Mobile Device Location Tracking, and Why It Matters

Throughout the past decade, there has been a substantial increase in mobile device usage. From smartphones to tablets, most individuals possess at least one. More and more people now have ready access to a substantial amount of data through mobile devices, particularly location finding services and applications. In addition to the data available to these devices, a large amount of potentially sensitive information is stored locally on the device itself. Contacts, SMS messages, website history, and location data is all information which can be used potentially both in a court of law and by criminals or unknown parties. It is important to understand who can access this information, and what steps can be taken to ensure that only authorized parties can access it.

One important piece of information stored on mobile devices is location data. Location services, often utilized in map/direction applications available on such devices, help users find nearby businesses and other areas of interest. Focusing on location-based data on mobile platforms, it is important to understand how this information is collected on these devices, as each method has it's own levels of precision. Location service information is typically obtained in three different ways—global positioning systems (GPS), cell tower triangulation and via Wi-Fi hotspots.

Initially designed for military use, GPS provides the most accurate positioning information at this time, and is equipped on most smartphone devices. Less accurate than GPS, cell tower triangulation utilizes information obtained from three or more cell towers in order to triangulate a user's location.

Skyhook Wireless originally developed the ability to track mobile devices via Wi-Fi hotspots; however, Google and Apple have also developed this technology. Wi-Fi hotspots tend to be stationary and can be used as a landmark by mobile devices; knowledge of where the mobile device is in relation to wireless hotspots provides for the ability to find an individual's location with a reasonable level of accuracy. As there are almost always more points of reference compared with the cell tower triangulation technique, the level of accuracy when using Wi-Fi hotspots will generally be more accurate.

When it comes to location services and tracking, the most important elements are the latitude and longitude value of a mobile device's current location. How this data is collected has recently been an issue of debate in the judicial system.

The main focus of debate stems from law enforcement's authority to obtain location information without a warrant. By requesting this data from cell phone providers without a warrant, it removes the need for a judge to review the circumstances and determine if it is justified, which can lead to abuse from law enforcement. Chief Judge Royce Lamberth of U.S District Court for the District of Columbia passed a ruling in October of 2011 that stated that prosecutors do not need a warrant in order to request cell phone location data. This decision overturned a ruling made by a magistrate judge in August, which outlined a need for a warrant in order to obtain an individual's cell phone location data.

Location services, as with any sensitive data, have the ability to be abused by third parties. There have been a number of cases of potential abuse, and a large coordinated effort by the American Civil Liberties Union (ACLU) was initiated in order to request details on requests for location information made by law enforcement (ACLU, 2011). In total, 381 requests were made in 32 states across the country with law enforcement agencies of various sizes. The requests are being made in order to determine precisely how these records were requested, and how this information was utilized. By making these inquiries, the ACLU may expose potential misuses of requests made by law enforcement. As the current policies surrounding these requests are often vague or non-existent, the ACLU hopes to provide more clarity around how law enforcement makes requests for individual's data, which will lead to the general public will have more information about how and why law enforcement can request access to their personal information.

Location data obtained from cell phone providers is not the only issue that has garnered attention recently. The storage of location data has become an increasing concern since April 2011. In this month, stored historical data was discovered by security researchers on both iPhone and Android devices. This information was being stored locally and at no time was Apple or Google viewing it. Although no sensitive information left these devices, it raised a concern about information being collected without user consent. Additionally, by storing the historical location data on the devices themselves, it could provide additional information in the event authorities ever had cause to search an individual's cell phone data. No longer would a request to the cell phone provider be required, as at least some of the historical information would be stored on the devices themselves. While this information is still available on Android devices, the iPhone platform was updated to reduce the size of data stored on the device, delete these files completely when location services are turned off, and encrypt this data on the device, which assists in limiting unauthorized access.

