More than 100 mobile apps leak users' location regardless of whether they opt to keep the information private, according to researchers.
Power consumption data is the source of the leaks, which make it possible to determine users' whereabouts with 90 percent accuracy.
A quartet from Stanford University and Israeli defence contractor Rafael developed an app called PowerSpy to demonstrate the leak.
“Modern mobile platforms like Android enable applications to read aggregate power usage on the phone … We show that by simply reading the phone’s aggregate power consumption over a period of a few minutes an application can learn information about the user’s location,” the team wrote in the paper PowerSpy: Location Tracking using Mobile Device Power Analysis (PDF).
“Aggregate phone power consumption data is extremely noisy due to the multitude of components and applications simultaneously consuming power.
“Nevertheless, we show that by using machine learning techniques, the phone’s location can be inferred.”
Power consumption increases the further a user is from a base station and the more objects are in the line of sight between the two.
If an attacker has a general idea where their target is they can track them by plotting these variations, the boffins say.
The major limitation to such probes is that attackers would need to have first travelled routes to build a profile of what consumption looks like, a feat which the boffins completed by cruising around California's Bay Area and Haifa, Israel.
Machine learning techniques showed that the team's custom algorithm could see through the significant variables in power consumption such as phone calls and the use of other apps to achieve accurate tracking.
“Intuitively, the reason why all this noise does not mislead our algorithms is that the noise is not correlated with the phone’s location. Therefore, a sufficiently long power measurement [of] several minutes enables the learning algorithm to 'see' through the noise,” they said.
The work covers the ability to determine routes, track in real time, and handle interference, and does not rely on access to restricted data or other secondary attacks.
Victims need only install an attacker's app, in this case PowerSpy, that had benign access to network connectivity and battery consumption.
PowerSpy pulls signal strength, voltage, current, GPS coordinates, temperature, state of discharge (battery level) and cell identifier during experiments using Nexus 4 mobile devices chosen for its popularity.
The boffins, Yan Michalevsky; Dan Boneh; Aaron Schulman, and Gabi Nakibly said their attacks could be made more effective with time.
They said power consumption information should be considered as risky as other location information and that apps should be put through a security test before having access to it. ®