If you have an Android device, it is possible your every move is being tracked right now, even if you've never given your apps permission to do so.
Your phone could be secretly telling a company about your drive to the office, the trail you run on during lunch, and your final trip of the day to the driveway at home.
A new study shows how this is happening and the reason it is possible.
Professor Guevara Noubir, at Northeastern University in Boston, says Android apps can automatically communicate with sensors inside your phone that detect the phone's orientation, movement, and location. No opt-in required.
“In our research we show that an app in fact does not need your GPS or Wi-Fi to track you,” says Noubir. “Just using these sensors, which do not require permissions, we can infer where you live, where you have been, where you are going.”
Professor Noubir and his team did this study in the real world by creating an Android app that did actual tracking around Boston and other parts of Massachusetts. The team also simulated drives in nearly a dozen cities around the world, where they were actually able to infer a driving pattern.
Noubir told SecureWorld this is why the findings and research matter: "These attacks are part of a larger theme of what is called side-channel attacks. Such attacks escape the security models considered by secure systems designers. Our goal is to understand their potential, and mitigate them before they are exploited. We are currently developing a framework to limit the potential of such attacks."
And what about iOS apps? SecureWorld asked whether they face a risk of side-channel attacks as well. "Both platforms are potentially vulnerable to such attacks, and we are currently collaborating with Google researchers to better understand and mitigate these attacks," Noubir said.
How many apps are secretly tracking your movements? Great question. And that is what the researchers plan to tackle next.
The SecureWorld team will let you know what they find.
Want to get technical? Here is the PDF of the actual study relating to Android app privacy and the "Zero-Permission Mobile Sensors."