Turning off your GPS won't prevent smartphone apps from tracking you.
I was recently interviewed for an article on this very topic by Sophos's award-winning threat news room, Naked Security. The article discusses an app researchers developed to show how precisely smartphone users can be tracked even when their GPS is turned off. The app collects unprotected (or loosely protected) sensory data stored on smartphones to pinpoint the user's location. It can even determine what the user is doing: walking, driving a car, riding in a train or on an airplane.
"The app knows the time zone you're in based on the information your phone has provided to it," the article states. It then accesses information from your barometer and magnetometer and compares it to information from publicly available maps and weather reports. After that, it keeps track of the turns you make. With each turn, the possible locations whittle down until it pinpoints exactly where you are.
During a test run in Philadelphia, the researchers said it took only 12 turns for the app to know exactly where the car was.
What are the security concerns of these findings?
Aside from the very obvious concerns for people in sensitive situations, such as victims of domestic abuse, celebrities, politicians, and individuals with high-stakes professions, being trackable through smartphone data opens the door to a host of other security concerns.
Most apps are created without meaningful security and privacy controls built in. And most apps are collecting, storing and sharing all the data possible from the devices upon which they are loaded. That means an app is not only accessing data from its user's device; it may also be combining that data with other data sets to clarify information about the user. This is made fairly simple through the use of increasingly powerful big data analytics and artificial intelligence.
This is what makes so many of the comparatively few privacy notices provided by app vendors and device manufacturers so misleading: they may be correct in saying they are not collecting explicitly named data items from a user. But they almost always are combining what they do collect with other data sets to then establish very detailed insights into a user's life, activities, locations, likes and dislikes and more.
How should these security concerns be addressed?
There are a number of ways smartphone users, app creators, smart device engineers/manufacturers and lawmakers can and should address these quickly growing privacy issues.
Smartphone users
- Remove all apps not in use. These apps are likely continuing to collect and share data from the device.
- Periodically shut down and clear out cache/memory and delete unnecessary files from the device. These can be valuable sources of data to a wide range of entities of which you may not even be aware.
App creators
- Fully address information security and privacy by building meaningful and effective security and privacy controls into apps.
- Truly give the end-users control over the data collected from them and how it is shared.
Smart device engineers and manufacturers
- Provide end-users with ways to easily identify data and apps on their devices and the ability to completely remove them.
- Build strong, easy to understand (and use!) security and privacy settings that are turned on by default.
Lawmakers
- Establish regulations requiring app creators and device manufacturers to provide meaningful and effective security and privacy controls and information.
- Restrict the use of data collected by apps and devices.
While accomplishing all of this may seem like an overwhelming task, the first step is raising awareness of the issues at hand. And that's precisely what I hope this blog post did for you.