Google sued over – yes – Android location tracking

Like Apple. But not like Apple

Google has been sued over its Android location tracking practices, days after a similar suit was brought against Apple.

According to The Detroit News, two Michigan women have filed a $50 million class-action suit against the web giant, demanding that the company stop offering Android phones that can track a user's location.

Google is using Android phones to build a database of cell towers and Wi-Fi networks that can then be tapped by phone applications to pinpoint the location of a given device. The company also makes use of GPS, but in pairing cell tower and WiFi data in tandem with GPS, it can better pinpoint your location – and possibly pinpoint it faster.

At one point, Google was using its fleet of photo-snapping Street View cars to collect cell tower and WiFi information, but after admitting that the cars were also grabbing payload data sent across Wi-Fi networks, the company said it would build the database using Android phones only.

If Android location services are turned on, the OS sends Google a MAC address, network signal strength, and GPS coordinates for each Wi-Fi network, as well as a unique identifier for the phone that grabs the information and the time of day, independent security researcher Samy Kamkar tells The Register. Google says that Android location services use an "opt-in" setup and that location data sent back to the company is "anonymized". But Kamkar has shown that the company does indeed grab a unique identifier for each phone.

By combining the identifier with the location data, Kamkar said, Google could easily determine where you work and where you live. If this location information and unique IDs remain on Google's servers, it could potentially be extracted via subpoena or national security letter.

Skyhook, the Boston-based company that pioneered this sort of location tracking, does not capture a unique phone ID in the way Google does, according to Skyhook CEO Ted Morgan. And there's no evidence that Apple's location services grab such an identifier either, though Apple has not specifically discussed this. Kamkar tells us that Apple only collects cell tower and WiFi information.

To quickly determine a user's location, Apple and Skyhook cache a portion of their location databases on phones. "A small localized cache on the device is very helpful for speed," Morgan tells The Register. "Rather than having to keep going back to the server, you keep a small subset of the reference data locally so that while you are within a 10 block area it just uses the local file until you move farther away...[This is] for speed and for not having to rely on a flakey cellphone network connection."

Apple says something similar. "The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone," the company explains. "The location data...on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location."

Presumably, Google is doing the same thing. Researchers have shown that Google keeps a similar database on Android phones, but this has a limited number of entries.

Skyhook sets a limit on the size of its cache and will replace cache data as you move from place to place. But Apple's cache may save data related to places you visited a year ago or more, according to the company. Apple has said, however, that this is a bug, and that in future versions of iOS, it will only retain data on the iPhone related to your whereabouts within the past seven days or so. "The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly," Apple says. "We don’t think the iPhone needs to store more than seven days of this data."

Apple continues to keep this cache file on the phone even when iPhone location services are turned off, but the company says this too is a bug that will be changed. According to Kamkar, Apple also continues to send cell tower and WiFi data back to its servers when location services are turned off. This is not the case with Google. When Android location services are turned off, Google stops sending data back to its servers.

Last week, independent researchers publicly discussed Apple's cache file, and this led to a firestorm of media coverage. Then Kamkar discussed his experiences with Google's location tracking services. Apple was sued on Monday, and now, inevitably, Google has been sued as well.

Yesterday, Apple responded to the firestorm with an FAQ on its website, saying it intends to change the way its cache works. The cache has long been used by law enforcement to determine the past whereabouts of phone owners. Skyhook says that its cache is encrypted so that it can't be read.

Skyhook once provided location services for the iPhone, and it was slated to provide services for Android. But both Apple and Google decided to handle the technology themselves. Skyhook is suing Google, claiming the web giant strong-armed its Android partners into dropping Skyhook in favor of Google location services.

According to one suit filed by Skyhook, Andy Rubin – the man who oversees Google's Android project – told Motorola co-CEO Sanjay Jha that if the handset manufacturer didn't drop Skyhook, Google would remove official Android support from the devices. This would mean that Motorola could not use proprietary Google services such as the Android Market or even the Android name. ®

Update: This story has been updated to show that Skyhook does not delete its database cache on phones, but that it puts a limit on the size of this cache. The company originally told us it deleted the cache. We have also pointed out that Skyhook encrypts its cache.
