I really really suck at taking a step back and writing about things that I have done, so I want to try to pump out more tiny snippets like this one just documenting fun little things I stumble across that I can casually write about.
Enabling private logging is a pathway to many abilities some consider to be... unnatural.
routined is a macOS process responsible for tracking and identifying patterns in the user's frequented locations in order to predict future visits and better support location-dependent services. However, this added convenience comes at the cost of privacy.
When looking through some logs, I stumbled across a curious entry under the routined process. This log entry contained scarily accurate information about a recently visited location, including its name, location, coordinates, time recorded, along with other details. Digging deeper on my device, I was greeted with an accurate recollection of my recently visited destinations, including home addresses, restaurant names, my work address, etc.
Initially, I thought this information was simply synced over from my iPhone, which was signed in to the same iCloud account. I have a terrible sense of direction and couldn't find my way home from down the street without a GPS, so it was not alarming to me that my visits could be accurately pieced together through my Maps trips. However, when running the same search on my work macOS device, I received a different, albeit similarly accurate list of destinations. Though I never signed in to my personal iCloud account on this device, I was using a test iCloud account which was also linked to a test iOS device.
To rule out all factors, I threw a simple script together and chucked it over to my roommate, who also ran it on his work laptop. Only this time, his laptop was not associated with any iCloud account and was basically never used outside of work and our apartment. We had gone to a local fast food spot for dinner the night before, which the logs did a good job reminding me about. The catch? His work laptop never left the backpack in his car. It seemed our devices were able to track our locations without being actively in use or connected to a network.
At this point, I decided to look around for more resources on routined, where I stumbled upon this blog by macOS forensics legend, Sarah Edwards. In this blog, she describes a similar experience with the routined service on her phone. However, in her case, she was parsing the various location-related databases stored on iPhones. In my case, I was able to retrieve information of a similar accuracy, though with less frequency, from simply streaming logs from my laptop.
You can try it out with the following predicate on a macOS device with private logging enabled (see my post "Enabling private logging" for how to enable it):
log show --predicate 'process=="routined" and subsystem=="com.apple.CoreRoutine" and category=="LEARNED LOCATION" and eventMessage contains[c] "identifier"'
If the device is logged in to an iCloud account shared with an iPhone, all of that phone's locations will be synced to the macOS device and accessible through logs as well. The source of these logs can be determined through the DeviceIdentifier ID.
Of course, this is achievable only when private logging is enabled on the device (which should be done with caution). Still, it was another very interesting and fun surprise to learn about the power of unified logs and what they can reveal.
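Since exposure depends on private logging being enabled, a quick audit is to run the same predicate and count how many matching entries are still masked. The following is an added example, not code from the original post: it assumes the `--last` and `--style ndjson` options of `log show` and treats any message containing the `<private>` placeholder as redacted; the sample records are constructed.

```python
import json
import subprocess
from collections import Counter

# Predicate copied from the post.
PREDICATE = (
    'process=="routined" and subsystem=="com.apple.CoreRoutine" '
    'and category=="LEARNED LOCATION" and eventMessage contains[c] "identifier"'
)

# Constructed records: field names follow `log show --style ndjson`; the
# message bodies are placeholders, not real routined output.
SAMPLE = [
    '{"timestamp": "2024-01-02 09:15:00.000000-0800", "eventMessage": "identifier, <private>"}',
    '{"timestamp": "2024-01-02 18:40:00.000000-0800", "eventMessage": "identifier, <private>"}',
    '{"timestamp": "2024-01-03 12:05:00.000000-0800", "eventMessage": "identifier, PLACEHOLDER-VALUE"}',
    '{"count": 3, "finished": 1}',  # constructed record with no eventMessage
    '',
]

def classify(ndjson_lines):
    """Count entries per (day, state); state is 'redacted' or 'exposed'."""
    counts = Counter()
    for line in ndjson_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        msg = event.get("eventMessage") if isinstance(event, dict) else None
        if not msg:
            continue  # record without a message body
        day = str(event.get("timestamp", ""))[:10] or "unknown"
        # Heuristic: unified logging prints <private> for masked fields.
        state = "redacted" if "<private>" in msg else "exposed"
        counts[(day, state)] += 1
    return counts

def audit(last="1d"):
    """macOS only: run the post's predicate over the last `last` of logs."""
    cmd = ["log", "show", "--last", last, "--style", "ndjson", "--predicate", PREDICATE]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return classify(out.splitlines())

if __name__ == "__main__":
    for (day, state), n in sorted(classify(SAMPLE).items()):
        print(f"{day} {state:8} {n}")
```

On a Mac, `audit("7d")` returns the same per-day counts for the real log store; any non-zero `exposed` count means location entries are readable in the clear on that device.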