User Beware: Your Smartphone Is Tracking Your Every Move

Every breath you take and every move you make

Every bond you break, every step you take, I'll be watching you

Every single day and every word you say

Every game you play, every night you stay, I'll be watching you…

 

In 1983, when the band The Police released the hit song, Every Breath You Take,  I am sure they had no idea its lyrics would so aptly describe how smartphones can be used today. From services to apps, users of smartphones are unwittingly consenting to being tracked in real-time by a multitude of companies for the purposes of providing “requested features, integrations, user experience improvements,” and many other laudable-sounding reasons. What is not known by many users is that detailed information on their precise location and activity is being beaconed out by their phone and collected, shared, and sold to numerous organizations that aggregate these data sources with others to build a user profile that would make spy agencies and repressive governments green with envy.

The necessity and utility of smartphones is unarguable in today’s society. This article is not intended to suggest that individuals discard them. Instead, its purpose is to provide some insight into the unintended privacy and security implications of using smartphones. In addition, the recommendations detailing steps to limit what personal information is shared are not meant to be comprehensive; they only provide some level of awareness and control. Unfortunately, you can implement all of the suggested security and privacy controls listed below and still be tracked with full fidelity.

While this article is focused on smartphone data trails, all sorts of other devices, such as your vehicle’s entertainment system, your fitness tracking device, smartwatch, and just about any other device that emanates a network signal – including cellular, Wi-Fi, Bluetooth, and near-field communications (NFC) – can be used to track your location and other identifying information. In the case of a smartphone, all of these network signals could be compiled to essentially publish a diary of your daily activities for the world to read.

Below are some tips for mitigating smartphone security and privacy risks.

1. Physical Security and Access: Smartphones are easy to lose and just as easy to steal, so it it important to start with physical security. Make sure you keep your smartphone in sight or secured at all times and protect its contents by implementing a screen lock that requires a passcode, fingerprint, or face ID for access. If your unlocked device is stolen, that individual now has the keys to your kingdom.

2. Beaconing Services: Upon powering on your phone, one of the first things it does is register itself with the nearest cellular tower. Since most people need the cellular network for voice and data communications, it may not be practical to turn off cellular access. And, even if you did, your phone would still send out beacons if Wi-Fi or Bluetooth are enabled. To shut down beaconing services, consider enabling airplane/flight mode. You will still be able to play music and look at data already stored on your device, but you – and your device – will not be able to communicate wirelessly.

Near-field communications (NFC) is used for various payment services. For example, NFC is used for Apple Pay on an iPhone. If you do not setup Apple Pay, then NFC will not be activated; however, there is no way to deactivate NFC on an Apple device if Apple Pay is set up. For Android phones, NFC can be disabled in the Settings -> Connected Devices -> Connection Preferences screen.

3. Location Services: Mapping apps on your smartphone have all but eliminated the need for paper maps or stopping to ask a stranger for directions. Google Maps, Apple Maps, Waze, and other mapping apps use the GPS service on your phone to identify your location and provide directions to your destination of choice. It makes sense to enable location services for mapping apps, but there are numerous apps that have no need to know your location but still request access. If your free flashlight application requires location services, then you must really be lost. Similarly, 2+2=4 regardless of where you are, so calculator apps do not need access to your GPS. Even weather apps do not need to use the GPS on your phone, and users simply need to type in the location of where they want to know the weather. Many of these apps – the free ones in particular – request excessive, unnecessary permissions in order to sell the data they collect from you, including your location data.

Apple and Google provide a number of options that allow users to control location settings and which apps have access to them. Smartphone owners are advised to review their phone’s location settings and only enable them as necessary for use by applications that you approve. Location Services settings for iPhone can be managed from the Settings -> Privacy -> Location Services screen. For Android devices, swipe down on your screen and tap the location icon to configure your device’s location services.

              

Apple Location Settings                           Android Location Settings

4. Apps: Prior to downloading and installing an app, conduct some research. If the app is storing sensitive data, is it encrypted in transit and at rest? Many app makers include privacy policies that are so obtuse and confounding that reading them provides no insight whatsoever into what they are doing with your data. At the very least, make sure they have a policy and try to obtain some more information on how they treat your data. Read reviews and search for complaints made against the company or data beaches it may have suffered. It is ironic that the genius of Steve Jobs was to make the iPhone so intuitive and simple that anyone could use it, yet the privacy policies and terms of service for using an iPhone and its apps are anything but simple and intuitive.

