Skip to main content
SearchLoginLogin or Signup

iOS Location Services and System Services are they ON or OFF

Published onJul 11, 2022
iOS Location Services and System Services are they ON or OFF
·

Synopsis

Forensics Question:
After an iPhone data acquisition, can we determine if Location Services was ON or OFF and which System Services were ON or OFF

OS Versions:

  • iOS: 14.4.2 (18D70)

  • iOS: 14.6 (18F72)

  • iOS: 14.7.1 (18G82)

  • iOS: 15.0 (19A346) – verified 9/21/2021

iOS 15 Update:

iPhone 6s Plus (iPhone8,2 (A1687)) iOS 15.0.2 FFS Acquisition

iPhone 13 Pro (iPhone14,2 (A2483)) iOS 15.3.1 UFED Advance Logical Acquisition

Both device acquisitions contained the plists needed to analyze if location services were on or off.

Tools:

  • Cellebrite UFED 4PC 7.47.0.247

  • Grayshift GrayKey 1.6.16

  • Cellebrite Physical Analyzer 7.47.0.58, 7.48.0.49 & 7.48.1.3

  • Magnet AXIOM 5.4.0.26185

  • ArtEx 1.6.0.0 & 2.0.0.4

Awhile back, I, started working on some research whether the device speed recorded in an iPhone database could be considered reliable evidence for how fast a device was traveling. I was going to discuss some device settings in the paper, but quickly learned the Location Services and System Services settings should be discussed in a bit more detail and decided to write a separate paper about what I found.

After completing some of the research, I asked Ian Whiffin to review what I have found and asked him to add anything I might have missed. Ian, being the iOS location guru, was happy to assist and was willing to co-author this paper with me. Thanks for everything Ian!!

In this paper we will be discussing how to determine if specific application Location Services is ON or OFF and if System Services were turned ON or OFF when the data was acquired.

Note: There has been previous research published about these settings, but it appears, based on what we have found, the research is a few years old. Here is a link to a SANS presentation by Sarah Edwards discussing her research for some of these settings:

https://youtu.be/MiDWAHCR910

Test Devices:

  • Apple iPhone 6s Plus MKV22LL/A A1687 – No Sim Card and no Mobile data

  • Apple iPhone Xs MTAL2LL/A A1920 – Has SIM card and mobile data

Artifact Location:

  • \private\var\mobile\Library\Preferences\com.apple.locationd.plist

  • \private\var\root\Library\Caches\locationd\clients.plist

Extraction Methods that contained both com.apple.locationd.plist and clients.plist:

  • Cellebrite Advance Logical Full File System UFED 4PC – Jailbroken

  • Cellebrite Advance Logical Extraction – UFED 4PC

  • Magnet AXIOM Full Acquisition – Jailbroken

  • Magnet AXIOM Quick Extraction

  • ArtEx ArtExtraction – Full Extraction – Jailbroken

  • ArtEx ArtExtraction – Live Connection – Jailbroken

  • Graykey Full File System

Settings > Privacy:

To check if Location Services is ON or OFF, navigate to Settings > Privacy. In Figure 1 Location Services is ON.

A screenshot of a phone Description automatically generated with medium confidence

Figure 1

After the device data is acquired, how can we determine if Location Services was ON or OFF? The plist of interest is com.apple.locationd.plist.

The plist is located at: \private\var\mobile\Library\Preferences\

Once you have located the plist, you will want to analyze the LocationServicesEnabledIn8.0 key which will have a True or False value.

  • True value means Location Services is turned ON

  • False value means Location Services is turned OFF

You will also want to analyze the LastSystemVersion key. This key will list the last/current iOS version, in this case it was iPhone OS14.4.2/18D70.

In Figure 2, Location Services is ON. We can see the com.apple.locationd.plist, the keys previously mentioned and their values. Figure 2.1 is a look at the plist from iOS 15.0.

A screenshot of a computer Description automatically generated

Figure 2

Figure 2.1 iOS 15

In Figure 3, Location Services is OFF. We can see the com.apple.locationd.plist, the keys previously mentioned and their values.

Graphical user interface, text, application, Word Description automatically generated

Figure 3

Privacy > Location Services:

After determining Location Services was ON, we will review some of the applications using location services. Clicking on the Location Services button within the Privacy menu will bring us to a menu pictured in Figure 4. The applications listed are those using Location Services and a brief glimpse into the application settings. Notice in Figure 5, the applications pictured are all set to While Using the App. Let’s begin analyzing the Maps application.

A screenshot of a phone Description automatically generated with medium confidence

Figure 4

When we click on the Maps application, we are presented with a new set of Location Services settings, seen in Figure 5. The settings for Maps are set to Allow Location Access While Using the App and Precise Location is ON.

