iOS - The Tile Strikes Back

 Last year I posted about the Tile for Android app here that I felt was tracking a lot of information for just a few days worth of data gen. Over the past year, I've kept the Tile application running on my iOS app to see what would come about it. Oooooo boy was I surprised at how much data this application is collecting AND storing locally on its users. 

So if you're not familiar with Tile, it's a bluetooth gadget tracking application. While they started with small tags you could attach to your keys, they have become engrained in several other companies products such as SkullCandy, Nomad, Bose, Plantronics, and even HP. These products have now incorporated Tile's bluetooth tracking and beaconing systems into them. Let's take a look at some numbers from Tile's website about how many devices and commonly "found." 

One other link I should mention is Tile's Privacy Policy found here. Here's a small quote I found incredibly interesting: 

While the app is running on your device, it periodically transmits your Location Information. This allows us to show you, on your map, the last place your Tile was seen by your device (“Last Place Seen”). It is one of the primary ways Tile helps you find your lost items.

Tile normally only displays the latest Location Information update for each of your Tiles in your app, to provide the Last Place Seen. For Tile Premium users, Location Information for each Tile is displayed in your app for up to 30 days, to support the Location History feature. In both cases, Tile does this so you can find the most recent Location Information for your Tiles, in case you lose them.

Location Information is archived separately from your account data in a way that, alone, it is not associated with your account or registration data using a process called pseudonymization. Tile keeps this archival data so we can answer general questions unrelated to any person, such as “How many Tiles were in London in 2016 versus 2017?”

We may also collect and update Location Information for your Tile(s) from other Tile users who are running the Tile app or from other third parties that are using an app or device that has integrated the Tile functionality (each, a “Tile Finder”) within Bluetooth range of your device. We do this to provide you with the most recent and accurate location of your Tiles, even if they are out of your devices’ Bluetooth range. These updates are fundamental to the Tile Community, which allows Tile Finders to help each other find their lost Tiles. Likewise, your app may anonymously help other community members find their Tiles! The Location Information is reported to Tile owners anonymously and does not identify the owner of a Tile to others and vice versa.

Hmmm. Lots of location information being collected and stored. For years at a time it seems. So how could we use this in our investigations? I'm going to present two scenarios. 

Scenario One: 

Suspect gives to the victim a "Tile" or tile-enabled product as a "gift." Nothing is thought of it other than a nice gesture. Why? Well now the victim is going to install the Tile application on his/her phone, so they can use the gift of course! Next, the suspect slips a tile-enabled product into the victim's bag, car, etc. Since Tile operates with a mesh network allowing users to report when it runs into another user's device, now the suspect has a way to effectively track the victim whenever they would like. 

Scenario Two: 

A device is recovered in the AFU state. The passcode is not known and therefore the location data is locked. However, a tile is found on the subject's keyring. A search of the device's available data shows that the Tile application is installed on the phone! With this, there will likely be location information capture by the Tile application and stored in this state. 

Hopefully your interest in the application's artifacts are now piqued. Let's take a look!

There's a couple of interesting databases that can be found outside of the "normal" location where most people look. Remember that iOS can divide its data into multiple locations. The Data/Application/ folder is the USUAL location where the AppID can be tracked to thanks to the ApplicationState.db. However, the more commonly overlooked area is tracking down a separate AppID to /Shared/AppGroup/. 

Finding the Tile application buried here we can find two separate databases of interest. One will store devices associated with this user's account found in com.thetileapp.tile-DiscoveredTileDB.sqlite. But there's another database that's used to track what device this phone has come into contact with previously. 

This database, the com.thetileapp.tile-TileNetworkDB.sqlite had recorded over 200 devices with device identifiers and set names as well as the local user's information. Part 2 of this post coming later this week will feature custom artifacts in AXIOM for these databases. 

Now, the last post mentioned log data, and I keep talking about location information. So where is it? Just like in the Android app, there's log data galore sitting behind in the main Containers/Application/Data folder if you know where to look! There's a smattering of location and diagnostic information scattered around but for the sake of those post I'm going to focus on the log files found in \private\var\mobile\Containers\Data\Application\[APPID]\Library\log\. There is one main log as well as several .gz zipped log files for historical data. On my device, these logs went back for months and commonly recorded where my devices were as my iOS device would interact with them and other tile devices out in the wild. 

How can we extract just the location information in here? If you have a specific set of latitude or longitude information you can just search for it using a tool like Notepad++. In order to see ALL of the geolocation points though, I like to use Notepad++ to do a Regex Search: <(-?[1-9]+(\.[0-9]+)?,-?[1-9]+(\.[0-9]+)?)> instead to see what can be recovered. In a future post, I'm going to work on a way to export these location points to a more easier to review CSV dataset.

Why would Tile choose to keep this data locally? Well there's a Premium service that will allow you to view your device's history for the last 30 days so this makes sense for a quick rendering of the information. Even WITHOUT a premium account, you can still see a good bit of location data as long as you know where to look.

To summarize our two earlier mentioned scenarios, how can this this help us? Scenario One, our victim hands over their phone, the database and log files are used to see that the user's devices are commonly coming into range of another tile device. This device's ID is sent to Tile who then identifies our suspect's account data. Scenario Two, we use the subject's AFU data to review several location points that may be useful as well as retrieving the user's account data to be sent to Tile for potential additional data. In addition, tracing through the logs and databases may show you OTHER tile devices this user came in contact with as well.

Stay tuned for part 2 where I'll be providing some additional custom artifacts for finding location data, user account info, and registered Tile devices! Until next time!