iOS Location Services and System Services ON or OFF?

A few weeks ago, I started working on a blog researching whether the device speed recorded in an iPhone database could be considered reliable and accurate. I was going to discuss some device settings in the blog, but I quickly learned the Location Services and System Services settings should be discussed in a bit more detail and decided to write a two-part blog. In part-one, I will be discussing the how to determine if specific application Location Services is ON or OFF and if System Services were turned ON or OFF when the data was acquired. In part-two, I will be discussing how those settings could affect the device speed that is recorded in the iPhone database. 

Forensic Question:

After an iPhone data acquisition, can we determine if Location Services was ON or OFF and which System Services were ON or OFF

Note: There has been previous research published about these settings, but it appears, based on what I have found, the research is a few years old. Here is a link to a SANS presentation by Sarah Edwards discussing her research for some of these settings:

SANS iOS Location Forensics Sarah Edwards @iamevltwin

Test Devices:

  • Apple iPhone 6s Plus MKV22LL/A A1687 – No Sim Card and no Mobile data
  • Apple iPhone Xs MTAL2LL/A A1920 – Has SIM card and mobile data

OS Versions:

  • iOS: 14.4.2 (18D70)
  • iOS: 14.6 (18F72)
  • iOS: 14.7.1 (18G82)
  • iOS: 15.0 (19A346)

Tools:

  • Cellebrite UFED 4PC 7.47.0.247
  • Cellebrite Physical Analyzer 7.47.0.58, 7.48.0.49 & 7.48.1.3
  • Magnet AXIOM 5.4.0.26185
  • ArtEx 1.6.0.0 & 2.0.0.4

Artifact Location:

  • \private\var\mobile\Library\Preferences\com.apple.locationd.plist
  • \private\var\root\Library\Caches\locationd\clients.plist

Extraction Methods that contained both com.apple.locationd.plist and clients.plist:

  • Cellebrite Advance Logical Full File System UFED 4PC – Checkra1n
  • Cellebrite Advance Logical Extraction – UFED 4PC
  • Magnet AXIOM Full Acquisition – Checkra1n
  • Magnet AXIOM Quick Extraction
  • ArtEx ArtExtraction – Full Extraction – Checkra1n
  • ArtEx ArtExtraction – Live Connection – Checkra1n

Settings > Privacy:

To check if Location Services is ON or OFF, you will navigate to Settings > Privacy. In Figure 1 Location Services is ON.

Figure 1

After the device data is acquired, how can we determine if Location Services was ON or OFF? The plist of interest is com.apple.locationd.plist.

This plist is located here: \private\var\mobile\Library\Preferences\

Once locating the plist, you will want to analyze the LocationServicesEnabledIn8.0 key which will have a True or False value.

  • True value means Location Services is turned ON
  • False value means Location Services is turned OFF

You will also want to analyze the LastSystemVerson key. This key will list the last/current iOS version, in this case it was iPhone OS14.4.2/18D70.

In Figure 2, Location Services is ON. We can see the com.apple.locationd.plist, the keys previously mentioned and their values.

Figure 2
Figure 2.1 iOS 15.0

In Figure 3, Location Services is OFF. We can see the com.apple.locationd.plist, the keys previously mentioned and their values.

Figure 3

Privacy > Location Services:

After determining Location Services was ON, we will review some of the applications using location services. Clicking on the Location Services button within the Privacy menu will bring us to a menu pictured in Figure 4. The applications listed are those using Location Services and a brief glimpse into the application settings. Notice in Figure 5, the applications pictured are all set to While Using the App. Let’s begin analyzing the Maps application.

Figure 4

When we click on the Maps application, we are presented with a new set of Location Services settings, seen in Figure 5. The settings for Maps are set to Allow Location Access While Using the App and Precise Location is ON.

Figure 5

Note: Please read through the resources for additional details about the differences when Precise Location is ON or OFF. When it is OFF it is also known as Reduced Accuracy.

We are going to review the plist that contains the Apple Maps Location Services settings to determine what was set when the device data was acquired. The plist of interest is the clients.plist. This plist is located here: \private\var\root\Library\Caches\locationd\.

The clients.plist contains the settings for applications and system services using location services. During this section of the blog, I will be focusing on the application settings for location services. In Figure 6, I have highlighted two applications, Apple Maps – com.apple.Maps and Apple Calendar – com.apple.mobilecal.

Figure 6

After reviewing the Apple Maps (com.apple.Maps) settings, seen in Figure 7, we can see the Maps application is set to Never Allow Location Access. Notice there is not an option to change between Precise Location or Reduced Accuracy.

Figure 7

Within the clients.plist, you will want to find the application you wish to analyze. During testing, I used ArtEx and Mushy to view the plist. To view the keys listed under the application, I had to click on the applications, in this instance that was com.apple.Maps. Depending on your plist viewing tool, you should expand the keys belonging to the application you are analyzing. The keys you will want to analyze are Authorization and CorrectiveCompensationEnabled, seen in Figure 8.