Graphical user interface, text Description automatically generated

Figure 5

Note: Please read through the resources for additional details about the differences when Precise Location is ON or OFF. When it is OFF it is also known as Reduced Accuracy.

We are going to review the plist that contains the Apple Maps Location Services settings to determine what was set when the device data was acquired. The plist of interest is the clients.plist. This plist is located at: \private\var\root\Library\Caches\locationd\.

The clients.plist contains the settings for applications and system services using location services. During this section, we will be focusing on the application settings for location services. In Figure 6, we have highlighted two applications, Apple Maps – com.apple.Maps and Apple Calendar – com.apple.mobilecal.

A screenshot of a computer Description automatically generated with medium confidence

Figure 6

After reviewing the Apple Maps (com.apple.Maps) settings, seen in Figure 7, we can see the Maps application is set to Never Allow Location Access. Notice there is not an option to change between Precise Location or Reduced Accuracy.

Figure 7

Within the clients.plist, you will want to find the application you wish to analyze. During testing, ArtEx and Mushy were used to view the plist. To view the keys listed under the application, we have to click on the applications, in this instance that was com.apple.Maps. Depending on your plist viewing tool, you should expand the keys belonging to the application you are analyzing. The keys you will want to analyze are Authorization and CorrectiveCompensationEnabled, seen in Figure 8.

The Authorization key is the setting for Allow Location Access. During testing, two key values were encountered. There were also some instances where the Authorization key was missing or hidden:

  • 1 = Never

  • 2 = While Using the App

  • When the Authorization key is missing/hidden = Ask Next Time

Note: The Weather application had two settings that appeared to be similar. The two settings were While Using the App and While Using the App or Widgets. Both settings had a value of 2 in the plist during testing.

The other key we want to analyze is the CorrectiveCompensationEnabled key, which is the setting for Precise Location. During testing, two key values were encountered:

  • 1 = Precise Location is turned ON

  • 2 = Precise Location is turned OFF or not set.

Note: A value of 2 indicates Reduced Accuracy

Note: During testing there were occasions when both the Authorization key and the CorrectiveCompensationEnabled key were missing/hidden. In some instances, this was because the setting was never changed from the default setting. After changes were made to the settings, the keys would then be listed in the plist. There might be other factors that would cause the keys to be missing/hidden, but those could not be determine during testing. An example of this displayed in Figure 10.

Test 1 Device Settings as seen in Figure 7 and 8:

  • Never is selected

  • Precise Location is missing/hidden

clients.plist keys:

  • Authorization value 1

  • CorrectiveCompensationEnabled value 2

Graphical user interface, application, Word Description automatically generated

Figure 8

Test 2 Device Settings as seen in Figure 9 and 10:

  • Ask Next Time is selected

  • Precise Location was OFF

clients.plist keys:

  • Authorization was not listed

  • CorrectiveCompensationEnabled value 2

Graphical user interface, text, application Description automatically generated

Figure 9

Graphical user interface, application, Word Description automatically generated

Figure 10

Test 3 Device Settings as seen in Figure 11 and 12:

  • Ask Next Time is selected

  • Precise Location was ON

clients.plist keys:

  • Authorization missing/hidden

  • CorrectiveCompensationEnabled value 1

Graphical user interface, text, application Description automatically generated

Figure 11

Graphical user interface, text, application, Word Description automatically generated

Figure 12

Figure 12.1 iOS 15.0 Camera settings

Test 4 Device Settings as seen in Figure 13 and 14:

  • While Using the App selected

  • Precise Location was ON

clients.plist keys:

  • Authorization value 2

  • CorrectiveCompensationEnabled value 1

Graphical user interface, text, application Description automatically generated

Figure 13

Graphical user interface, application, Word Description automatically generated

Figure 14

Test 5 Device Settings:

At the end of testing, the Apple Maps Location Services settings were set as While Using the App and Precise Location was ON. In a final test, the setting was changed from While Using the App to Never. When the change was made the Precise Location toggle switch disappeared but was still in the ON position.

Based on previous testing, the Authorization value should have been 1 and the CorrectiveCompensationEnabled value should have been 2, but that was not the case. The Authorization value was 1, as expected, but the CorrectiveCompensationEnabled value was 1, indicating it was using Precise Location. Further testing was not completed to determine if the Precise Location was being used or not, just wanted to note this variation could appear in your data.  

Now that we have analyzed specific application Location Services, Let’s review what was discovered when testing the System Services settings.

A picture containing text Description automatically generated

Figure 15

Note: Please review, https://support.apple.com/en-us/HT207056, as it outlines some of the System Services.

