Apple Knows Where You Are: Sniffing the iPhone Location Service in 1.1.3

When Apple announced yesterday that the iPhone would now be “location-aware” with the release of their 1.1.3 software, I was curious how they had done it.

I’ve been working with location information quite closely (see Twittervision, for example) for the last year or so and have had some conversations with different companies about how Apple might geo-enable the iPhone.

There are three options available:

  • GPS
  • Cell Tower ID
  • Wifi Access Points

GPS is not an option at present. E911 laws in the US have required carriers to provide location information for some time, but that could be via GPS or from cell tower triangulation data. TruePosition makes this their entire business, and is the primary location information provider for AT&T and T-Mobile in the US. A pretty cozy gig, eh? They do this by way of tracking cell tower information within the network, from what I understand.

GPS may be an option later if Apple adds an AGPS (assisted GPS) chipset to the iPhone or supports external Bluetooth GPS units, but external Bluetooth will never be a true mass market phenomenon, and AGPS is at least going to have to wait for the next iPhone refresh, probably not until next year.

Cell Tower ID is another option. Carriers know where their cell towers are (we hope), and by comparing the signal strength and the intersection of multiple cell tower antenna distribution patterns, you can make a pretty fair guess about where the user is. It’s not always spot-on accurate, but it’s pretty close.

Wifi APs are the third option. There are millions of Wifi AP radios running around the world at this point, and for the most part, they tend not to move around that much. They do, however, come and go from time to time. Still, there are a lot of them, and with a modest investment in driving around populated areas, one could build up a pretty accurate database of which APs are where. That database could then be sold to people who want to know where their Wifi client radios are.

This is exactly what my friends up at Skyhook Wireless have done. You can try out their Loki service for your laptop (Firefox/IE plugin). Suddenly, if you have Wifi, you also have a pseudo-GPS capability.
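To make the Wifi-database idea concrete, here is an added example (not Skyhook's or Apple's algorithm) of the simplest positioning method such a database supports: an RSSI-weighted centroid of the surveyed positions of the APs a client can hear. The BSSIDs, coordinates and scan results are constructed for illustration. It also handles the failure mode mentioned above, an AP that was moved after the survey, by dropping database entries that lie implausibly far from the strongest AP heard.

```python
"""Weighted-centroid Wi-Fi positioning against a surveyed AP database.

Added example, not Skyhook's or Apple's algorithm. The database, BSSIDs,
coordinates and scan results below are constructed for illustration.
"""
import math

# Constructed survey database: BSSID -> (lat, lon) where the AP was seen during a drive-by.
AP_DB = {
    "00:11:22:33:44:01": (38.9784, -76.4922),
    "00:11:22:33:44:02": (38.9790, -76.4910),
    "00:11:22:33:44:03": (38.9775, -76.4935),
    "00:11:22:33:44:04": (38.9950, -76.5000),  # recorded ~2 km away; the AP has since moved
}

# Constructed scan from the client: (BSSID, RSSI in dBm). Unknown BSSIDs are ignored.
SAMPLE_SCAN = [
    ("00:11:22:33:44:01", -55),
    ("00:11:22:33:44:02", -65),
    ("00:11:22:33:44:03", -70),
    ("00:11:22:33:44:04", -60),  # heard strongly, but its database position is stale
    ("aa:bb:cc:dd:ee:ff", -50),  # not in the database at all
]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    earth_radius_m = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * earth_radius_m * math.asin(math.sqrt(h))


def rssi_weight(rssi_dbm):
    """Linear-power weight: -50 dBm counts ten times as much as -60 dBm."""
    return 10 ** (rssi_dbm / 10.0)


def estimate_position(scan, ap_db, outlier_m=500.0):
    """Return {'lat', 'lon', 'used', 'dropped'}, or None if no heard AP is in the database.

    The strongest known AP anchors the fix. Any database entry farther than
    outlier_m from that anchor is treated as stale (the AP moved after the
    survey) and dropped before the RSSI-weighted centroid is computed.
    """
    known = [(bssid, rssi) for bssid, rssi in scan if bssid in ap_db]
    if not known:
        return None
    anchor_bssid = max(known, key=lambda entry: entry[1])[0]
    anchor = ap_db[anchor_bssid]
    used, dropped = [], []
    for bssid, rssi in known:
        bucket = used if haversine_m(ap_db[bssid], anchor) <= outlier_m else dropped
        bucket.append((bssid, rssi))
    total = sum(rssi_weight(rssi) for _, rssi in used)
    lat = sum(ap_db[b][0] * rssi_weight(r) for b, r in used) / total
    lon = sum(ap_db[b][1] * rssi_weight(r) for b, r in used) / total
    return {
        "lat": lat,
        "lon": lon,
        "used": sorted(b for b, _ in used),
        "dropped": sorted(b for b, _ in dropped),
    }


if __name__ == "__main__":
    print(estimate_position(SAMPLE_SCAN, AP_DB))
```

With the constructed scan, the stale fourth AP is dropped and the fix lands a few metres from the strongest AP, which is the "accurate Wifi position" behaviour described later in the post; a real service would add better outlier logic and confidence radii, but the core idea is no more than this.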

Judging by the fact that Skyhook invited me to stop in and see them today at MacWorld (which I would have loved to do, but am sadly unable due to my being at home in Maryland this week), it seems Skyhook got the contract to provide some location data to Apple. Apparently, the iPhone uses both Cell Tower ID and Wifi (Skyhook) data for location, while the iPod Touch uses Skyhook exclusively. Good Job, guys!

This explains why when I went to see Skyhook in June and said that a company like Apple might be very interested in their technology, there was a definitive “no comment.” This happens a lot; companies like to protect what might be a very early-stage negotiation, or even an intention, a lot of the time. But in this case it looks like Skyhook bagged what might be their killer deal.

Yesterday, I succumbed to the hype and “Revirginized” my iPhone (we had been engaged in some unsavory hacking) so I could safely install the new 1.1.3 software update that Steve said would be available. The revirginizing and upgrade went as clean as could be, and now my phone is running 1.1.3.

I thought I might “inspect” what the phone is doing when you do a location lookup. I have a bunch of resources on my home network, including a multipurpose Linux server, so I thought if I could pass the iPhone’s traffic through the Linux box, some tools like ngrep and tcpdump might reveal what exactly happens when the iPhone tries to position itself.

Well, turns out I was mostly right. In typical Apple fashion, though, they’re keepin’ it real with HTTPS, revealing nothing very interesting about how the location information works.

The iPhone is 192.168.1.199 and my proxy is 192.168.1.10.

Here’s what I saw:

T 192.168.1.199:49311 -> 192.168.1.10:2525 [AP]CONNECT iphone-maps.apple.com:443 HTTP/1.0.Host: iphone-maps.apple.com.User-Agent: Apple iPhone v1.1.3 Maps v1.0.0.4A93.

T 192.168.1.10:2525 -> 192.168.1.199:49311 [AP][..HTTPS DATA...]

T 192.168.1.199:49311 -> 192.168.1.10:2525 [AP][..HTTPS DATA...]

So, alas, nothing to see here, really… move along. However, we do now know that Apple is grabbing data from the phone via HTTPS, processing it network-side, and rendering a response to the phone about its position. We do not, for example, see separate calls from the phone to Skyhook, Google, or elsewhere; that could still be happening on Apple's side, but we can't verify it from here.

After the HTTPS call, we see this unencrypted call:

T 192.168.1.199:49313 -> 192.168.1.10:2525 [AP]POST http://iphone-wu.apple.com/glm/mmap HTTP/1.1.Accept: */*.Accept-Language: en.Accept-Encoding: gzip, deflate.Cookie: s_vi=[CS]v1|46B904DB00003607-A290B210000599B[CE]; s_nr=1199572400032.User-Agent: Apple iPhone v1.1.3 Maps v1.0.0.4A93.Content-Type: application/x-www-form-urlencoded.Content-Length: 145.Connection: keep-alive.Proxy-Connection: keep-alive.Host: iphone-wu.apple.com.

...

T 192.168.1.199:49313 -> 192.168.1.10:2525 [AP]..*..m..DN..en_US..com.apple.iphone.1.0.0.4A93......@.......?...&_...>....&`...>.......&]...>....&^...>....&\...>....&_...>....&[...>....&`...>.

T 192.168.1.10:2525 -> 192.168.1.199:49313 [AP]HTTP/1.1 200 OK.Date: Wed, 16 Jan 2008 12:38:31 GMT.Server: GFE/1.3.Content-Type: application/binary.Content-Length: 113.Cache-control: private.Connection: close.

Not sure what this all is, but it looks like it has my iPhone serial number in there. It’s so nice that Apple wants to know so much about my phone, its serial number, its position. Why, if DHS ever has any doubts about me, perhaps they could simply just ask Apple? Maybe they know where I am.
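The capture above is the interesting part from a privacy standpoint: the CONNECT tunnel hides its contents, but the second request goes out in plain HTTP with cookie identifiers attached. Below is an added example (not code from this post, and not an Apple or Skyhook tool) that parses ngrep records of that shape and summarises what anyone on the network path could read. The records are constructed to mirror the capture above; ngrep prints non-printable bytes, including the CRLF between headers, as `.`, which is why headers run together. The `s_vi` cookie value is a placeholder.

```python
"""Classify proxied iPhone traffic records by what a network observer can read.

Added example; not part of the original post and not an Apple or Skyhook
tool. Records are constructed to mirror the post's ngrep capture, in which
non-printable bytes (including the CRLF header separators) print as '.'.
"""
import re
from urllib.parse import urlparse

# Constructed records in the same shape as the post's capture (s_vi value is a placeholder).
CONSTRUCTED_RECORDS = [
    "T 192.168.1.199:49311 -> 192.168.1.10:2525 [AP]CONNECT iphone-maps.apple.com:443 HTTP/1.0."
    "Host: iphone-maps.apple.com.User-Agent: Apple iPhone v1.1.3 Maps v1.0.0.4A93.",
    "T 192.168.1.10:2525 -> 192.168.1.199:49311 [AP][..HTTPS DATA...]",
    "T 192.168.1.199:49313 -> 192.168.1.10:2525 [AP]POST http://iphone-wu.apple.com/glm/mmap HTTP/1.1."
    "Accept: */*.Accept-Language: en.Cookie: s_vi=[CS]v1|EXAMPLE-ID[CE]; s_nr=1199572400032."
    "User-Agent: Apple iPhone v1.1.3 Maps v1.0.0.4A93.Content-Type: application/x-www-form-urlencoded."
    "Content-Length: 145.Host: iphone-wu.apple.com.",
    "T 192.168.1.10:2525 -> 192.168.1.199:49313 [AP]HTTP/1.1 200 OK.Date: Wed, 16 Jan 2008 12:38:31 GMT."
    "Server: GFE/1.3.Content-Type: application/binary.Content-Length: 113.Connection: close.",
]

RECORD_RE = re.compile(r"^T (\S+):(\d+) -> (\S+):(\d+) \[[A-Z]*\](.*)$")
REQUEST_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d\.")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3}) ([^.]*)\.")
# A header starts after a '.' (the former CRLF) and ends before the next header or end of record.
HEADER_RE = re.compile(r"\.([A-Z][A-Za-z-]*): (.*?)(?=\.[A-Z][A-Za-z-]*: |\.?$)")


def parse_headers(rest):
    """Recover 'Name: value' pairs from the dot-joined header block."""
    return {m.group(1): m.group(2) for m in HEADER_RE.finditer("." + rest)}


def parse_cookies(cookie_header):
    """Split a Cookie header into {name: value}; unnamed fragments are dropped."""
    cookies = {}
    for part in cookie_header.split("; "):
        name, _, value = part.partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_record(line):
    """Turn one ngrep record into a dict describing what is readable in it."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an ngrep record: %r" % line)
    src, sport, dst, dport, payload = m.groups()
    rec = {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "kind": "opaque",
           "headers": {}, "cookies": {}}
    req = REQUEST_RE.match(payload)
    status = STATUS_RE.match(payload)
    if req:
        method, target = req.groups()
        rec["headers"] = parse_headers(payload[req.end():])
        if method == "CONNECT":
            rec["kind"] = "connect"   # proxy tunnel request; everything after it is TLS
            rec["target"] = target
        else:
            rec["kind"] = "request"   # plain HTTP: URL, headers, cookies and body are all readable
            rec["method"] = method
            rec["url"] = target
            rec["cookies"] = parse_cookies(rec["headers"].get("Cookie", ""))
    elif status:
        rec["kind"] = "response"
        rec["status"] = int(status.group(1))
        rec["headers"] = parse_headers(payload[status.end():])
    return rec


def audit(records):
    """Summarise hosts reached through TLS vs. in the clear, and identifiers exposed in the clear."""
    summary = {"tls_tunnels": set(), "plaintext_hosts": set(),
               "plaintext_cookies": set(), "user_agents": set()}
    for rec in records:
        user_agent = rec["headers"].get("User-Agent")
        if user_agent:
            summary["user_agents"].add(user_agent)
        if rec["kind"] == "connect":
            summary["tls_tunnels"].add(rec["target"])
        elif rec["kind"] == "request":
            host = rec["headers"].get("Host") or urlparse(rec["url"]).netloc
            summary["plaintext_hosts"].add(host)
            summary["plaintext_cookies"].update(rec["cookies"])
    return {key: sorted(values) for key, values in summary.items()}


if __name__ == "__main__":
    print(audit([parse_record(line) for line in CONSTRUCTED_RECORDS]))
```

Run against the constructed records, the audit reports one TLS tunnel to `iphone-maps.apple.com:443`, one plaintext host (`iphone-wu.apple.com`), the `s_vi` and `s_nr` cookie names sent in the clear, and the Maps User-Agent string. The CONNECT line is readable here only because the phone was pointed at an explicit proxy; the plaintext POST, by contrast, is readable to anyone on the path regardless of proxying, which is the kind of exposure that matters on a shared or public access point.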

What is Apple’s position (pun intended) on customer privacy, now that they seem to be in the location data business?

Other firms like Boost Mobile’s Loopt service have gone to great (ridiculous) lengths to inform their customers about location data privacy and to protect collected data. So as to avoid potential problems, Loopt does not even save a location track for its users, but instead stores only the current location of the user. (This was the case when I spoke with them in May 2007.) They figure this makes them less of a honeypot for DHS types, and keeps their customers happy.

I have never believed that consumers are as paranoid about location data as the press (and the most paranoid among us) would have us believe. Most people are willing to generate, share, and publish some limited amount of location data if it provides some value to them in return and they can control the data sufficiently.

What seems like a simple software update for the iPhone is actually the consent of millions (4M+ according to Steve) of users to potentially publish their location information. And not just for the iPhone, but for the iPod Touch as well.

Now the question is what a theoretical 1.2.0 software release might hold: location of your iChat buddies? Location-enabled Twitter clients (using the Twittervision API)? Your friends conveniently plotted on the Google Maps client? All of this is now theoretically possible with the iPhone and iPod Touch, and Apple holds the keys.

It will be very interesting to see how the iPhone SDK (Software Development Kit) works next month. If Apple opens up this location service to third party developers, we can expect to see some very interesting applications emerge this year.

The fact that the location service is not down to meter-accuracy is irrelevant (it put me, alternately, within a few feet of my house and across the river at the Annapolis Mall — I suspect because it was alternating between an accurate Wifi position and a more general cell tower position). To make social location services work, all we really need to know is generally where someone is (nearby) and that they are really there (device has reported location).

There are plenty of apps where approximate location is sufficient (stores nearby, friends nearby, homes for sale nearby, etc). Only for driving-direction or aviation applications do you need meter-accuracy. A later update to the iPhone hardware with an AGPS chipset will solve that problem, but even without that, this opens up an amazing array of possibilities.

Mostly, great credit should go to Apple for pushing out a technology so seamlessly, so effortlessly, that so many others have found so problematic and full of legal and perceived landmines. This is a big deal. Skyhook, Loopt, uLocate, Nokia, Navizon, and dozens of others have been grasping for this holy grail for some time, and they’ve been told variously that it’s “impossible to get the data,” or that “consumers won’t go for it”, or that “no one would fund it.”

Apple did it via iTunes with a software update. Agree? Kudos, Steve.

4 comments

#1 doylewalt on 01.16.08 at 2:21 pm

Thorough and thoughtful post Dave – agree with you on all fronts. It will be interesting to see how “open” location becomes with the SDK release and/or at what cost.

Best –

Walt

#2 rodbegbie on 01.17.08 at 9:17 pm

What makes you think your serial number is being reported to Apple? I don’t see anything in that sniff that resembles an iPhone serial number.

If you’re referring to the “s_nr” field: Can you check whether or not it is always the same value whenever you use it, and if it is unique to your phone?

#3 Dave Troy on 01.17.08 at 9:47 pm

rodbegbie – I agree that it’s not clear what the nature of those fields is. I have a hard time believing, though, that there is not some piece of information transmitted that cannot be correlated to my identity.

In fact, in the case of the SSL transmissions, there is no way to verify it at all. Apple’s lack of a definitive disable mechanism for location services is also at odds with their SLA.

I will be following up on this in the next few days, as you suggest, to see if we can understand a little better what the transmitted information is. In the meantime, I hope this starts some conversation and investigation into the topic.

#4 jason on 12.15.08 at 8:21 pm

Well, iPhone’s security is a little lame… I was reading an article here http://www.greyhatindia.com/2008/12/16/protect-your-iphone-from-getting-sniffed-on-wifi/ which clearly scared me about using the iPhone email on public APs.

Let’s see if Apple does something in the future.