
How apps track your location without asking for permission - zhongjiewu
http://blog.trustlook.com/2015/06/02/how-apps-tracking-your-location-without-asking-for-permission/
======
haywardsmyfault
Very real issue to consider as we all try to guide Android's imminent
permission system update (Make noise and open issues!)

Is accessing nearby BSSIDs available in a similar fashion on iOS? A quick look
reveals:
[https://developer.apple.com/library/ios/documentation/System...](https://developer.apple.com/library/ios/documentation/SystemConfiguration/Reference/CaptiveNetworkRef/index.html#//apple_ref/c/func/CNCopyCurrentNetworkInfo)

~~~
eyesee
On iOS you can only access the information of the SSID you are connected to,
not a list of nearby networks.

~~~
Someone1234
Android has a lot of information leaks. I hate to keep beating this dead
horse, but as of last year Google gives every app you install access to your
cellphone number without them needing to ask for an extra permission
(READ_PHONE_STATE is now a freebie as far as the app store is concerned, it
isn't listed, in fact it will say "no special permissions" if READ_PHONE_STATE
alone is in the manifest).

I honestly think Android's permission system is a joke, and a sceptical Google
will fix the majority of the information leaks with this up-coming update.

PS - It is "interesting" that getting your google account address requires a
special permission on Android, but getting your phone number does not. Wonder
why that is? IMEI too.

~~~
haywardsmyfault
Actually as of the Android M preview you can get the user email address
without any permission guarding.

This is because GET_ACCOUNTS is under PROTECTION_NORMAL, and so it is
automatically granted at install time.

~~~
Someone1234
Ouch, that's certainly a step on the wrong direction. I guess they get points
for consistency, but they're being consistently bad.

~~~
mst
If they've found that users almost always say yes to it, that might be the
correct choice for being consistently usable even if you (and I) dislike that
choice.

~~~
JadeNB
Enabled-by-default is a defensible choice (even if we don't like it), but it
sounds like this is un-disableable, which I think is not defensible.

------
jimrandomh
I tried their proof of concept app on CyanogenMod. Its PrivacyGuard was not
fooled at all; it described the app as asking for Location permission, and it
blocked access to the list of wifi access points unless that permission was
granted.

------
hex1337
I wonder if this is a corner case of Google Play policy. Stealing privacy is
forbidden on GP, but nearby wifi AP should be considered as a public
accessible info.

~~~
redwards510
Since nearby APs indicate where you are, I'd argue that IS private
information.

------
XJOKOLAT
It just gets worse. Can someone with more knowledge than I please give an
opinion:

Does the iphone or cyanogenmod do this?

Are there any alternative phones/OS's which don't share your data?

Thanks,

------
ignoramous
I am surprised that this is even news to people. Fire OS uses Wi-fi to set
timezones (which means, by just knowing the BSSIDs, Amazon can pin point your
location). Similarly, IP Addresses, if you have tolerance for error, can
pretty much help you gauge (coarse) location as well.

It goes without saying that the OHA-Android [0] is a data mine for Google
already. With M, they're really upping that game [1]. Far worser things to
worry about.

[0] [http://arstechnica.com/gadgets/2013/10/googles-iron-grip-
on-...](http://arstechnica.com/gadgets/2013/10/googles-iron-grip-on-android-
controlling-open-source-by-any-means-necessary/)

[1]
[http://www.computerworld.com/article/2931084/android/google-...](http://www.computerworld.com/article/2931084/android/google-
now-on-tap.html)

------
magicalist
> _Note that these metrics are accessible even with system wifi and location
> disabled_

Can someone explain this? It doesn't seem to make sense that with wifi
disabled this would be possible (and the code they link to specifically has a
fall through if wifi is disabled). Maybe something just got jumbled up in
their explanation.

~~~
tarentel
According to the paper:

"the Android OS by default performs WiFi scans in the intervals of tens of
seconds, even when the WiFi is turned off; the setting to disable background
scanning when WiFi is off is buried in the advanced settings."

It looks like you can stop this from happening when the WiFi is off it just
requires an extra step. I don't have an Android device so I can't really
verify this.

~~~
click170
The option you are looking for is called "Keep Wi-Fi on during sleep" and it
can be found under Settings -> Wifi -> Advanced on Android 4.3. This is the
only device I can test with.

I advise turning it off unless you _need_ it to be on, not only for privacy
reasons but for battery life. I noticed an increase in battery life by turning
that feature off.

~~~
harmarsupercar
On a Samsung Galaxy S5 running Lollipop (5.01?) it's under Wifi -> Advanced ->
Always Allow Scanning.

With this turned off and GPS turned on (ie, not using Wifi to determine
locations) I get a terrible reduction in battery life because all locations
are done finely with the GPS chip. With all location services disabled I get
much better battery life.

------
yincrash
Basically doing what the coarse location provider does anyways, which is
corollate visible APs on the device with a db of mapped APs.

Yes, it's possible, but constantly scanning for APs will have the side effect
of an app draining battery even faster than if it used the phone's location
service.

~~~
halviti
During the Android setup process it asks you if you want to enable this
feature and has a side note that these scans are specifically to save battery
life because they take much less energy than typical location services.

~~~
yincrash
Yes, wifi scan location takes less power than GPS location. Rolling your own
wifi location service in an app will take more power than the framework's
service, however, and it will almost certainly be less optimized.

------
jpmonette
So what is that tool name mapping the BSSIDs on a Google Map?
[http://blog.trustlook.com/wp-
content/uploads/2015/06/Screen-...](http://blog.trustlook.com/wp-
content/uploads/2015/06/Screen-Shot-2015-06-02-at-6.13.30-PM-1024x474.png)

------
hitlin37
may be they fix it as a new feature after Google M.

------
izacus
The original title of the article is "How apps track your location without
asking for permission".

Reading the article to the end:

>> The same method also applies to iOS, which has greater user location data
privacy protection. Nonetheless, iOS still allows acquiring the current
connected wifi BSSID. A user can deny the location requests on an iOS device
at will. However, an app using wifi BSSID can still get a user’s static
location without asking.

So singling out Android in HN submission title is grossly misleading.
Especially since reading this comments shows that people don't read the
articles posted -_-

~~~
the-dude
> So singling out Android in HN submission title is grossly > misleading.
> Especially since reading this comments shows > that people don't read the
> articles posted -_-

I have always considered HN the 'new Slashdot'

