Research from the Indian Institute of Technology (IIT) Delhi has raised concerns about mobile applications that request location access, indicating they may inadvertently disclose critical private information. This study was published in the journal ACM Transactions on Sensor Networks and highlighted a system known as AndroCon, which demonstrates the potential risks associated with “fine-grained” GPS data accessible to Android apps.
The researchers revealed that by utilizing precise location permissions, AndroCon can act as a covert sensor, capable of interpreting various low-level GPS parameters. These include factors such as Doppler shift, signal power, and multipath interference, which can provide insights into users” activities and environments without the need for cameras, microphones, or motion sensors.
According to the findings, AndroCon can determine whether a person is sitting, standing, or lying down, and can even identify their location, whether it be inside a metro, on an airplane, in a park, or in a crowded outdoor setting. Additionally, it has the ability to assess the density of individuals in a room, indicating whether it is crowded or empty. This research was led by Soham Nag, a Master of Technology student at the Centre of Excellence in Cyber Systems and Information Assurance at IIT Delhi.
The study showcased that AndroCon achieved remarkable accuracy rates, with up to 99 percent precision in recognizing surroundings and over 87 percent in identifying human activities, including subtle actions like hand-waving near the device. Prof. Smruti R. Sarangi from the Computer Science and Engineering Department noted that the system combines traditional signal processing techniques with modern machine learning approaches.
Moreover, the framework can also create indoor floor maps by identifying rooms, staircases, and elevators, maintaining a margin of error of less than four meters using only GPS data and user movement patterns. While the potential for innovative, context-aware services exists, the study emphasizes a significant security vulnerability: any Android application with precise location access could infer sensitive contextual information without the user”s explicit consent.
“This study reveals an unseen side of GPS: a powerful but silent channel that can sense the world around us,” said Sarangi. “AndroCon transforms a common smartphone into an unexpectedly precise scientific instrument, reminding us that even well-known technologies may harbor hidden secrets that could be exploited by malicious actors.”
In light of these findings, users are advised to be cautious about granting location permissions to mobile applications to protect their privacy.
