Peter Warden and Alasdair Allan revealed their findings on Wednesday, in which they discovered that both the iPhone and 3G iPad are "regularly recording the position" of the device and saving them in a hidden file. The data is restored through iTunes with backups, and even across device migrations.
The researchers have concluded that Apple's collection of the data is "intentional," and contacted the company's product security team in an effort to find out the company's reasoning. They did not receive a response.
"What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device," Allan wrote. "It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released."
Location data is stored to a file called "consolidated.db," which includes latitude and longitude coordinates and a timestamp. The researchers said that while the coordinates are not "always exact," they are "Pretty detailed."
"There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there's typically about a year's worth of information at this point," Allan wrote. "Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself."
The researchers have also made it clear there is no evidence to suggest that the data is being sent to anyone. They have provided a public tool that allows users to look at their own stored location data.
For now, users can encrypt their backups through iTunes. This can be accomplished by connecting an iPhone or 3G iPad to a Mac or PC, clicking on the device within iTunes, and then checking the "Encrypt iPhone Backup" setting in the "Options" area.