Location Services > System Services:

In Location Services > System Services there is a list of items, seen in Figure 15. Notice all the services are turned ON. After the iPhone data was acquired, we were able to determine if items listed under System Services were turned ON or OFF. To do this, we must again view the clients.plist Authorization key. During testing, two key values were encountered:

  • 1 = OFF

  • 4 = ON

In Figure 16, highlighted is the Routing & Traffic system services button. Based on testing, the Routing & Traffic system services button controls the following services in the clients.plist:

  • com.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle

  • com.apple.locationd.bundle-/System/Library/LocationBundles/AltimeterHarvest.bundle

  • com.apple.locationd.bundle-/System/Library/LocationBundles/IonosphereHarvest.bundle

  • com.apple.locationd.bundle-/System/Library/LocationBundles/TraceHarvest.bundle

Figure 16

In Figure 17, a screenshot of the clients.plist is opened in Mushy. Notice the com.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle service is expanded and has an Authorization key value of 4, meaning the setting is ON and a CorrectiveCompensationEnabled key value of 1, meaning Precise Location is ON.

Figure 17

When the Routing & Traffic setting is turned OFF, seen in Figure 18, the Authorization key in the clients.plist changed from a value of 4 (ON) to a value of 1 (OFF), see Figure 18 and Figure 19:

Figure 18

Figure 19

During testing, we were able to identify and match up most of the items listed under System Services to their counterpart listed in the clients.plist, as seen in Figure 20. Notice there are some ON/OFF switches that control multiple System Services.

Location Services > System Services Menu

clients.plist

Apple Pay Merchant Identification

com.apple.locationd.bundle-/System/Library/LocationBundles/PassbookMerchantLookup.bundle

Cell Network Search

com.apple.locationd.bundle-/System/Library/Frameworks/CoreTelephony.framework

Compass Calibration

com.apple.locationd.bundle-/System/Library/LocationBundles/CompassCalibration.bundle

Device Management

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/DeviceManagement.framework

Emergency Calls & SOS

com.apple.locationd.bundle-/System/Library/LocationBundles/Emergency SOS.bundle

Find My iPhone

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/FindMyDevice.framework

HomeKit

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/HomeKitDaemon.framework

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/MapsAnnouncements.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/NavdLocationBundleiOS.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/RemindersAlerts.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/CalendarLocation.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/BulletinBoard.framework

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/Wea.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/ShortcutsLocation.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/CarPlayHomeLocation.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/AppSuggestions.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/PassbookRelevancy.bundle

Location-Based Alerts

com.apple.locationd.bundle-/System/Library/LocationBundles/DestinationdLocationBundleiOS.bundle

Location-Based Suggestions

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/CoreParsec.framework

Motion Calibration & Distance

com.apple.locationd.bundle-/System/Library/LocationBundles/MotionCalibration.bundle

Networking & Wireless

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/MobileWiFi.framework

Networking & Wireless

com.apple.locationd.bundle-/System/Library/LocationBundles/UWBRegulatory.bundle

Setting Time Zone

com.apple.locationd.bundle-/System/Library/LocationBundles/TimeZone.bundle

Share My Location

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/FMF.framework

System Customization

com.apple.locationd.bundle-/System/Library/LocationBundles/SystemCustomization.bundle

System Customization

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/ChronoCore.framework

Significant Locations

com.apple.locationd.bundle-/System/Library/LocationBundles/Routine.bundle

Product Improvement

clients.plist

iPhone Analytics

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/WirelessDiagnostics.framework

Popular Near Me

com.apple.locationd.bundle-/System/Library/LocationBundles/AppGenius.bundle

Routing & Traffic

com.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle

Routing & Traffic

com.apple.locationd.bundle-/System/Library/LocationBundles/AltimeterHarvest.bundle

Routing & Traffic

com.apple.locationd.bundle-/System/Library/LocationBundles/IonosphereHarvest.bundle

Routing & Traffic

com.apple.locationd.bundle-/System/Library/LocationBundles/TraceHarvest.bundle

Improve Maps

Could not identify

Status Bar Icon

Could not identify

Other Settings

clients.plist

Exposure Notifications - COVID-19

com.apple.locationd.bundle-/System/Library/LocationBundles/ExposureNotificationBundle.bundle

Phone Wi-Fi Calling

com.apple.locationd.bundle-/System/Library/LocationBundles/WifiCalling.bundle

Wallet App in Location Services Menu

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/PassKitCore.framework

App Clips in Location Services Menu

com.apple.locationd.bundle-/System/Library/LocationBundles/ClipServicesLocation.bundle

Siri & Dictation

com.apple.locationd.bundle-/System/Library/PrivateFrameworks/AssistantServices.framework

Note: Some of the items listed in the clients.plist are not listed in System Services menu, they are however listed elsewhere in the general settings menu. Some examples of these settings might be the Do Not Disturb setting, Wi-Fi Calling setting and Exposure Notification setting, just to name a few. Additional Note, in iOS 14.8 Wi-Fi Calling was listed in the System Services menu. iOS 15.0 update – most of these were also listed in iOS 15.0 clients.plist along with a few new ones.

