Boffins crack smartphone location tracking – even if you've turned off the GPS

Religiously turning off location services may not save you from having your smartphone tracked: a group of IEEE researchers have demonstrated it's possible to track mobes even when GPS and Wi-Fi are turned off. And, as a kicker: at least some of this data can be collected without permission, because smartphone makers don't …

  1. James 51
    Gimp

    Nokia 3310 keeps looking better and better.

    1. phuzz Silver badge
      Big Brother

      Is there any way to do encrypted comms on a 3310 though?

      Handwritten notes encoded with a one-time-pad are looking better and better...

      1. Dan 55 Silver badge

        There is a 4G version out this year. As 4G use on the phone will be limited, hopefully this means it's also got tethering.

      2. John Smith 19 Gold badge
        Unhappy

        IOW this is *not* secretly activating GPS. It's "inferred" location with *near* GPS accuracy.

        Which is

        a) Quite clever

        b) Very f**king scary

        c) Only possible because of the clumsy security control on most phones. Phone's IP address is not sensitive. WTF? I mean WTF?

        And yes I think every service on a "smart" phone should be user level controllable regarding what apps can access it. If you want it to be available to "all" then fine, but the default should be "none."

        Personally I'd prefer a "spoof" mode where apps that insist they can't run without access to your address book (why?) should be set to use the phone's default app(s) which should then generate a limited amount of plausible BS.

      3. veti Silver badge

        You can do encrypted comms with a pen and paper, quite ordinary people have been doing it for centuries. Of course you can do them with a 3310.

  2. Lee D Silver badge

    Gosh, it's almost like if you let a piece of software collect lots of unnecessary data and then upload it to some random place on the Internet, that someone could use this against you in some way.

    Seriously... fine-grained permission control. Why are air pressure and heading not protected by a permission? Because there's no "you must ask for permission" blanket default before a "you must grant permission" user-authorised exclusion when that data is requested.

    And users are stupid and don't understand that a walking app doesn't need to know your air pressure.

    Honestly, any combination of more than 2 or 3 permissions is a warning sign, and things like "requires Internet access" isn't fine-grained enough. MAKE APP MAKERS SPECIFY TARGET DOMAIN NAMES.

    PCs are rapidly moving towards web-services contained within the browser DOM model on the local PC; apps are the equivalent of installing a Flash plugin. It's a backwards step.

    Sorry, but you get the bare minimum of permissions to do the task at hand, the default should be "no" for everything, and users should be able to say "Pretend I've given it the permission, but just send it fake data" (e.g. The flashlight app wants webcam access? Sure. Send it some white noise.). But, to be honest, rather than propagate the Vista UAC debacle into every mobile phone on the planet, let's just stop making programs that require those permissions and refuse them at the app-store. Literally force the writers to publish something like an SELinux capability report, down to port numbers, domain names, and format of information sent, individual permissions for everything (there should be no "you need to ask for camera access to turn on the flashlight" as is/was common), which is then audited for necessity, and any warning that pops up EVER on any phone that it's breaching those capabilities result in its being blacklisted as an app.

    Without it? You're in a blank sandbox filled with false info no matter what you request.

    1. ChrisC Silver badge

      "And users are stupid and don't understand that a walking app doesn't need to know your air pressure."

      If it's just a simple step counter app then OK, no need for any sensor access beyond the accelerometer. But if the app is trying not just to count steps but also estimate calories burned as a result, then knowing if those steps resulted in you gaining, losing or maintaining elevation means the resultant estimation will be somewhat less inaccurate than a simple "1 calorie = x steps" conversion.

      Not that I disagree with the more general observation that users can and do completely ignore some utterly insane permission requests from apps, or that the current permissions model is a bit broken, but to suggest people are stupid if they allow an app to request a permission which isn't obviously out of scope for that type of app... bit harsh methinks.

      1. Mike Moyle

        The impression that I got from the article is that users are never ASKED to authorize sharing of barometric data because handset/app makers don't consider that personally identifiable information. Hell, they may not even specifically intend to collect it, but simply don't NOT collect it along with temperature and other environmental data.

        So "clueless users" criticisms might be misdirected, in this case.

        Or, am I missing something...?

      2. JohnFen

        "But if the app is trying not just to count steps but also estimate calories burned as a result, then knowing if those steps resulted in you gaining, losing or maintaining elevation means the resultant estimation will be somewhat less inaccurate than a simple "1 calorie = x steps" conversion."

        Technically true, however it's also true that step counters are horribly inaccurate in actually counting steps. The error introduced by that has got to swamp out whatever error might be introduced by changes in air pressure.

        Also, determining elevation by air pressure will only give a rough guess unless you have a way of comparing it to the air pressure at a known elevation in the same area.

        1. John Brown (no body) Silver badge

          "Also, determining elevation by air pressure will only give a rough guess unless you have a way of comparing it to the air pressure at a known elevation in the same area."

          Nah, you just need to measure changes. Of course, things may appear a little different if there's a big pressure change due to weather while out walking.

      3. eldakka

        > then knowing if those steps resulted in you gaining, losing or maintaining elevation means the resultant estimation will be somewhat less inaccurate than a simple "1 calorie = x steps" conversion.

        The app can calculate that locally from those inputs, but it doesn't need to send that raw data into the cloud.

  3. Steve Evans

    Curious...

    I thought elevation was only provided by the GPS... Is that available without location permissions?

    Even if it is, being a non-primary function of GPS, elevation is not really very accurate, which might be OK if you're tracking someone in the foothills of the Andes which dwarf the margin of error, but those in flatter areas are likely much harder to track...

    If paranoid move to the Netherlands.

    1. Len Goddard

      Re: Curious...

      They use the barometer. Combine air pressure with known atmospheric pressure in the region you are in and you get a pretty good estimate of altitude. Worked for the aviation industry for many years before GPS.

      1. Anonymous Coward

        Re: Curious...

        > Worked for the aviation industry for many years before GPS.

        And still does, being our altimetric datum.

        This *will* change but not in the next 15 years.

      2. Steve Evans

        Re: Curious...

        > They use the barometer. Combine air pressure with known atmospheric pressure in the region you are in and you get a pretty good estimate of altitude. Worked for the aviation industry for many years before GPS.

        I did mean to mention that, how common is a barometer in smartphones these days? I realise I'm not cutting edge, still happily using a 3 year old phone, but I certainly don't have one.

        1. TRT Silver badge

          Re: Curious...

          You sure that's barometer and not bar-o-meter, the pub crawl app?

          1. quxinot
            Pint

            Re: Curious...

            "You sure that's barometer and not bar-o-meter, the pub crawl app?"

            Can't tell. The screen's all blurry....

        2. JohnFen

          Re: Curious...

          My phone is nearly five years old and contains a barometer. Those sensors are tiny and dirt cheap, and so I expect that they're pretty common these days.

    2. Anonymous Coward

      Re: Curious...

      GPS elevation data is consistent, if not accurate, and therefore can be used for assumptions.

      Agree that all sensor information should have permission, and frankly should be more prominent in advance of app installation. Why would a torch app need ANY sensor information, for example? It's either ad-related or malicious (fine line sometimes...)

      Data leakage of any kind is likely to result in some kind of matching data attack, although it is also likely that this will become a de facto issue of having a smartphone at all. Organisations that you permit e.g. Strava can still have the TLA organisations tapping them on the shoulder or subverting their feeds regardless. Probably easier for them to simply open their own advertising shops though, in a similar vein to creating their own TOR nodes...

      Most people outside the reg forums don't really know what tinfoil is for, let alone making hats out of it and broadcast their every movement, purchase and bank balances to all and sundry.

      If you really want to stay relatively hidden, the old phones are your friend, without all the clever sensors. (as well as being very cheap)

      1. James O'Shea

        Re: Curious...

        "Agree that all sensor information should have permission, and frankly should be more prominent in advance of app installation. Why would a torch app need ANY sensor information, for example? It's either ad-related or malicious (fine line sometimes...)"

        There was the case, a few years ago, of the fine upstanding gentleman who murdered his wife and wanted to get rid of the body. This is Flori-duh, home to many lakes, rivers, streams, and canals inhabited by everyone's fav reptile, the American Alligator (as distinct from its cousins the Chinese Alligator and the American Crocodile; the Chinese 'gator lives in, well, China, while the American croc rarely ventures north of Miramar) and the nice, warm, welcoming, ocean has lots and lots and lots of assorted sharks and barracuda (the Flori-duh Tourist Board is now very upset with me). We're not quite up to Australia levels of wildlife hostility, but we're working on it. In any case, instead of just dropping the body into a convenient body of water, m'man decided to go out into the woods and dig a grave. At night. He turned on the flashlight app on his phone to shed some light on the process (why he needed light to dig a hole is another question...) and the flashlight app called home to Mama. When the cops investigated (those of us who watch Law&Order know that the first suspect is always the nearest and dearest) they called up the cellco and got pointers to go to the company which sold the flashlight app, who were only too happy to provide all kinds of data, including exact GPS readings on where the phone had been that night. This resulted in a little expedition into the woods, and a quickly located body.

        Moral of the story: if you want to get rid of the wife, leave the phone at home when you do. Or feed her to the gators. Or, at least, don't turn on the flashlight app.

        1. John Smith 19 Gold badge
          WTF?

          to the company..sold the flashlight app,..only too happy to provide..exact GPS readings

          A "Flashlight" app that calls home and dumps your co-ordinates to a central server?

          I'm thinking most of these apps should just be filed under the section of the app store marked "Trojans" since TBH that is exactly what they are, whether or not they are actively trying to commit a crime with your phone. Violating your privacy for someone else's profit so they can pimp the data out.

        2. Anonymous Coward

          Re: Curious...

          There was the case, a few years ago, of the fine upstanding gentleman who murdered his wife and wanted to get rid of the body....

          Moral of the story: if you want to get rid of the wife, leave the phone at home when you do. Or feed her to the gators. Or, at least, don't turn on the flashlight app. Or just don't murder wife.

          Just being very obvious.

      2. JimboSmith Silver badge

        Re: Curious...

        Personally I use a firewall (the root-free variety) and block any apps from accessing the data connection that I don't think need it. I downloaded one app a couple of years ago and it wanted access to everything despite the fact that it had no need for most of it. It was one of those word search apps and I only downloaded it to use on a long train journey. It was trying to reach a large number of IP addresses and was a vast majority of the access requests that the phone was making. It was caning the battery too (about the same as Candy Crush) and I deleted it shortly after I spotted this.

    3. Anonymous Coward

      Re: Curious...

      Sure... Then you enter the country by car, drive through those license plate registration ports at the border, continue your journey while traced by the traffic/speed cameras which have been deployed in the Netherlands on a massive scale "to prevent road casualties". Realising this, you decide to move to public transport, and purchase an "OV Chip card" with your credit/debit card (cheaper! Cash sale limited and more expensive!), swipe it at the station entrance to gain access to the platform and train/bus/tram/metro you want to go on. The advantage of this of course is that "one card works everywhere!". Swiping your card to be able to leave the station again (not doing so will result in an automated fine, conveniently received in the comfort of your own mailbox at and @ home (email registration required for purchase of OV card)), you indulge in a bit of shopping in the Dutch stores (which now massively use in-store device tracking for marketing purposes) and pay with your BSN (Dutch general purpose "citizens number", registered for everything, think social security number, but also used for health insurance, bank details, booking a trip, getting a speeding ticket, applying for a job, paying taxes, buying a telly. Really handy!) coupled electronic payment method. Being "foreign", you grab your cash, and the store attendant asks if you can't pay electronically, preferably the Dutch, BSN coupled, PIN method. After all, cash is only used by tax dodgers, terrorists, and criminals. You say sorry, no, you're foreign, and have no Dutch accounts. You slip the € 100 bill across the counter. "Sorry, we don't accept these. Don't you have € 50 or smaller?" You turn up a few coins, but not enough. "Sorry", the attendant says, "but could you please go to a bank to change?" [...] Arriving at the bank, the person at the till asks you for your passport so she can give the change ... ... ...

      This is IRL Netherlands, no fiction. So I suppose it's safe to say they don't need terrain elevation...

  4. Anonymous Noel Coward
    Black Helicopters

    Joke's on them!

    I keep my smartphone wrapped in tin foil at all times to keep it fresh.

    1. Anonymous Coward

      Re: Joke's on them!

      I do the same with my head, you can never be too careful these days.

      1. Anonymous Coward

        Re: Joke's on them!

        > I do the same with my head, you can never be too careful these days.

        I do the same with... (never mind)

        1. DropBear

          Re: Joke's on them!

          You've got nothing on me! I keep even my tin foil tightly wrapped in tin foil, only taking it out right before use, so it's fresh and not already soaked full of those evil mind control rays!

      2. Tim Seventh
        Coat

        Re: Joke's on them!

        > I keep my smartphone wrapped in tin foil at all times to keep it fresh.

        > I do the same with my head, you can never be too careful these days.

        That's an interesting way to keep your mind fresh.

  5. Anonymous Coward

    Bad idea

    How will the FBI illegally spy on Trump and hand info to the DNC if this gets fixed? I think The Register means to have this fixed... in 7 years.

    1. phuzz Silver badge

      Re: Bad idea

      I shouldn't feed the troll, I know, but...

      The FBI, or any other arm of a government, can go to the phone company and get the cell tower location records directly. The article describes a method that can be performed by pretty much anyone.

      Plus, if the FBI wanted to know Trump's location they could either ask the Secret Service, or just go to the nearest golf club that's next to a McDonalds.

    2. Tom 7

      Re: Bad idea

      Like it's hard to tell where the loud-mouthed orange self-publicist is at any moment in time.

    3. a_aramini

      Re: Bad idea

      In politics, the number of years it takes on paper to "achieve" any major long-term goal is always expressed as the number of years left in the politician's current term plus 1yr. Thus, a 4yr term = a 5yr plan.

    4. JimboSmith Silver badge

      Re: Bad idea

      > How will the FBI illegally spy on Trump and hand info to the DNC if this gets fixed? I think The Register means to have this fixed... in 7 years.

      I was asked by one of my non-technological friends when Obama became President how they would keep him safe when he had a phone on him. They'd heard that it was possible to track a phone and find someone that way. I said he wouldn't be in much danger of that as he was protected by an army of people dedicated to keeping him safe and healthy. What I'd do to increase that security if it was me was have the phone only connect to a WHCA (White House Communications Agency) picocell transmitter. Then install one of these at the White House/Camp David/in the planes likely to get the call sign Air Force One, USSS Road Runner vehicles etc. The calls are then routed back to the White House via various methods, certainly not using local cell towers. As the President is never (or shouldn't be) very far from one of these cells his phone should be operating on very low power as a result. That should help with people trying to scan for his phone as they'd have to get quite close and would probably look suspicious enough to alert the USSS. I would also have a bunch of phones that connect to these pico cells so that you couldn't pinpoint one of them as belonging to POTUS.

  6. Blotto Silver badge
    Unhappy

    How do they get elevation information from a phone that's been on a flight?

    The iPhones mentioned have barometers in them so can sense elevation (much more accurate than GPS elevation, which is one reason why aircraft do not use GPS for elevation), but in a pressurised cabin it won't tell you outside elevation. By the time the plane is on the ground cabin pressure should be close to that of local, so how do they know if the phone has been in the air, or are they trying to just match phone-reported elevation with that of known airports?

    or are they suggesting the phone can regurgitate historical elevation data?

    1. werdsmith Silver badge

      Re: How do they get elevation information from a phone that's been on a flight?

      The phone app will have recorded the pressure data, showing that it was fluctuating at around the equivalent of 8000 feet for a period before equalising to the outside QFE pressure. The app would then send this recorded information.
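A worked version of the altitude arithmetic discussed in this sub-thread (Len Goddard's reference-pressure point, John Brown's weather caveat and werdsmith's 8000 ft cabin), as an added Python example that is not from the article, the PinMe paper or any commenter; the pressure log, the 8000 ft cabin figure and the 1500 ft tolerance are constructed assumptions.

```python
"""Barometric altitude from a phone's pressure sensor (constructed example).

Standard ISA hypsometric formula, as used by aviation altimeters, applied to
a constructed pressure log. Shows why ~753 hPa reads as an ~8000 ft cabin,
how a local reference pressure (QNH/QFE) sharpens the estimate, and how an
unknown weather change blurs it. Not code from the article or the paper.
"""
from __future__ import annotations

# ISA constants (standard atmosphere, troposphere only)
T0 = 288.15            # sea-level temperature, K
LAPSE = 0.0065         # temperature lapse rate, K/m
P0 = 1013.25           # standard sea-level pressure, hPa
G = 9.80665            # gravity, m/s^2
M_AIR = 0.0289644      # molar mass of dry air, kg/mol
R_GAS = 8.31447        # universal gas constant, J/(mol*K)
EXPONENT = R_GAS * LAPSE / (G * M_AIR)   # ~0.19026
FT_PER_M = 3.28084


def altitude_m(pressure_hpa: float, ref_hpa: float = P0) -> float:
    """Height in metres above the level where the pressure equals ref_hpa.

    ref_hpa = P0 gives ISA pressure altitude; the current local sea-level
    pressure (QNH) gives height above mean sea level; the pressure measured
    at a known nearby spot (QFE) gives height above that spot, which is the
    "just measure changes" approach from the thread.
    """
    return (T0 / LAPSE) * (1.0 - (pressure_hpa / ref_hpa) ** EXPONENT)


def weather_error_m(pressure_hpa: float, ref_error_hpa: float) -> float:
    """Altitude error from a reference pressure that is off by ref_error_hpa.

    A weather front moving regional pressure by a few hPa is indistinguishable
    from a height change when no local reference is available: roughly 8 m of
    apparent altitude per hPa near sea level.
    """
    return altitude_m(pressure_hpa, P0 + ref_error_hpa) - altitude_m(pressure_hpa)


def cabin_altitude_segments(log_hpa: list[float], cabin_ft: float = 8000.0,
                            tol_ft: float = 1500.0) -> list[tuple[int, int]]:
    """Index ranges of consecutive samples whose pressure altitude is within
    tol_ft of a typical pressurised-cabin altitude (the flight signature the
    thread describes). Returns [] for a log that never leaves the ground."""
    segments: list[tuple[int, int]] = []
    start = None
    for i, p in enumerate(log_hpa):
        near = abs(altitude_m(p) * FT_PER_M - cabin_ft) <= tol_ft
        if near and start is None:
            start = i
        elif not near and start is not None:
            segments.append((start, i - 1))
            start = None
    if start is not None:
        segments.append((start, len(log_hpa) - 1))
    return segments


# Constructed log, hPa, one sample every few minutes: ground at ~1010 hPa,
# climb, cruise at cabin pressure ~753 hPa, descend, ground at ~1005 hPa.
SAMPLE_LOG = [1010.0, 1010.1, 900.0, 810.0, 755.0, 752.0, 753.0, 754.0,
              753.5, 820.0, 950.0, 1005.0, 1005.2]

if __name__ == "__main__":
    print(f"753.0 hPa -> {altitude_m(753.0) * FT_PER_M:.0f} ft pressure altitude")
    print(f"1010 hPa with a 10 hPa weather error: "
          f"{weather_error_m(1010.0, -10.0):+.0f} m apparent altitude error")
    print("cabin-pressure segments:", cabin_altitude_segments(SAMPLE_LOG))
```

The 10 hPa case is the weather caveat in numbers: without a local reference the same reading is ambiguous by roughly 80 m, which is why the thread's "combine with known regional pressure" step matters.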

    2. ChrisC Silver badge

      Re: How do they get elevation information from a phone that's been on a flight?

      "or are they suggesting the phone can regurgitate historical elevation data?"

      From the article: "In the PinMe attack, the researchers went down the malicious app path" - if you're in control of the data collection process, then pretty much anything is possible provided the phone remains powered up...

  7. Anonymous Coward

    What about if airplane mode is on? Does that do anything?

    1. Anonymous Coward
      Joke

      'What about if airplane mode is on? Does that do anything?'

      Yes, your phone flies away...

  8. Prst. V.Jeltz Silver badge

    So this 'hack' is that people are trackable due to the crap they post online ?

    I can't see it being anywhere near GPS accurate.

    It'll probably report that I'm at Wetherspoons 24/7

    1. Craigie

      Did you even read the article?

      1. Rich 11

        He must be having a liquid lunch. Alone, with only his phone for company.

  9. Sandtitz Silver badge
    Joke

    Great!

    GPS has always sucked the life out of any battery so finally we can ditch it and have maps and routing where you don't need to worry about keeping the phone plugged all the time. Brilliant!

    1. Francis Boyle Silver badge

      Re: Great!

      For some time now Google has been asking me to review places I've visited despite the fact that I keep 'location' switched off (for power reasons). I assume they're using tower information but it's uncannily accurate.

      1. Tom 7

        Re: Great!

        I keep location switched off because I know where I am. I have yet to find an app that tells me something useful about my location that is anything other than fucking irritating.

        1. onefang

          Re: Great!

          "I keep location switched off because I know where I am. I have yet to find an app that tells me something useful about my location that is anything other than fucking irritating."

          In all my years of owning a GPS capable smart phone, I've never once had to actually use it for figuring out where I am. I still turn on GPS regularly to use Google Daydream apps, coz Google insists, which wouldn't be so bad if they actually used that to figure out the position of my head, instead of only using the rotation of my head. Google have no valid reason for needing GPS data in Daydream. Considering any VR app can drain my battery in a couple of hours, leaving the GPS turned off would be a good thing, the battery would last a little bit longer.

      2. Fihart

        Re: Great!

        Yes. I was puzzled when my phone displayed my position on a map app even though GPS and Location were turned off. Cell towers will still show where you are. You could switch to Airplane mode -- but then you can't receive calls/texts.

        Slightly more worrying is the way Amazon etc calculate your street address via your IP address. And get it wrong. Careful when ordering or your neighbours may get your stuff.

        1. JohnFen

          Re: Great!

          "Slightly more worrying is the way Amazon etc calculate your street address via your IP address."

          I've never had Amazon even try to do this for me. They must know that my IP address will only get you to within a 100 mile radius of my location.

        2. onefang

          Re: Great!

          "Slightly more worrying is the way Amazon etc calculate your street address via your IP address. And get it wrong. Careful when ordering or your neighbours may get your stuff."

          Using my IP address to figure out where I am either results in the capital city of the Australian state to the south of me, or the data centre on the other side of the planet where my server lives, coz I proxy most web stuff through that server. IP to location data is only as accurate as your ISP tells the world, coz that's where the information comes from. If your ISP tells the world "all our customers' IPs are located at our HQ in Sydney", tough luck. I wonder how many Amazon deliveries get sent there?

          1. StargateSg7

            Re: Great!

            So I am assuming your server is either in Sydney, British Columbia, Canada or Sydney, Nova Scotia, Canada --- That's a 5000 km+ difference within Canada itself AND 12000 km+ difference from Sydney, Australia. Thank you for using our servers here in Canada....
