A security loophole on smartphones could be used to track users without their consent

Researchers from Boston’s Northeastern University have developed a mobile app for Android that, once installed, can send information regarding the users’ location without their consent. The app does not require permissions to access GPS or Wi-Fi information, and instead infers the location indirectly by accessing other built-in sensors that can be used without explicit consent. These sensors include the accelerometer, which detects the orientation in which the mobile phone is being held, the gyroscope, which measures the rotation of the device, and the magnetometer, which acts as an inner compass.

By using the information provided by these sensors, the researchers show that this type of malicious software could be used to detect where a person lives, which route they take to work and even if the person normally carries the phone in the pocket, where is relatively stable, or in a purse, where it swings.

The app was tested virtually, simulating driving routes in 11 cities with different populations and road densities, but also in a real setting, in which four people were asked to drive around the area of Boston with the app installed on their phones. Using the information sent by the app, the researchers were able to calculate 10 possible routes. The probability that the real route was one of the 10 shortlisted, was higher than 50% in the virtual setting and around 30% in the real setting.

But location is just a part of the story. As Guevara Noubir, one of the authors of the research, warns:

Additional information can then be gleaned by searching town and city public data­bases for, say, property tax records. Adversaries can recover lots of details through these side channels.

Although the research was made on Android, a similar loophole is likely to be present on iPhones, as their operating system also does not limit access to the sensors the app uses to infer the location. The finding highlights the need to increase privacy protection in smartphones and to address security loopholes that could be exploited by malicious programs.

Good privacy practices

While the app described here can track even a careful user, the truth is that most users give away a huge amount of personal information without their knowledge.

One of the reasons is that many permissions that we grant to the apps we install are buried in terms-of-use agreements that few people read. According to a recent survey, some terms-of-use are as long as 30,000 words and more than 70% of people admit not reading them all and only 17% say that they understand them. Therefore, a careful inspection of the apps we use can substantially reduce risks. Noubir advices:

You should not install apps that are not familiar to you—ones that you have not inves­ti­gated. And be sure that your apps are not still run­ning in the back­ground when you’re not using them.

He also recommends uninstalling apps that you do not use frequently.

Another important security breach is that default settings in most smartphones are rather permissive. For example, Google’s services embedded in Android operating systems by default upload your passwords to Google servers, track your browsing habits to send you tailored advertising, and keep a record of the places you’ve been to, based on the information provided by the GPS. Devoting five minutes to change some of these settings can have a great impact on our privacy.

But collecting information from users is not something just Google does: every other Internet giant, including Apple, Facebook and Microsoft, use similar practices. As more and more information is available on-line, being aware of the terms-of-use that we sign and the settings in our apps and accounts is becoming increasingly important, even if we have nothing to hide.

Get involved!

Sign the petition to stop government plans to snoop on your internet history

Featured image via Flickr/Doug Belshaw