The Authorization key is the setting for Allow Location Access. During testing, I encountered two key values. I also found in some instances the Authorization key was missing or hidden:

  • 1 = Never
  • 2 = While Using the App
  • When the Authorization key is missing/hidden = Ask Next Time

Note: The Weather application had two settings that appeared to be similar. The two settings were While Using the App and While Using the App or Widgets. Both settings had a value of 2 in the plist during testing.

The other key we want to analyze is the CorrectiveCompensationEnabled key, which is the setting for Precise Location. During testing, I encountered two key values:

  • 1 = Precise Location is turned ON
  • 2 = Precise Location is turned OFF or not set.

Note: A value of 2 indicates Reduced Accuracy

Note: During testing there were occasions when both the Authorization key and the CorrectiveCompensationEnabled key were missing/hidden. I believe, in some instances, this was because the setting was never changed from the default setting. After I made changes to the settings, the keys would then be listed in the plist. I believe there might be other factors that would cause the keys to be missing/hidden, but I was not able to determine all the factors during testing. An example of this displayed in Figure 10.

Test 1 Device Settings as seen in Figure 7 and 8:

  • Never is selected
  • Precise Location is missing/hidden

clients.plist keys:

  • Authorization value 1
  • CorrectiveCompensationEnabled value 2
Figure 8

Test 2 Device Settings as seen in Figure 9 and 10:

  • Ask Next Time is selected
  • Precise Location was OFF

clients.plist keys:

  • Authorization is missing/hidden
  • CorrectiveCompensationEnabled value 2
Figure 9
Figure 10

Test 3 Device Settings as seen in Figure 11 and 12:

  • Ask Next Time is selected
  • Precise Location was ON

clients.plist keys:

  • Authorization is missing/hidden
  • CorrectiveCompensationEnabled value 1
Figure 11
Figure 12
Figure 12.1 iOS 15.0 Camera settings

Test 4 Device Settings as seen in Figure 13 and 14:

  • While Using the App is selected
  • Precise Location was ON

clients.plist keys:

  • Authorization value 2
  • CorrectiveCompensationEnabled value 1
Figure 13
Figure 14

Test 5 Device Settings:

At the end of testing, the Apple Maps Location Services were set as While Using the App and Precise Location was ON. In a final test, I changed the setting from While Using the App to Never. When I made the change, the Precise Location toggle switch disappeared but was still in the ON position.

I believed, from previous testing, the Authorization value was going to be 1 and the CorrectiveCompensationEnabled value was going to be 2, but that was not the case. The Authorization value was 1, as expected, but the CorrectiveCompensationEnabled value was 1, indicating it was using Precise Location. I did not test to determine if the Precise Location was being used or not, just wanted to note this variation could appear in your data.  

Now that we have analyzed specific application Location Services, I will review what I discovered when testing the System Services settings.

Figure 15

Note: Please review, https://support.apple.com/en-us/HT207056, as it outlines some of the System Services. 

Location Services > System Services:

In Location Services > System Services there is a list of items, seen in Figure 15. Notice all the services are turned ON. After the iPhone data was acquired, I was able to determine if items listed under System Services were turned ON or OFF. To do this, we must again view the clients.plist Authorization key. During testing, I encountered two key values:

  • 1 = OFF
  • 4 = ON

In Figure 16, I have highlighted the Routing & Traffic system services button. Based on testing, the Routing & Traffic system services button controls the following services in the clients.plist:

  • com.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle
  • com.apple.locationd.bundle-/System/Library/LocationBundles/AltimeterHarvest.bundle
  • com.apple.locationd.bundle-/System/Library/LocationBundles/IonosphereHarvest.bundle
  • com.apple.locationd.bundle-/System/Library/LocationBundles/TraceHarvest.bundle
Figure 16

In Figure 17, a screenshot of the clients.plist is opened in Mushy. Notice the com.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle service is expanded and has an Authorization key value of 4, meaning the setting is ON and a CorrectiveCompensationEnabled key value of 1, meaning Precise Location is ON.

Figure 17

I turned the Routing & Traffic setting OFF, seen in Figure 18. When it was turned OFF, the Authorization key in the clients.plist changed from a value of 4 (ON) to a value of 1 (OFF), see Figure 18 and Figure 19:

Figure 18
Figure 19

I was able to identify and match up most of the items listed under System Services to their counterpart listed in the clients.plist, seen in Figure 20. Notice there are some ON/OFF switches that control multiple System Services.

