Researchers led by Northeastern University professor Guevara Noubir have discovered that some of your Android apps may automatically be communicating sensitive information, such as your travel routes, through your phone’s built-in sensors.
If you recall, three years ago the Brightest Flashlight app for Android was charged by the Federal Trade Commission for consumer deception since the app was relaying user location and device ID to third parties without letting users know or getting permission to do so.
The new research has revealed that other Android apps can be manipulated to reach inside your mobile phone to track your location and traffic patterns – all without your knowledge or consent.
How did they discover this? The researchers built their own Android app and tested it. Their system used an algorithm that inserts data from the phone’s sensors into graphs of the world’s roads. They then applied the algorithm to different simulated and real road trips. For each trip, the system generated the five most likely paths taken. Their most recent results found that there was a 50% chance that the actual path traveled was one of the five.
“Our research shows that an Android app does not need your GPS or Wi-Fi to track you. Just using its sensors, we can infer where you live, where you have been, where you are going,” said Noubir.
According to Noubir, this means that for just about $25, anyone can put an app on Google Play and some of them may be malicious since nobody is screening them.
If an Android app wants to access this kind of sensitive information, typically it must let the user know. However, permissions tend to be buried in terms-of-use agreements, which a lot of people don’t read, or skim over quickly.
Android apps can then have access to key sensors inside the phone that detect the device’s location, movements, and orientation. These sensors can provide clues about the routes you travel and even whether you keep your phone in your pocket or your purse (think: the phone is stable or it’s swinging).
“In our research we show that an app in fact does not need your GPS or Wi-Fi to track you,” said Noubir. “Just using these sensors, which do not require permissions, we can infer where you live, where you have been, where you are going.”
The researchers conducted two types of tests by simulating drives in 11 cities around the world, which included over 70 different routes. In both tests they collected scores of measurements which came from the phones’ changing positions, including the angles of turns and the trajectory of curves.
Their most recent results surpassed their initial ones, which were published in the proceedings of the 2016 IEEE Symposium on Security and Privacy and showed a 50% chance that the actual path traveled was one of 10 generated.
“Inferring a driving pattern from an Android app can lead to much greater invasions of privacy, such as where the user lives and works,” said Noubir. “Adversaries can recover lots of details through these side channels.”
What can you do?
According to Noubir, for users to protect themselves, they should first be armed with knowledge. Do not download apps that you haven’t looked into or that are unfamiliar, he advises.
In addition, make sure that your apps are not running in the background when you’re not using them, and uninstall apps that you don’t use often so that they cannot access your sensors for no reason.