Researchers in Denmark say that it’s child’s play to track your Android phone via Wi-Fi even if the Wi-Fi is nominally turned off – and even if you didn’t let an app track your location.
Apps distributed via Google Play have to enumerate the precise permissions they require in order to function – something simple like a flashlight doesn’t (or shouldn’t, anyway) require anything more than access to the camera, so that it can use the flash. More complicated apps with deeper features might need more extensive permissions, including access to the phone’s location data, whether that’s obtained via GPS or Wi-Fi.
However, said Technical University of Denmark Ph.D. student Piotr Sapiezynski and his team in a paper published last week, any apps that have access to Wi-Fi connection information can easily track the physical locations of their users, even if the specific permission for location tracking wasn’t given.
The research team made its tracking app available publicly on Google Play, so I decided to give it a whirl. It’s a small app, at 190K in size, and installed quickly on my HTC One M7, which is running a recent nightly of CyanogenMod. The only permission it asked for was access to Wi-Fi data, which I disabled before installing, along with location services.
Initially, it looked as though the experiment hadn’t worked – the app displayed a message saying that it didn’t have any data to work with. I thought, perhaps, that my after-market Android install didn’t constantly search for Wi-Fi networks the way other versions do.
However, after checking in on the app about 45 minutes later, I got this:
Network World’s offices, precisely located, via an app that doesn’t ask for permission to locate you.
Some of the most-downloaded apps on the market had this capability, according to Sapiezynski and his fellow researchers – including Candy Crush, Angry Birds and Pandora.
“We are not suggesting that these or other applications collect WiFi data for location tracking,” the paper read. “These apps, however, do have a de facto capability to track location, effectively circumventing Android permission model and general public understanding.”
The research itself tracked 63 students for a period of 200 days, finding that it was easy to identify workplaces, homes, and so on, based on as few as 20 queries to Wi-Fi geolocation data providers like Skyhook or Google.
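To check an app inventory for the permission gap the paper describes, the added example below (not code from the article or the researchers) reads decoded AndroidManifest.xml files and flags apps that request Wi-Fi state access without declaring a location permission. It assumes the article's "access to Wi-Fi connection information" corresponds to `android.permission.ACCESS_WIFI_STATE`; the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: the article's "access to Wi-Fi connection information" maps to this permission.
WIFI_PERMS = {"android.permission.ACCESS_WIFI_STATE"}
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def classify(manifest_xml):
    """Label an app by whether its location capability is visible to the user."""
    perms = requested_permissions(manifest_xml)
    if perms & LOCATION_PERMS:
        return "declared-location"
    if perms & WIFI_PERMS:
        return "wifi-only-location-capable"  # the gap the paper describes
    return "no-location-capability"

def _manifest(package, *perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, uses))

SAMPLES = {  # constructed inputs
    "flashlight": _manifest("com.example.flashlight", "CAMERA"),
    "game": _manifest("com.example.game", "INTERNET", "ACCESS_WIFI_STATE"),
    "maps": _manifest("com.example.maps", "ACCESS_FINE_LOCATION", "ACCESS_WIFI_STATE"),
}

def audit(samples):
    """Map each sample name to its classification."""
    return {name: classify(xml) for name, xml in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

Apps labelled `wifi-only-location-capable` are the ones to review first, since nothing in their permission list tells the user that location can be inferred.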