effectively hidden from every user on a Mac except the owner of the files themselves. That has to be the same user who backed up the iPhone. In other words, had this app worked on my system, it would only work if the user had fully compromised the security on my Mac to begin with.

Plaintext Backups

Also, as stated on his page, if you're using encrypted backups, this isn't an issue at all. He's just trawling the backed-up files and looking for data. If you're not worried about someone gaining full access to your emails, address book, passwords, etc., but you are somehow worried about people finding out where you've been *after* they have all that other info, you should know that you can encrypt your backup files. Every time you plug in your iPhone, it will (normally) open iTunes. There's an option there. It's a checkbox that says, "Encrypt your backups" or something equally hard to figure out. Click it. Problem solved in one step.

Apple Is Not Collecting Anything, You Are

He says "Why is Apple collecting this information?" as if Apple is collecting the information. A backup of every document on your iPhone is a *backup*, it's not magical fairy wishes. It contains copies of the data. Apple isn't collecting it, your computer is collecting it. That's what a backup is. If someone were to steal the backup of my personal files, well, I'd wish them luck getting some of those images out of their head. But whether or not they knew where my iPhone had been would be the least of my worries. I have a hard drive that sits next to my computer, most of the time. I have backups of all kinds of things on there, including emails. I'd be more afraid of that kind of info getting into enemy hands, than my physical location.

Your other apps have to work

Okay, they're backups of files. But why back up this particular info? Well, it turns out that other apps on your iPhone rely on the GPS data, too. For example, if you've used the Maps app to chart your location through the mountains, you can still use that info while you're on the mountain, out of GPS range. It will just show your last location on the mountain. Why? Because it has to use some location. iPhone apps don't stay in memory all the time, so if you didn't launch your Maps app recently, it wouldn't know what your last location was, unless the iPhone was storing it. See how that works?

I'm working with a friend on an app that uses GPS locations also. We're kinda relying on it being able to tell us where we were last time it knew, every time the app runs. We don't store this information, because we know the iPhone is going to give it to us on demand, and that it will at least try to be accurate. In order for this type of app to work, the iPhone absolutely has to store the data somewhere.

Never Take Photos

Besides, all iPhone photos are geo tagged by default. So if they can just get ahold of your photos, that's enough to tell a lot about where you were. And why go to this much trouble? Do you use Foursquare? Do you use Facebook? Those also track (and publicly display) where you've been.

But most annoying to me, as a 100% total Mac Fanboi, is the fact that his shitty app doesn't fracking work on any of my Macs. He's clearly unfamiliar with the awesome that is the Macintosh User Experience™. He's wasted several minutes of my time today with an app that doesn't work, and he's talkin' trash about my favorite platform.

It is interesting, at least to me, that I can get a series of locations I've been from the iPhone. But the list is not complete, or accurate, unfortunately. This is an interesting side effect of how Apple's iPhone collects GPS data, but it is by no means a serious security issue, or even a reliable source of information.


No comments: