Analyzing Life360 on iOS

Life360 is the self-proclaimed "#1 family locator app". If they're not selling your location data (who am I to judge), they sure are leaving it all out there when looking at it from a forensic perspective. With any app that is constantly storing and pinging back location information, it is bound to have a treasure trove of pinpoints to look at.

From a full file system extraction we can find the folder of interest at:

private\var\mobile\Containers\Shared\AppGroup\<GUID>\MainApplication\Logs

Inside are a bunch of .log files from various days and times of when the app was used. There could be multiples for a single day, it would appear. While there is a lot of potentially useful information in these logs, one line really jumped out at me.

Location Caches

If you do a search or filter for any line items that contain "X-UserContext header set", you get some thorough location latitude and longitude coordinates along with some information about the local device itself. These lines contain embedded JSON content, and it isn't too complex to figure out what the fields mean.

Figure 1: Sample embedded JSON in logs

The above is formatted into a tree structure, but we see we get 4 distinct categories of data:
  • flags - some minor flag details, doesn't seem like too much of interest
  • device - details about the device including battery status and the activity type happening
  • geolocation - the meat, location data including latitude, longitude, altitude, and much more
  • geolocation_meta - more minor details, may include SSIDs of wifi points?!

Python can make quick work of pulling out relevant details with some small interpretations, but overall it's pretty straightforward.
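As an added illustration (this is not the iLEAPP parser), here is one way to pull the four categories out of the marker lines while keeping the source line number for traceability. The log line prefix, the trailing text, and the inner key names (`lat`, `lon`, `battery`, and so on) are assumptions in a constructed sample; only the search string and the four top-level category names come from the post.

```python
import json

MARKER = "X-UserContext header set"  # search string named in the post
SECTIONS = ("flags", "device", "geolocation", "geolocation_meta")

# Constructed sample lines: the timestamp prefix, trailing text and inner
# key names are assumptions for illustration, not from a real Life360 log.
SAMPLE_LOG = """\
2021-06-01 10:15:02 [net] X-UserContext header set: {"flags": {"a": 1}, "device": {"battery": 0.82, "activity": "walking"}, "geolocation": {"lat": 40.0, "lon": -75.0, "alt": 12.5}, "geolocation_meta": {"ssid": "home"}} (sent)
2021-06-01 10:15:03 [net] unrelated line {"lat": 1}
2021-06-01 10:16:10 [net] X-UserContext header set: {"geolocation": {"lat": 40.1, "lon": -75.1
2021-06-01 10:17:30 [net] X-UserContext header set: {"device": {"battery": 0.80}, "geolocation": {"lat": 40.2, "lon": -75.2}}
"""

def extract_user_context(lines):
    """Return (records, skipped) for the lines that carry the marker.

    Each record holds the four sections (a missing one becomes {}) plus
    'line_no', so every coordinate can be traced back to its log line.
    'skipped' lists marker lines whose JSON could not be parsed.
    """
    decoder = json.JSONDecoder()
    records, skipped = [], []
    for line_no, line in enumerate(lines, start=1):
        pos = line.find(MARKER)
        if pos == -1:
            continue  # not a location cache line
        start = line.find("{", pos)
        try:
            if start == -1:
                raise ValueError("marker without JSON body")
            # raw_decode stops at the end of the JSON object, so trailing
            # log text after the closing brace does not break parsing.
            obj, _ = decoder.raw_decode(line, start)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            skipped.append(line_no)  # truncated or corrupt entry: report it
            continue
        record = {name: obj.get(name, {}) for name in SECTIONS}
        record["line_no"] = line_no
        records.append(record)
    return records, skipped

if __name__ == "__main__":
    recs, bad = extract_user_context(SAMPLE_LOG.splitlines())
    for r in recs:
        print(r["line_no"], r["geolocation"], r["device"])
    print("marker lines that failed to parse:", bad)
```

Reporting the unparsed marker lines instead of silently dropping them matters in an examination: a truncated entry is still evidence that a location update was logged at that point.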

Figure 2: iLEAPP Report Life360 locations

Chat Messages & Members

Chat messages live in the database at the path:

private\var\mobile\Containers\Data\Application\<GUID>\Library\Application Support\Messaging.sqlite*

Tables of interest include:
  • ZCHATCIRCLE - basic information about the "groups" which they call Circles
  • ZCHATMEMBER - names and details about the people from chats (including the local user)
  • ZCHATMESSAGE - the meat of the chat messages
  • ZCHATMESSAGELOCATION - if location information is shared in chat, the lat/long will live here

Once again, with some quick SQLite queries and some table joins, we can create a picture of chat messages and details about the members.

Figure 3: Chat messages from Life360 in iLEAPP

Figure 4: Members from Life360 in iLEAPP

Much thanks to Heather for the sample data. Grab the latest code of iLEAPP now!