Any Android phone can be turned into a tracking device using its sensors without the user knowing, according to researchers at Northeastern University.
Apps can access the motion and orientation sensors in an Android phone without explicitly asking for permission, which sensors such as GPS require. This information can be used to generate an accurate picture of where someone is travelling and even where their phone is stored.
“An app in fact does not need your GPS or Wi-Fi to track you,” said Guevara Noubir, the lead researcher behind the study.
Noubir’s team of researchers demonstrated this using an app that had access to the phone’s accelerometer, gyroscope and compass without being granted permission in the normal way.
They created an algorithm that could place data taken from the sensors onto OpenStreetMap’s maps of the world’s roads to work out the five paths a phone could have travelled between any given points.
“Just using these sensors, which do not require permissions, we can infer where you live, where you have been, where you are going,” said Noubir.
The researchers tested the app by simulating road trips around 11 cities, including Berlin, London, Rome, Boston and Atlanta, while the app tracked their phones’ position, the angles of turns and the trajectory of curves.
The app then suggested five routes it thought they could have travelled; 50 percent of the time, one of them was the actual journey.
According to the researchers, the method could be used to gauge information such as how you travel to work, along which route, and whether you carry your phone in your pocket, where it’s relatively still, or in your purse, where it swings.
“Inferring a driving pattern from an Android app can lead to much greater invasions of privacy, such as where the user lives and works,” said Noubir. Coupled with publicly available information, “adversaries can recover lots of details” about a victim.
Noubir is now going to investigate to what extent this kind of tracking is happening to Android users.
How to protect yourself
The best way to protect yourself from malicious apps that could be tracking your movement and behaviour is to only download apps you’re familiar with, and read reviews on the Google Play Store before installing.
Make sure you check the permissions that an app’s asking for and what background activity it’s conducting, and, if you don’t use it very frequently, delete it.
“For $25 (£19), anyone can put an app on Google Play,” said Noubir. “You should not install apps that are not familiar to you – ones that you have not investigated.”
“Be sure that your apps are not still running in the background when you’re not using them.”