Saturday, April 23, 2011

Android also collects users' location data -researcher

04/22/2011 | 10:23 PM

It's not just Apple that exposes data on the whereabouts of the owner of mobile devices running the iOS operating system - Google's Android does it too, according to a controversial researcher.

Samy Kamkar said that Android Map exposes the data Google has been collecting from "virtually all" Android devices and Street View cars.

"Android Map exposes the data that Google has been collecting from virtually all Android devices and Street View cars, using them essentially as global wardriving machines. When the phone detects any wireless network, encrypted or otherwise, it sends the BSSID (MAC address) of the router along with signal strength, and most importantly, GPS coordinates up to the mothership," he said in an entry on his site.

The "mothership" in this case was Google, he said.

A BSSID is the Basic Service Set Identifier or the Media Access Control (MAC) address, a unique physical identifier for networks.

Earlier this week, two researchers disclosed a hidden file in iPhones, iPads and devics running iOS 4 and later - "consolidated.db" - secretly records the owner's whereabouts.

The file is unencrypted and can be synced to a computer running Apple's iTunes software.

A separate story on the Wall Street Journal (WSJ) said that documents showed that Apple and Google smartphones regularly transmit their locations back to Apple and Google, respectively.

"Google and Apple are gathering location information as part of their race to build massive databases capable of pinpointing people's locations via their cellphones. These databases could help them tap the $2.9 billion market for location-based services—expected to rise to $8.3 billion in 2014, according to research firm Gartner Inc.," it said.

The WSJ story quoted Kamkar as saying an HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour.

It also quoted Kamkar as saying that the phone transmitted the name, location and signal strength of any nearby Wi-Fi networks, as well as a unique phone identifier.

Google declined to comment on the findings, the WSJ said.

The WSJ noted that the data that Kamkar observed being transmitted on Android phones did not include personal information.

For its part, Apple said that it intermittently collects location data, including GPS coordinates, of many iPhone users and nearby Wi-Fi networks and transmits that data to itself every 12 hours.

In a July 2010 letter to US state representatives Edward Markey and Joe Barton, Apple detailed what kind location information it collects from device owners.

According to Apple Analyst, the company may “collect and transmit cell tower and Wi-Fi Access point information automatically," and that "this information is batched and then encrypted and transmitted to Apple over a secure Wi-Fi Internet connection every twelve hours."

But even then, location information is only collected when one is using an application that requires his/her location such as Foursquare or Facebook Places, Apple Analyst quoted Apple's letter as saying.

Apple Analyst added that the only exception to this rule is that Apple will automatically collect cell tower information when a GPS-enabled device has location services turned on and is searching for a cellular network, as phones search for a network after dropping a connection or when first powering on.

Markey has since sent a letter to Apple CEO Steve Jobs to explain the data-gathering further.

"Apple needs to safeguard the personal location information of its users to ensure that an iPhone doesn't become an iTrack ... Collecting, storing, and disclosing a consumer's location for commercial purposes without their express permission is unacceptable and would violate current law. That's why I am requesting responses to these questions to better understand Apple's data collection and storage policies to make certain sensitive information can't be left behind for others to follow," a report on CNET quoted Markey as saying.

The WSJ said that, as early as last year, it found some of the most popular smartphone apps using location data and other personal information even more aggressively than this.

In some cases, it said that the apps share the data with third-party companies without the user's consent or knowledge.

Reviewing Kamkar's findings

The WSJ said that it hired a consultant to review the findings of 25-year-old Kamkar who, it said, has a controversial past.

It said that in 2005, Kamkar created a computer worm that caused MySpace to crash, and pleaded guilty to a felony charge of computer hacking in Los Angeles Superior Court, and agreed to not use a computer for three years.

Since 2008, Kamkar has supposedly been doing independent computer security research and consulting, and developed the "evercookie" last year. The "evercookie" is a tracking file that is difficult to remove from computers.

CNET: law enforcers knew of tracking logs

Another story on CNET said that law enforcement agencies had known since at least 2010 that an iPhone or iPad can secretly record its owner's whereabouts.

Computer forensics specialists said such location logs are not merely an open secret and have even become a sales pitch in attracting "customers."

"Among computer forensics specialists, those location logs--which record nearby cell tower coordinates and time stamps and cannot easily be disabled by someone who wants to use location services--are not merely an open secret. They've become a valuable sales pitch when targeting customers in police, military, and intelligence agencies," it said. - TJD, GMA News

No comments: