Forensic Analysis of Third Party Location Applications in Android and iOS
Pith reviewed 2026-05-25 13:18 UTC · model grok-4.3
The pith
Location sharing apps on Android and iOS retain recoverable records of past user positions.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The authors analyze popular third-party location sharing applications and report that they store location data locally on smartphones. This data can be extracted using industry-standard mobile forensic suites on both Android and iOS platforms and used to reconstruct past positions during investigations.
What carries the argument
Forensic artifact extraction from the apps via industry-standard mobile forensic suites on Android and iOS.
If this is right
- Investigators could reconstruct timelines of past movements directly from the phone without server access.
- The same local storage pattern may exist in additional location-related applications.
- Device users face privacy exposure from retained location records even after the app is closed.
- Security reviews of these apps should address how location history is protected on the device.
Where Pith is reading between the lines
- App developers could reduce risk by limiting or encrypting local location caches.
- The extraction methods used here could be applied to other categories of location-aware mobile software.
- Results might differ across app versions or device models, suggesting targeted follow-up testing.
Load-bearing premise
The industry-standard mobile forensic suites correctly identify and extract all relevant location artifacts without significant false negatives or interpretation errors.
What would settle it
Controlled tests in which known location data is entered into the apps and then no matching artifacts appear in the extracted device images.
Original abstract
Location sharing applications are becoming increasingly common. These applications allow users to share their own locations and view contacts' current locations on a map. Location applications are commonly used by friends and family members to view Global Positioning System (GPS) location of an individual, but valuable forensic evidence may exist in this data when stored locally on smartphones. This paper aims to discover forensic artifacts from two popular third-party location sharing applications on iOS and Android devices. Industry standard mobile forensic suites are utilized to discover if any locally stored data could be used to assist investigations reliant on knowing the past location of a suspect. Security issues raised regarding the artifacts found during our analysis are also discussed.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper examines forensic artifacts from two popular third-party location-sharing applications on Android and iOS devices. It uses industry-standard mobile forensic suites to extract locally stored location data and assesses whether such artifacts could support investigations into a suspect's past locations; it also discusses related security issues.
Significance. If the extraction results and artifact interpretations hold after independent validation, the work would provide concrete, actionable guidance for digital forensics practitioners on a class of apps that is increasingly common. The empirical focus on real devices and commercial tools aligns with the needs of the field, though the absence of raw data tables, error rates, or cross-validation currently limits its utility as a reference.
major comments (3)
- [Methods / Abstract] Methods (and Abstract): The central claim that 'valuable forensic evidence may exist' rests entirely on outputs from commercial forensic suites, yet no section describes an independent verification step such as a raw filesystem dump, manual SQLite/Plist parsing, or hash-based confirmation of extracted artifacts. Without this, false negatives or misparsed timestamps/coordinates cannot be ruled out.
- [Results] Results section: No data tables, artifact counts, or error analysis are supplied; the text supplies only high-level statements about what the suites 'discovered.' This prevents assessment of completeness or reproducibility.
- [Discussion] Discussion of security issues: The paper states that security issues raised by the artifacts are discussed, but provides no concrete examples (e.g., specific permissions, data exposure vectors, or app-version-specific vulnerabilities) that would allow readers to evaluate the claimed risks.
minor comments (2)
- [Abstract] The two applications examined are never named in the abstract; this information should appear early.
- [Methods] Device models, OS versions, and app versions used in the experiments are not listed; these details are required for reproducibility in forensic studies.
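The independent check asked for in the first major comment, combined with the controlled test under "What would settle it", as an added example (not code from the paper or from Pith). It hashes a working copy, parses a SQLite store read-only, normalises timestamp epochs, and lists seeded fixes that have no matching artifact. The `locations` table, its columns, the tolerances and every sample value are hypothetical, since the apps and their schemas are not named on this page.

```python
import hashlib, sqlite3
from datetime import datetime, timezone
from pathlib import Path

APPLE_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 (Cocoa epoch)

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def to_utc(raw):
    """Magnitude heuristic (assumes fixes dated 2001-09 to 2032)."""
    if raw > 1e11:                 # Unix milliseconds
        raw /= 1000
    elif raw < 1e9:                # Apple Cocoa seconds
        raw += APPLE_EPOCH_OFFSET
    return datetime.fromtimestamp(raw, tz=timezone.utc)

def read_fixes(db_path):
    """Parse the hypothetical `locations` table without writing to the copy."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    rows = con.execute("SELECT lat, lon, ts FROM locations").fetchall()
    con.close()
    return [(lat, lon, to_utc(ts)) for lat, lon, ts in rows]

def verify(db_path, seeded, deg_tol=1e-4, sec_tol=5):
    """Return (hash_unchanged, seeded fixes with no matching artifact)."""
    before = sha256_file(db_path)
    found = read_fixes(db_path)
    missing = [s for s in seeded if not any(
        abs(s[0] - lat) <= deg_tol and abs(s[1] - lon) <= deg_tol
        and abs((s[2] - t).total_seconds()) <= sec_tol for lat, lon, t in found)]
    return sha256_file(db_path) == before, missing

def build_constructed_db(path):
    """Constructed sample store: one row in Unix ms, one in Cocoa seconds."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE locations (lat REAL, lon REAL, ts REAL)")
    con.executemany("INSERT INTO locations VALUES (?,?,?)", [
        (40.7128, -74.0060, 1546344000000),   # 2019-01-01 12:00 UTC, Unix ms
        (34.0522, -118.2437, 568040400),      # 2019-01-01 13:00 UTC, Cocoa s
    ])
    con.commit()
    con.close()

SEEDED = [  # constructed ground truth entered during a controlled test
    (40.7128, -74.0060, datetime(2019, 1, 1, 12, 0, tzinfo=timezone.utc)),
    (34.0522, -118.2437, datetime(2019, 1, 1, 13, 0, tzinfo=timezone.utc)),
    (41.8781, -87.6298, datetime(2019, 1, 1, 14, 0, tzinfo=timezone.utc)),
]
```

Calling `build_constructed_db(path)` and then `verify(path, SEEDED)` reports the third seeded fix as missing, which is the false-negative signal the load-bearing premise depends on.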
Simulated Author's Rebuttal
We thank the referee for their constructive comments, which highlight areas where the manuscript can be strengthened. We address each major comment below and commit to revisions that improve clarity, reproducibility, and detail without misrepresenting our original work.
Point-by-point responses
- Referee: [Methods / Abstract] Methods (and Abstract): The central claim that 'valuable forensic evidence may exist' rests entirely on outputs from commercial forensic suites, yet no section describes an independent verification step such as a raw filesystem dump, manual SQLite/Plist parsing, or hash-based confirmation of extracted artifacts. Without this, false negatives or misparsed timestamps/coordinates cannot be ruled out.
  Authors: We agree that the manuscript would benefit from explicit discussion of verification. In the revised version we will expand the Methods section to describe the precise configuration and usage of the commercial suites, note any cross-tool consistency checks that were performed, and add a limitations paragraph acknowledging the absence of raw filesystem dumps or manual parsing. The Abstract will be updated to reflect this added context. This follows standard practice in the digital forensics literature but we accept that greater transparency is warranted.
  Revision: yes
- Referee: [Results] Results section: No data tables, artifact counts, or error analysis are supplied; the text supplies only high-level statements about what the suites 'discovered.' This prevents assessment of completeness or reproducibility.
  Authors: We accept that the current Results section is too high-level. The revised manuscript will include tables listing the specific artifacts recovered (location entries, timestamps, coordinate values), counts per application and platform, and any notes on extraction completeness or observed inconsistencies. Where quantitative error analysis is feasible from our logs it will be added; otherwise we will state the limitation explicitly.
  Revision: yes
- Referee: [Discussion] Discussion of security issues: The paper states that security issues raised by the artifacts are discussed, but provides no concrete examples (e.g., specific permissions, data exposure vectors, or app-version-specific vulnerabilities) that would allow readers to evaluate the claimed risks.
  Authors: We agree that concrete examples are required. The revised Discussion will enumerate the relevant Android and iOS permissions observed, describe the local storage paths and file formats that create exposure vectors, and note any version-specific behaviors identified during testing. These additions will be tied directly to the artifacts reported in the Results.
  Revision: yes
Circularity Check
Empirical forensic study with no derivations or self-referential claims
The paper performs an observational forensic extraction of location artifacts from two mobile apps on Android and iOS using commercial tools. No equations, mathematical derivations, fitted parameters, predictions, or uniqueness theorems appear in the work. Claims rest on reported artifact locations and contents rather than any chain that reduces outputs to inputs by construction. Self-citations, if present, are not load-bearing for any central result. This matches the default expectation of no significant circularity for an empirical study.