Partners Divided On iPhone Geotracking Flaw

News that Apple's iPhone and iPad store users' geolocation information, both on the devices and on unencrypted files, has raised strong concerns from advocacy groups, but security solution providers are divided on the privacy implications of the flaw.

Apple came under fire earlier this week after it came to light that unencrypted data containing mobile location tracking information was stored on users' iPhone 4s and iPads, as well as on the computers used for device synchronization.

The unencrypted data consists of latitude and longitude co-ordinates and timestamps, and records MAC addresses of Wi-Fi access points near the device owners, and reveals the travels and specific geographic locations of the user -- sometimes within the second they arrive. The geotracking information is then stored without user notification. Apple has yet to state how it plans to address the flaw.

The recently illuminated Apple iPhone and iPad geotracking capabilities have raised strong privacy concerns from some users and watchdog groups, who assert that the flaw could put millions at risk from hackers or anyone else with access to the devices. Subsequently, Apple could be facing future privacy litigation as details of the flaw, and ultimately the implications of the data collections, unravel over time.

The breach is reminiscent of a Google incident last year in which its Street View cars unintentionally captured users' data , including e-mail addresses and contents of messages from open Wi-Fi networks, without their knowledge or consent as they drove by.

Rich Hyde, director of sales for Whitehall, Penn.-based EZMicro, said that he had serious concerns about the ramifications of a major company, such as Apple, tracking and gathering geolocation data on its users.

"It's the ultimate big brother watching, being able to track every place you've been," Hyde said. "Get it off the OS. If there's any need to track your whereabouts, like in a kidnapping or emergency, the cell companies can do that with the towers."

Hyde said that for example, if stolen or sold, the captured location data could potentially be used by companies to track the comings and goings of competing sales people. "If they could see where a top sales person is going, they could pick out top clients pretty quickly. I'm sure companies would pay top dollar for that lead list," he said. "To track every single person, that's too much marketing information. It can get abused just like everything else."

However, at least one security solution provider said that he had "mixed emotions" about the flaw.

David Sockol, CEO of Santa Clara, Calif.-based Emagined Security, said that he wasn't too worried about the iPhone tracking flaw, mostly because he said the device was still under the owner's control and he had yet to see proof that Apple actually planned to do anything with the captured data.

"For the most part, the device is still in the iPhone owners' control. Even though they don't have access to get at the data or delete the data, it wasn't like Apple was taking the data off and doing something with it," Sockol said. "GPS units store the same data. Does that bother me? Not really. In this case, we just didn't know if was going on."

Next: Consumer Devices In Workplace Top Of Mind For CISOs

However, Sockol said that security issues around consumer devices, in particular the iPhone and iPad, have become top of mind with customers' CIOs over the last year.

"2011 and 2012 are definitely the years for corporations to figure out how they enable the use of smart mobile technologies," he said. "There are projects all over the place. Companies are trying to figure out how they're going to enable the iPhone and iPad. These companies are starting to move away from always having to purchase their own corporate technology and force the users to use it, and move into more 'how are we going to allow the user to buy their own technology and bring it in our environment?'"

Sockol said that the anticipated migration to iPhones, iPads and other consumer devices in the enterprise will likely open up untold opportunities for solution providers, particularly on the security front, starting with consulting and assessment services and followed by actual implementation services.

"Corporations are starting to assess how they are going to enable this," he said. "There are lots of questions that they just can't answer easily right now. And I think we're going to find new technologies available to resell in to the market."