Researchers find that Android apps can secretly track users' whereabouts

New research led by Northeastern professor Guevara Noubir reveals that some Android apps may automatically transmit sensitive information, such as the routes you travel, through the phone’s built-in sensors. A malicious developer, he says, “can infer where you live, where you’ve been, where you are going.” Credit: Younghee Jang/Northeastern University

Three years ago, the Federal Trade Commission dimmed hopes for the Brightest Flashlight app for Android, slapping its developer with charges of consumer deception. Why? The app was transmitting users' locations and device IDs to third parties without telling the users or getting their permission.

Permissions, though, are only a small part of the Android-app privacy story. New research from Northeastern's Guevara Noubir and colleagues shows that Android apps can be manipulated to reach inside your mobile phone to track your whereabouts and traffic patterns, all without your knowledge or consent.

The researchers know this because they built an Android app and tested it.

Their system uses an algorithm that inserts data from the phone's built-in sensors into graphs of the world's roads. The researchers applied the algorithm to various simulated and real road trips. For each trip, the system then generated the five most likely paths taken. The most recent results? A 50 percent chance that the actual path traveled was one of the five.

"For $25, anyone can put an app on Google Play, the store for Android apps," says Noubir, professor in the College of Computer and Information Science. "Some of them may be malicious—no one is screening them."

How it works

If an Android app wants to access sensitive user information, such as location, it must let the user know. But often permission for such access is buried in terms-of-use agreements—the small print that many users don't read—or comes up not when the app is downloaded but later, unbeknownst to the user, when access for that information kicks into gear.

Android apps present further privacy risks because they automatically have access to key sensors inside the phone that detect the device's location, movements, and orientation. Together these sensors can provide clues to everything from the route you take to work to whether you carry your phone in your pocket (the phone is relatively stable) or your purse (it swings).

"In our research we show that an app in fact does not need your GPS or Wi-Fi to track you," says Noubir. "Just using these sensors, which do not require permissions, we can infer where you live, where you have been, where you are going."

The tests

To gauge the effectiveness of the system, the researchers conducted two types of tests.

They simulated drives in 11 cities around the world including Berlin, London, Rome, Boston, and Atlanta. They also got behind the wheel themselves, driving for 1,000 kilometers over more than 70 different routes in Boston and Waltham, Massachusetts. In both tests they collected scores of measurements derived from the phones' changing positions, including the angles of turns and the trajectory of curves.

Their most current results surpassed those initially published in the proceedings of the 2016 IEEE Symposium on Security and Privacy, which showed a 50 percent chance that the actual path traveled was one of 10 generated.

"Inferring a driving pattern from an Android app can lead to much greater invasions of privacy, such as where the user lives and works," says Noubir. Additional information, he warns, can then be gleaned by searching town and city public databases for, say, property tax records. "Adversaries can recover lots of details through these side channels."

Protecting yourself

What's an Android user to do short of forgoing apps altogether?

For starters, do your homework, says Noubir. "You should not install apps that are not familiar to you—ones that you have not investigated," he says. "Be sure that your apps are not still running in the background when you're not using them."

He also advises uninstalling apps that you don't use frequently. "Why keep apps that can access your sensors if you don't use those apps seriously?" he asks.



More information: Inferring User Routes and Locations using Zero-Permission Mobile Sensors. DOI: 10.1109/SP.2016.31
Citation: Researchers find that Android apps can secretly track users' whereabouts (2016, August 8) retrieved 16 June 2019 from https://phys.org/news/2016-08-android-apps-secretly-track-users.html

User comments

Aug 08, 2016
There should be some sort of "certified" seal of approval on apps, and that way it can be something layman users could look for to make their app choices easier. And obviously not all apps would be certified, but if a user wanted a flashlight app or something they could pick one that has been certified. It's just the whole *free thing means that to make money, you almost have to do something fishy if your app is free, whether it be Ads, information tracking, etc. Nothing is free.

Aug 08, 2016
I really don't care.
I only go to the store 2 blocks away, the library next door and the local bar 1 block away.
Pretty boring.

Aug 08, 2016
I really don't care.
I only go to the store 2 blocks away, the library next door and the local bar 1 block away.
Pretty boring.


You should care. With this kind of default unfiltered access to the sensors on your phone, it would be trivial to find out where you live, monitor your schedule, determine when you're most likely to be at that local bar you like, and then ransack your house when you're not there.

If that doesn't bother you, then alright. It does bother a lot of other people. It's not a trivial concern. Imagine someone using this trick to sneak a hidden camera into your bedroom when you're not around. Or your children's bedrooms. It's alarming, to say the least.

Aug 08, 2016
Who needs a hidden camera? Most apps want access to your camera and some even your microphone or speaker (which can be used as a microphone). We all carry a potential bugging device with us wherever we go. Welcome to the 21st century! Just wait until the internet of things ramps up to full steam!

Aug 09, 2016
Who needs a hidden camera? Most apps want access to your camera and some even your microphone or speaker (which can be used as a microphone). We all carry a potential bugging device with us wherever we go. Welcome to the 21st century! Just wait until the internet of things ramps up to full steam!


Wonder how long it'll take for someone to blow up a house that has an internet connected furnace?

Open gas valve? Check.
Wait for a few hours? Check.
Toggle pilot light? Check.

They could even get a decent video of the flaming aftermath if they had an internet connected camera with the default username and password, as so many do.

Some people just want to watch the world, and your house burn.

Aug 09, 2016
I really would like to know how an Android app can determine MY whereabouts. Seems like it'd only be possible to detect where the device the app is running on is, which is quite often not where I am. Then figure that I spend a lot of time where there is no cell or WiFi signal, so that even if I have the device with me, it can't transmit, and can collect info only if it's turned on.

Now if you're so tech-dependent that you have to carry an active device with you 24/7, you might have problems. But not everyone is like that.

Aug 13, 2016
Let me get this straight. Android was developed by Google. Google shamelessly snoops on everything you do. They push their apps at you as often as they can, ever notice Google's Chrome installed when you didn't expect it? That's Google for you. Sneaky and always looking for information. As with most/all apps on smartphones, they all want complete access to your phone hardware and all the data in the phone and in the "cloud". You back up stuff to Google's cloud and now they have complete access to everything, pictures, docs, texts and whatever else crosses their mind. I use Google for searches but that's it. No Google+, no Google cloud backup, nothing. They are information pigs and want it all. Use Android at your peril.
