To provide security, all third-party iOS apps run in a sandboxed environment within the iOS file system and onboard memory. Apple made a large number of additional features available to developers in iOS 4, including expanded location capabilities and the ability for some tasks to run in the background. That meant that Apple needed to make location data accessible to a part of the file system that apps can access. John Gruber at Daring Fireball backs this view with what appears to be deeper knowledge of the situation.
Another possibility: Apple may be trying to capture information about the device or, perhaps, carrier performance -- the theory expressed by blogger Andy Ihnatko. Given the rap the iPhone got as a result of AT&T's network problems, I wouldn't discount the idea that Apple may have wanted firm data about how well its devices are actually working in the real world.
Why is it so vast?
Even absent malicious intent, why does an iPhone or 3G iPad store months and months of data -- and why is it carried over from one device to another as Allan and Warden discovered?
I agree with the consensus view on why iOS isn't purging older data -- it's probably a bug. Simply for performance and space reasons, it would make sense that a location cache be cleaned out periodically -- just as any cache file on any desktop or mobile platform should be cleaned out. The fact that data isn't being culled from the file means it likely got overlooked among other iOS engineering issues over the past year or two.
So why maintain the data across devices? That's easy: When you replace an iPhone or iPad, you're given the option of setting your shiny new one up using a backup from its predecessor. To do that, iTunes copies the existing backup to the device, including all your music, apps and preferences -- and apparently that consolidated.db file.
What now?
I strongly suspect that the next iOS update will secure this file and probably add automatic culling of older data. Whether Apple will explicitly say that in the release notes -- or even acknowledge the situation -- is unknown. Though with Congress asking questions, it seems likely that Apple will have to offer up some kind of response. Until then, I recommend you turn on the option to encrypt your iPhone/iPad backups in iTunes and be prepared to use Apple's Find My iPhone to remotely wipe the device if it gets lost or stolen.
If you've jailbroken your iPhone, there's already a tool available on Cydia that will automatically wipe consolidated.db on a continuous basis.
For IT professionals who support the iPhone and iPad, there are security policies you can enable using Apple's iPhone Configuration Utility or a third-party management console to remotely wipe a device after a set number of failed login attempts. Management consoles, like Exchange, can also initiate a remote wipe at any time as needed.
Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. He has been a Computerworld columnist since 2003 and is a frequent contributor to Peachpit.com. Faas is also the author of iPhone for Work (Apress 2009). You can find out more about him at RyanFaas.com and follow him on Twitter (@ryanfaas).