Boffins crack smartphone location tracking – even if you've turned off the GPS

Permission? Who needs it?

By Richard Chirgwin


Religiously turning off location services may not save you from having your smartphone tracked: a group of IEEE researchers have demonstrated it's possible to track mobes even when GPS and Wi-Fi are turned off.

And, as a kicker: at least some of this data can be collected without permission, because smartphone makers don't consider it sensitive.

The researchers from Princeton University (student Arsalan Mosenia, IEEE members Xiaoliang Dai and Prateek Mittal, and IEEE fellow Niraj Jha) tracked smartmobes using a technique dubbed PinMe, which combined information from the phone and non-phone sources to work out where a user is.

In their paper, out this week, they explain that PinMe works with “non-sensory/sensory data stored on the smartphone” (the first category includes timezone and network status; the second includes air pressure and heading), and when that's combined with “publicly available auxiliary information” like elevation maps, it's able to “estimate the user's location when all location services, eg GPS, are turned off.”

The combination of data sources, the paper says, yielded user tracking “comparable to GPS” on their iPhone 6, iPhone 6S and Galaxy S4 i9500 test devices.

The paper noted that while an attacker might try to sweep up such data using the well-trodden path of installing a malicious app (after all, user-snooping flashlight apps have been around for years), there are also public sources of data: fitness apps such as Strava.


Fitness apps "can, without arousing suspicion, collect and upload a significant amount of valuable non-sensory/sensory data, which can be post-processed to infer critical information about the user," the researchers wrote.

In the PinMe attack, the researchers went down the malicious app path, and as noted above, some of the information a smartphone can get doesn't need the user's permission. Timezone, device IP address and network status don't need permission; nor do the accelerometer, magnetometer (which measures the angle between the phone's heading and north), or barometer.

The public data PinMe uses includes OpenStreetMap, Google Maps' elevation data fetched through its API, OpenFlights (which maps 9,541 airports); they built a train heading database from Google Maps, and accessed public transport timetables (where possible, from their APIs).

As an example of how all this translates to getting a user's location: the IP address can be geolocated to provide a guess at a city; barometer data tells you if the user arrived on an aeroplane; if the user's heading doesn't change much, they're on a train; travel by car can be correlated to street map data; and so on.

In the cities in which the boffins ran their tests (Princeton and Trenton in the US state of New Jersey and Philadelphia in Pennsylvania), the correlation between heading changes and street maps yields a track that gets more accurate the further the trip – because the longer the drive, the fewer the possible paths the user might take.

Likewise, you don't need a GPS to work out which airport someone flew into: takeoff and landing times are public, you can grab elevation from the phone, so the "planeTracker" component in PinMe "was able to accurately and uniquely return both departure and destination airports for all four flight routes" in the test.

The paper suggests phone manufacturers give users the ability to shut down sensors, or put sensors into a privacy mode that limits their sampling rate and accuracy. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

EFF's Privacy Badger will block snooping ads and invisible trackers

Google-backed privacy org promises browser add-on will nix naughty snoopers

EFF looses Privacy Badger to munch cookies and scripts

Furry and furious browser-protector aims to improve online privacy

Pretending to be a badger wins Oxford Don 10 TRILLION DOLLARS

Volkswagen also scored one of last night's Ig Nobel Prizes, for software-defined chemistry

One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools

Call for software to throw badly behaved biz in fake data tar pits

Comcast is the honey badger of ISPs – injects pop-ups into browsers, doesn't give a fsck

Nothing to see here. Move along

Watch out, Yahoo! EFF looses BADGER on sites that ignore Do Not Track

Browser plugin nudges companies toward compliance

Ghostery, uBlock lead the anti-track pack

Privacy Badger grazes on cookies, but DoNotTrack? Nobody cares

Fed up with Facebook data slurping? Firefox has a cunning plan

The Facebook Container add-on quarantines the social network to limit data harvesting

Sigfox cracks open IoT radio protocol specs for world+dog (+badgers?)

Low-power ultra-narrowband network for your street, ma'am?

Badger bloodbath brouhaha brings 'bodge' bumpkin bank burgle bluster

Not a black-and-white case