It makes sense to allow certain apps to access your location data, and sharing that information even with apps that may not need it may not seem like a big deal. However, researchers have discovered that many apps access location data in an insecure way that could allow a hacker to track down or identify you.
I wrote a blog post on the risks posed by location data on insecure mobile apps:
It seems like just about every mobile app you install these days requests access to your location data. Most seem to have some valid use for that information, and sharing location information makes the app more useful, so why not? Even though you may not be worried about sharing your location with the app, a presentation at Shmoocon this weekend will demonstrate how poor coding in mobile apps could expose your location to anyone.
Colby Moore, a security research engineer with Synack, and Patrick Wardle, director of research for Synack, are scheduled to present a session titled There’s Waldo! Tracking Users via Mobile Apps on Saturday at noon. The abstract for the session claims that the Synack researchers were able to track and pinpoint the locations of tens of thousands of users. They were able to detect location in real-time, as well as uncover patterns and schedules and, in some cases, even determine the exact identity of the user.
Much of the research revolves around the Grindr app—a dating app used by gay and bisexual men to meet other interested parties. Synack shared the concerning issues with Grindr but, as my peer Steve Ragan wrote in September of last year, nothing was done to correct the issue until it was discovered that authorities in Egypt were leveraging the flaw to enforce anti-gay laws.
The Synack researchers plan to talk about common classes of geolocation bugs and illustrate how developers often use location data in an insecure manner. Some geolocation APIs default to the highest level of accuracy, enabling them to reveal the precise location of the device.
Check out the complete post on CSOOnline: Location tracking on mobile devices is putting users at risk.