Once an app is installed, review the privacy settings on your phone to control what it can access.  Does the app need to access your contacts, calendar, or photos? Configure privacy settings as appropriate. Apple and Google continue to implement privacy restrictions for apps they allow into their app stores, and keep your apps up to date.

Paranoia or Real Threat TikTok is a very popular short-form video sharing/social networking app that is also at the center of ongoing security and privacy controversy due to the fact that it is owned by the Chinese technology company, ByteDance. As a registered Chinese company, ByteDance is required to fully cooperate with the Chinese government. As such, there are national security concerns about user data the Chinese government might require ByteDance to provide.  Analysis of various versions of TikTok have been found to collect the keystrokes of users, make screen captures every few seconds, access data from the phone’s clipboard, and collect the unique Media Access Control (MAC) address of the device, among other user information.  That data may include your passwords and other sensitive information you enter or access – not only into TikTok app, but also all the other apps you use on your device, e.g. email, text messages, eHealth apps, etc. Due to these issues and ByteDance’s ties to the Chinese government, the US Department of Defense, various federal agencies, corporations, and governments around the world have banned TikTok from being installed on their devices. To be fair, TikTok is not alone in collecting user data. Many apps do, and while those app makers may not provide that data directly to the Chinese government or other regimes that pose national security risks, those governments may ultimately obtain that data through intermediary companies and brokers. Users and organizations must be aware of these risks before installing apps on their phones. Earlier this month, President Trump issued an Executive Order requiring China's ByteDance to divest ownership of its United States assets. In addition, ByteDance is required to destroy all of its copies of TikTok data attached to United States users and inform the Committee on Foreign Investment in the United States (CFIUS) when it has destroyed the data. ByteDance is challenging the order in court.

5. Software Development Kits (SDKs): There are millions of mobile apps in the Apple App Store and Google Play, and the vast majority of them use third-party code libraries, Application Program Interfaces (APIs), and SDKs to facilitate the creation of an app without having to write every line of code from scratch. SDKs allow app developers to easily add features and functionality to the apps they are developing. Yelp and Uber, for example, use SDKs from Google Maps to provide mapping functionality. Some apps will allow you to login using your Facebook or Google credentials, functions made available by SDKs from Facebook and Google, respectively. Apple and Google also provide app developers with SDKs that allow them to take advantage of their respective smartphone operating systems or add features such as machine learning, artificial intelligence, etc. For app developers - why reinvent the wheel?

Many app users are unaware of the fact that apps may also be sharing your user information – location and activity – with the SDK providers and others. It is not only the users who do not know what information is being shared and with whom, but sometimes, the app developers do not even know.

As the COVID-19 pandemic took hold across the United States, Tectonix Geo produced an animated video tracking the smartphones of spring break revelers after they left Fort Lauderdale. The location tracking data Tectonix Geo used to create the visualization was obtained from Xmode.io, a company that provides app developers with a location SDK. Xmode also collects and then sells the location data to advertisers. The resultant video is interesting; however, the fact that these users were unknowingly being tracked is highly concerning.

Screenshot of Tectonix Geo Spring Break Video

Xmode is not alone. A quick internet search for location SDKs will result in pages of search results for different companies that provide these services. Location SDKs are in thousands of apps, unbeknownst to their users. In real estate, "location, location, location" defines the value of a property; likewise, in user data, location equals value.

The product being sold is you – your location data. Apple and Google continue to refine the controls within their operating systems to limit what user data SDKs collect and share; however, until strong privacy laws reel in the mobile app ecosystem, SDKs will continue to be an issue.

Note: As this article was being written, the cybersecurity company, Snyk reported that it found malicious code hidden inside the iOS SDK of Mintegral, a Chinese-based advertising platform.

