Android apps can be manipulated to access built-in sensors in smartphones and track your whereabouts and traffic patterns, without your knowledge or consent, a new study has warned. Researchers from Northeastern University in the US built an Android app and tested it.
Their system uses an algorithm that inserts data from the phone’s built-in sensors into graphs of the world’s roads. The researchers applied the algorithm to various simulated and real road trips.
For each trip, the system then generated the five most likely paths taken. The results showed that there was a 50 per cent chance that the actual path taken was one of the five. “For USD 25, anyone can put an app on Google Play, the store for Android apps. Some of them may be malicious – no one is screening them,” said Guevara Noubir, professor at Northeastern University.
If an Android app wants to access sensitive user information, such as location, it must let the user know. However, permission for such access is often buried in terms-of-use agreements – the small print that many users do not read – or comes up after the app is downloaded, when access to that information kicks into gear.
Android apps present further privacy risks because they automatically have access to key sensors inside the phone that detect the device’s location, movements and orientation. Together these sensors can provide clues to everything from the route you take to work to whether you carry your phone in your pocket (the phone is relatively stable) or your purse (it swings).
“In our research we show that an app in fact does not need your GPS or Wi-Fi to track you,” said Noubir. “Just using these sensors, which do not require permissions, we can infer where you live, where you have been, where you are going,” he said.
To gauge the effectiveness of the system, the researchers conducted two types of tests. They simulated drives in 11 cities around the world including Berlin, London, Rome, Boston, and Atlanta.
They also got behind the wheel themselves, driving for 1,000 kilometres over more than 70 different routes in Boston and Waltham, Massachusetts. In both tests they collected scores of measurements derived from the phones’ changing positions, including the angles of turns and the trajectory of curves.
“Inferring a driving pattern from an Android app can lead to much greater invasions of privacy, such as where the user lives and works,” said Noubir. Additional information can then be gleaned by searching town and city public databases, he said.
“You should not install apps that are not familiar to you – ones that you have not investigated,” said Noubir. “Be sure that your apps are not still running in the background when you’re not using them,” he suggested. He also advised uninstalling apps that are not used frequently.