After the bulk of this was written, Ian Whiffin, discovered several other key artifacts, namely in cases where location related applications are launched the first time, the user may be given the options of:

  • Allow Once

  • Allow while using

  • Don’t allow

The options for Allow while using and Don’t allow were covered above. But the option of Allow Once wasn’t.

The clients.plist shows a TemporaryAuthorization which can be seen in key 5 below.

Crucially, when the application closes, this node is deleted altogether. This means that the user may have allowed locations temporarily, even though the plist file will not reflect this.

Furthermore, some applications also have an option to Always Allow which means it will and work even if the app isn’t in use. These applications are given the authorization 4, just like system services.

We put together a quick look-up table to help you if required

clients.plist value

Temporary
Authorization

Authorization

Corrective
Compensation
Enabled

Ask Next Time
(Precision either ON by default or previously set to ON)

1

Ask Next Time
(Precision previously set to OFF)

2

Allow Once used with Precise location enabled

1

1

Allow Once used with Precise location disabled

1

2

Do Not Use / Never
(Precision either ON by default or previously set to ON)

1

1

Do Not Use / Never
(Precision previously set to OFF)

1

2

Allow While Using with Precise location enabled

2

1

Allow While Using with Precise location disabled

2

2

Always Allow with Precise location enabled

4

1

Always Allow with Precise location disabled

4

2

Conclusion:

We are sure you will find other applications and services that have not been discussed, but we hope this will at least assist you with determining if Location Services is ON or OFF and what System Services might be ON or OFF when the device data was acquired. Knowing these settings might be able to assist you when analyzing iPhone locations and determining why you might have highly accurate device locations and/or less than accurate device locations.

Resources:

June 5, 2018, Vladimir Katalov

December 23, 2018, Sarah Edwards

July 18, 2019, Krista Merry and Pete Bettinger

June 25, 2020, Ryan NHP

July 18, 2020, Ian Whiffin

December 10, 2020, Bryan Ambrose

December 21, 2020 Ian Whiffin

March 26, 2021, Ian Whiffin

December 2, 2021 Cellebrite Staff iOS Locations

Apple Developer Website

DFIR Review

This is a very relevant topic for mobile forensics as understanding location settings is important in a variety of different cases. This paper is well written and the testing is thorough. The authors provided ample screenshots to allow readers to follow along and understand the keys being discussed. Reviewers were able to confirm some of the authors’ findings with their own testing.

One of the reviewers suggested that it would have been helpful if the author detailed what changed and what remained the same since Sarah Edwards’ work.

The authors mention “Precise Location” but do not detail the version of iOS where this feature because available.

There was some confusion as to which devices were used for testing. In the “Test Devices” section, there are 2 devices listed: Apple iPhone 6s Plus and Apple iPhone Xs. Then, under iOS 15 Update, there is an iPhone 13 Pro listed. The screenshots seem to reflect the iPhone 6s Plus. This could be better clarified.

The "CorrectiveCompensationEnabled" key in the clients.plist file is not reliable. This information is not always present even if Precise Location is turned ON. On the reviewer’s iPhone 6s, this key is always present even if this setting is never displayed on the device, regardless of "Allow location access".

Reviewers found that one of the tools used (Mushy) was not listed in the Tools section.

Future Work

Do the contents of client.plist change if location services are turned off after they have been on (i.e. are all application and service subkeys "reset" to values corresponding to no location access)?

A potential area for future research work is to determine if the authorization key is recoverable or how one can possibly determine if "Allow Once" was temporarily authorized for an app if analyzing a phone after the app is closed or days later.

Future work on this topic could include additional mapping of the remaining client.plist keys to applications/services as well as more research into various timestamps present in subkeys.

There is another plist in the same directory as the com.apple.locationd.plist titled com.apple.locationd.StatusBarIconManager.plist that contains a subkey titled ShowSystemServices. This may correspond to the Status Bar Icon that did not have a corresponding key in client.plist, but additional testing would be required for verification.

Reviewers

Amanda Chung (Methodology Review)

Arica Kulm (Methodology Review, Validated Review Using Reviewer Generated Datasets)

Selena Ley (Methodology Review, Validated Review Using Reviewer Generated Datasets)

Johann Polewczyk (Methodology Review, Validated Review Using Reviewer Generated Datasets)

Linda Shou (Methodology Review, Validated Review Using Reviewer Generated Datasets)

Hannes Spichiger (Methodology Review)

Comments
0
comment

No comments here

Why not start the discussion?