6. Ad Tracking: On desktop and laptop browsers, website administrators use cookies to personalize your user experience. Cookies are also used to track your browsing activity and serve advertisements. However, on smartphones, cookies are not as effective, so companies use your device’s Mobile Advertising Identifier to serve you personalized ads. The Mobile Advertising Identifier is a unique identifier used to identify and target mobile phone users. The ID does not contain personal details about you such as your name or address; it identifies your phone and, based on your app usage, activity, or location, will send relevant advertisements to your device. One reason apps are available for free or at low cost is because they are supported by ads. If you ever wondered why you are seeing advertisements for new cars after visiting an automobile dealership, it is because your phone and the advertisers know what you have searched.

 

You can disable ad tracking in both Apple and Android devices.

 

For Apple IOS devices, toggle on the “Limit Ad Tracking” setting under Settings -> Privacy -> Advertisements. By doing so, the “Limit Ad Tracking” setting will be enabled for all Apple devices tied to your Apple ID. Keep in mind, this setting only limits ad tracking. Based on your usage and activity, you may still see some targeted ads. If you prefer to allow ad tracking, you may want to consider resetting your device’s Advertising Identifier periodically to make it more difficult for advertisers to target you. More information about limiting ad tracking on Apple devices can be found here.

Apple Ad Tracking Settings

For Android devices, disabling ad tracking is a similar process. Toggle the “Opt out of Ads Personalization” setting that can be found under Settings -> Google Settings -> Ads. From the same screen, you can reset your device’s Advertising ID.

Android Ad Tracking Settings

Some ad tracking companies have also provided users with the ability to opt out of having their information included in their databases.

7. Browser Settings: Your mobile device browser activity also provides advertisers, data brokers, and others with a treasure trove of information about you. The Apple Safari and Google Chrome browsers included with Apple and Google devices, respectively, provide users with a number of settings to help manage your privacy.

To adjust the privacy and security settings in Safari, navigate to Settings -> Safari and toggle on/off the setting as appropriate. 

• Prevent cross-site tracking: Toggling this setting will prevent sites from tracking where you go and what you look at when visiting other sites.
• Block all cookies: Cookies are created when you visit a site and can be helpful in personalizing your user experience, but they also may be used to collect information on you and serve advertisements. Blocking all cookies will also prevent cross-site tracking; however, it may also result in a less than acceptable user experience especially for sites you visit frequently.
• Clear Browsing History

Additional information on Safari browser privacy settings can be found here.

Safari Settings

 

On an Android device, open the Chrome browser and tap the icon containing three vertical dots and select Settings -> Privacy from the menu. Toggle the “Do Not Track” switch to prevent tracking across sites and consider clearing your browsing history. More information on Chrome’s privacy settings can be found here.

Chrome Settings

 

Conclusion:

Disabling location services, managing your mobile apps, limiting ad tracking, and enabling privacy settings in your device’s browser will help mitigate the risks of being tracked or having personal information exposed, but they will not eliminate these risks. Following these recommendations may also result in diminishing the utility and functionality you expect from your smartphone. While this article has focused on many of the abuses of location tracking, there are valid reasons for organizations to collect and track users’ locations. For example, during the COVID-19 pandemic, location tracking can be used to help prevent the spread of the virus.

Monetizing user information through advertisements is a successful business model that has worked for companies like Google, Facebook, and many others in the internet technologies industry, but with it comes the potential for privacy abuses. With the plethora of user information collected through mobile devices, nations that do not respect user privacy, terrorist groups, and others with nefarious intentions may develop apps that seemingly provide functionality, recreation, or other user value, but in reality, act as a front for gathering intelligence to further their illicit activities. While you may not pay for a mobile service or application, it will often cost you in the form of your personal user data.

Further Reading:

The following selected resources provide readers with additional information on mobile device location privacy concerns and some risk mitigation strategies:

• New York Times: One Nation, Tracked - An Investigation Into the Smart Phone Tracking Industry
• Vox: The hidden trackers in your phone, explained
  Wall Street Journal: Your Location Data Is Being Sold—Often Without Your Knowledge
  Vice: I Gave a Bounty Hunter $300. Then He Located Our Phone
• National Security Agency: Limiting Location Data Exposure
• New York Times: How Your Phone Is Used to Track You, and What You Can Do About It
• Computerworld: How to Stay as Private as Possible on Apple’s iPad and iPhone
• Digital Trends: How to Improve Your Android Privacy
• CNET: 7 security tips to keep people and apps from stealing your data