Researchers from Boston’s Northeastern University have developed a mobile app for Android that, once installed, can send information regarding the users’ location without their consent. The app does not require permissions to access GPS or Wi-Fi information, and instead infers the location indirectly by accessing other built-in sensors that can be used without explicit consent. These sensors include the accelerometer, which detects the orientation in which the mobile phone is being held, the gyroscope, which measures the rotation of the device, and the magnetometer, which acts as an inner compass.
By using the information provided by these sensors, the researchers show that this type of malicious software could be used to detect where a person lives, which route they take to work and even whether the person normally carries the phone in a pocket, where it is relatively stable, or in a purse, where it swings.
The app was tested virtually, simulating driving routes in 11 cities with different populations and road densities, and also in a real setting, in which four people were asked to drive around the area of Boston with the app installed on their phones. Using the information sent by the app, the researchers were able to calculate 10 possible routes. The probability that the real route was one of the 10 shortlisted was higher than 50% in the virtual setting and around 30% in the real setting.
But location is just a part of the story. As Guevara Noubir, one of the authors of the research, warns:
Additional information can then be gleaned by searching town and city public databases for, say, property tax records. Adversaries can recover lots of details through these side channels.
Although the research was conducted on Android, a similar loophole is likely to be present on iPhones, as their operating system also does not limit access to the sensors the app uses to infer the location. The finding highlights the need to increase privacy protection in smartphones and to address security loopholes that could be exploited by malicious programs.
Good privacy practices
While the app described here can track even a careful user, the truth is that most users give away a huge amount of personal information without their knowledge.
One of the reasons is that many of the permissions we grant to the apps we install are buried in terms-of-use agreements that few people read. According to a recent survey, some terms-of-use are as long as 30,000 words; more than 70% of people admit to not reading them all, and only 17% say that they understand them. Therefore, a careful inspection of the apps we use can substantially reduce risks. Noubir advises:
You should not install apps that are not familiar to you—ones that you have not investigated. And be sure that your apps are not still running in the background when you’re not using them.
He also recommends uninstalling apps that you do not use frequently.
Another important security problem is that default settings in most smartphones are rather permissive. For example, Google’s services embedded in Android operating systems by default upload your passwords to Google servers, track your browsing habits to send you tailored advertising, and keep a record of the places you’ve been to, based on the information provided by the GPS. Devoting five minutes to changing some of these settings can have a great impact on our privacy.
But collecting information from users is not something just Google does: every other Internet giant, including Apple, Facebook and Microsoft, uses similar practices. As more and more information is available online, being aware of the terms-of-use that we sign and the settings in our apps and accounts is becoming increasingly important, even if we have nothing to hide.