While legitimate requests to view current and historical location data of a user are primarily made by law enforcement, many cases exist where individuals or organizations are provided with this information, often without the user's knowledge. A study performed by The Wall Street Journal (The Wall Street Journal, 2010) of 101 applications available for the iPhone and Android platforms showed an alarming number of approved applications that send location data to the application owner or third parties. Where this location information is being stored, or how this information is being utilized, is unknown, as there is no enforcement surrounding this functionality after a user provides consent. The issue of data abuse in mobile applications is further inflated when mobile malware, or malicious applications running on mobile devices, is considered.

Malware targeting mobile devices, specifically on the Android platform, has risen exponentially in the past year. While there have been instances of malware on the iPhone and Windows platforms, Android's open marketplace, coupled with the user's ability to choose third-party marketplaces, has fostered a large number of malicious applications. The majority of these applications are often discovered on third-party sources; however, there have been instances of malicious applications being placed on the official market, and subsequently removed by Google. The most common way a mobile device becomes infected is when a user installs a malicious application. Malware will pose as a legitimate application in order to entice a user to download and install it. Installing applications from third-party markets, however, is not the only way to get infected. Simply navigating to the wrong website or plugging these devices into the wrong computer can also lead to a malicious application installation. One current trend seen in the wild at this time is when a user is asked to install a legitimate application, a malicious update is pushed out immediately afterwards. Once installed, these applications will often send SMS messages to premium-rate numbers, record phone calls, collect contact information and, in some cases, record location data as well. This information is then sent to the attackers, where it can be sold or used for illegal purposes.

Criminals can use location data on individuals in many ways. Knowing exactly when a person leaves their house, and when they are returning is a substantial help when planning a robbery. Alternatively, knowing the location of an individual will often reveal intimate details of their life, which can in some cases lead to other crimes, such as blackmail. These are but a few examples of the things for which criminals can use this information. As they say, knowledge is power, and in the wrong hands, there is a lot of power in the location data of one or more individuals.

In order to protect themselves from abuse concerning location data from unauthorized third parties, users should follow a number of best practices. Individuals are strongly encouraged to thoroughly review the permissions needed by any applications that are installed. Common sense will often provide the best guidance. For example, it is unlikely that a mobile game would need the ability to send SMS messages, look at an individual's contact list, or view location data. As malicious applications are one of the largest vectors of infection on mobile phones, thorough review should be performed before any software is installed. Additionally, users are encouraged to avoid viewing unknown or suspicious websites. Much like computers, websites can often be used as an avenue of attack against end-users. Security researcher Eric Monti demonstrated this in 2010, when he was able to successfully take full control over an iPhone via an exploit executed in a web page. A third precaution includes preventing physical access to a mobile device. Strong pin codes should be set in order to deter individuals with physical access to a mobile device from gaining access. Additionally, encryption or some form of remote wiping software can be used to prevent access to sensitive data on mobile device in the event that it is lost or stolen.

The strongest safeguards for sensitive data, including location data, should be put into place from a legal standpoint as well in order to avoid unauthorized use. As with all emerging technology, laws must catch up to ensure those who should not be accessing individual's personal information are prosecuted if found to be doing so. We've seen multiple ways that a person's location data may fall into the wrong hands, and each scenario presents a unique set of challenges. As cooperation between those who work in the information security industry and those who work in the judicial system continues to increase, the gap between evolving technology and the laws that govern it will begin to decrease.

Citations

ACLU. (2011, October 14). ACLU - American Civil Liberties Union. Retrieved November 2, 2011, from Cell Phone Location Tracking Public Records Request: http://www.aclu.org/protecting-civil-liberties-digital-age/cell-phone-location-tracking-public-records-request

The Wall Street Journal. (2010, December 18). The Wall Street Journal. Retrieved November 2, 2011, from What They Know - Mobile: http://blogs.wsj.com/wtk-mobile/

United States District Court For The District of Columbia. (2011, October 3). Memorandum and Order. Retrieved November 2, 2011, from http://legaltimes.typepad.com/files/lamberth_ruling.pdf

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.