System Services Menuclients.plist
Apple Pay Merchant Identificationcom.apple.locationd.bundle-/System/Library/LocationBundles/PassbookMerchantLookup.bundle
Cell Network Searchcom.apple.locationd.bundle-/System/Library/Frameworks/CoreTelephony.framework
Compass Calibrationcom.apple.locationd.bundle-/System/Library/LocationBundles/CompassCalibration.bundle
Device Managementcom.apple.locationd.bundle-/System/Library/PrivateFrameworks/DeviceManagement.framework
Emergency Calls & SOScom.apple.locationd.bundle-/System/Library/LocationBundles/Emergency SOS.bundle
Find My iPhonecom.apple.locationd.bundle-/System/Library/PrivateFrameworks/FindMyDevice.framework
HomeKitcom.apple.locationd.bundle-/System/Library/PrivateFrameworks/HomeKitDaemon.framework
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/MapsAnnouncements.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/NavdLocationBundleiOS.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/RemindersAlerts.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/CalendarLocation.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/PrivateFrameworks/BulletinBoard.framework
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/Wea.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/ShortcutsLocation.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/CarPlayHomeLocation.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/AppSuggestions.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/PassbookRelevancy.bundle
Location-Based Alertscom.apple.locationd.bundle-/System/Library/LocationBundles/DestinationdLocationBundleiOS.bundle
Location-Based Suggestionscom.apple.locationd.bundle-/System/Library/PrivateFrameworks/CoreParsec.framework
Motion Calibration & Distancecom.apple.locationd.bundle-/System/Library/LocationBundles/MotionCalibration.bundle
Networking & Wirelesscom.apple.locationd.bundle-/System/Library/PrivateFrameworks/MobileWiFi.framework
Networking & Wirelesscom.apple.locationd.bundle-/System/Library/LocationBundles/UWBRegulatory.bundle
Setting Time Zonecom.apple.locationd.bundle-/System/Library/LocationBundles/TimeZone.bundle
Share My Locationcom.apple.locationd.bundle-/System/Library/PrivateFrameworks/FMF.framework
System Customizationcom.apple.locationd.bundle-/System/Library/LocationBundles/SystemCustomization.bundle
System Customizationcom.apple.locationd.bundle-/System/Library/PrivateFrameworks/ChronoCore.framework
Significant Locationscom.apple.locationd.bundle-/System/Library/LocationBundles/Routine.bundle
Product Improvementclients.plist
iPhone Analyticscom.apple.locationd.bundle-/System/Library/PrivateFrameworks/WirelessDiagnostics.framework
Popular Near Mecom.apple.locationd.bundle-/System/Library/LocationBundles/AppGenius.bundle
Routing & Trafficcom.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle
Routing & Trafficcom.apple.locationd.bundle-/System/Library/LocationBundles/AltimeterHarvest.bundle
Routing & Trafficcom.apple.locationd.bundle-/System/Library/LocationBundles/IonosphereHarvest.bundle
Routing & Trafficcom.apple.locationd.bundle-/System/Library/LocationBundles/TraceHarvest.bundle
Improve MapsCould not identify
Status Bar IconCould not identify
Other Settingsclients.plist
Exposure Notifications – COVID-19com.apple.locationd.bundle-/System/Library/LocationBundles/ExposureNotificationBundle.bundle
Phone Wi-Fi Callingcom.apple.locationd.bundle-/System/Library/LocationBundles/WifiCalling.bundle
Wallet App in Location Services Menucom.apple.locationd.bundle-/System/Library/PrivateFrameworks/PassKitCore.framework
App Clips in Location Services Menucom.apple.locationd.bundle-/System/Library/LocationBundles/ClipServicesLocation.bundle
Siri & Dictationcom.apple.locationd.bundle-/System/Library/PrivateFrameworks/AssistantServices.framework
Figure 20

Note: Some of the items listed in the clients.plist are not listed in System Services menu, they are however listed elsewhere in the general settings menu. Some examples of these settings might be the Do Not Disturb setting, Wi-Fi Calling setting and Exposure Notification setting, just to name a few. Additional Note, in iOS 14.8 Wi-Fi Calling was listed in the System Services menu. These are also listed in iOS 15.0 clients.plist along with a few new ones.

Conclusion:

I am sure you will find other applications and services that have not been discussed in this blog, but I hope this will at least assist you with determining if Location Services is ON or OFF and what System Services might be ON or OFF when the device data was acquired. Knowing these settings should assist you when analyzing iPhone locations and determining why you might have very accurate device locations and/or less than accurate device locations.

If you are curious why it might be important to know these settings, please review part-2 of this blog series where I discuss iPhone locations stored in Cache.sqlite > ZRTCLLOCATIONMO table and how to determine how fast a device was traveling at a particular date and time.

Resources:

June 5, 2018, Vladimir Katalov

December 23, 2018, Sarah Edwards

July 18, 2019, Krista Merry and Pete Bettinger

June 25, 2020, Ryan NHP

July 18, 2020, Ian Whiffin

December 10, 2020, Bryan Ambrose

December 21, 2020 Ian Whiffin

March 26, 2021, Ian Whiffin

Apple Developer Website

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: