iOS devices, like other devices, have long tracked your location based on your preferences. Cell carriers have for years kept data matching user > handset > tower, but the government could only access it via a court order. This has only been complicated further by GPS location services, which a host of applications and companies use for various purposes, often without the user fully understanding the implications. A malicious actor with physical access to the device can access location data, so administrators and users should consider these new risks and mitigation methods.
Apple iPhones keep a SQLite database of your locations based on WiFi and cell tower information. This information is not shared, but physical access to your device or computer can allow a malicious actor to access it.
Risk re-evaluation specific to iOS devices, with points to consider for all mobile devices:
- This is nothing new; a host of services use location information, and you need to consider the risk individually.
- If the iOS device is stolen, a thief can access this data on your iPhone along with a host of other data on your phone.
- Backups of iOS devices which are not encrypted allow a user with access to your computer to extract information about your iPad or iPhone, including location information related to cell towers and WiFi networks (roughly where you have been).
- Remove all iOS backups from all backup tapes or Time Machine backups.
- iOS devices used by high-profile employees overseas may become the targets of attacks aimed specifically at gaining access to their iPhones to determine their movements.
- Backups in iTunes of iOS devices are not encrypted by default.
- iOS devices may not be registered for remote wipe or protected with Passcode Lock.
- The collected data is not shared with Apple unless the user opts in to location services.
- Various phones and applications use location services; consider the risk before opting in.
What users should do to mitigate risk:
- If traveling with an iOS device and laptop, make sure to remove all old backups and then create a new encrypted backup.
- If traveling overseas, consider leaving your iPhone at home or be prepared to destroy the device.
- Sign up for Find My iPhone so you can remotely wipe and lock the device.
- Do not sync your iPhone on any public computers or computers outside your trust zone.
- Use the Passcode Lock feature, and make sure the passcode uses numbers and letters and is 12 characters or more.
- Remove old backups of iOS devices from all machines, backups and Time Machine backups.
- Create new, encrypted backups of iOS devices.
- Review with whom and how you share location services; not all of it is bad, and it can be useful for certain business functions.
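The backup items above can be checked mechanically. The following is an added example, not code from the original post: it walks an iTunes/MobileSync backup folder and reports which backups are not encrypted, assuming each backup directory carries a Manifest.plist with an IsEncrypted flag and that backups live at the default macOS path shown; the function names and the sample tree are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumption: default iTunes backup folder on macOS (not stated in the post).
DEFAULT_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"


def audit_backups(root):
    """Return (backup_dir_name, status) for every backup directory under root."""
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    for backup in sorted(p for p in root.iterdir() if p.is_dir()):
        try:
            with (backup / "Manifest.plist").open("rb") as fh:
                manifest = plistlib.load(fh)  # handles XML and binary plists
            # Assumption: IsEncrypted is the per-backup encryption flag.
            status = "encrypted" if manifest.get("IsEncrypted") else "UNENCRYPTED"
        except FileNotFoundError:
            status = "no-manifest"  # incomplete or foreign directory: review by hand
        except Exception:
            status = "unreadable"  # corrupt plist: treat as unverified
        findings.append((backup.name, status))
    return findings


def build_sample_root():
    """Create a constructed backup tree (sample data, not real device backups)."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync-sample-"))
    samples = {
        "sample-device-a": {"IsEncrypted": False},
        "sample-device-b": {"IsEncrypted": True},
        "sample-device-c": None,  # directory without a manifest
    }
    for name, manifest in samples.items():
        (root / name).mkdir()
        if manifest is not None:
            with (root / name / "Manifest.plist").open("wb") as fh:
                plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
    return root


if __name__ == "__main__":
    # Swap in DEFAULT_ROOT to audit a real machine.
    for name, status in audit_backups(build_sample_root()):
        print(f"{status:12} {name}")
```

Anything not reported as encrypted is a candidate for removal and replacement with a new encrypted backup; run the same check against restored Time Machine or tape copies of the backup folder.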
Consider these risks and re-evaluate regularly. Alex Levinson has a really good write-up on the subject, and we included a dump of SELECT * FROM sqlite_master where type='table'; please visit the reference links for more information.