Privacy Invasion – These Apps Know Where You Live (Literally)

Published on May 8, 2015

There are lot of things about apps that we all take at face value. We allow our apps permissions - ability to access contacts, turning on location services - in order to let them work the way they're supposed to.

Most of the time, it makes sense. Obviously apps like maps and weather apps function best when they know where we are. We are willing to sacrifice a bit of privacy for these functions.

However, Wired recently detailed the hidden danger behind allowing apps to "ping" our location. Specifically, Carnegie Mellon took a deeper look at just how many times these apps tap into our locational information. The answer? In this study, Thousands - 5,398 location pings in 14 days, to be exact.

Is "Location Pinging" Justified?

Frequency and volume alone aren't the main concerns, as a navigation app would justifiably have direct need for that information. Apps like Facebook and Groupon, however, enter into shadier territory.

This study targets Groupon as a frequent pinger, requesting location information 1,000 times over a 2 week period for a specific participant. Groupon's Bill Roberts maintains that this data is indeed justified, as it allows them to deliver the best location-based deals for their goods and services, and doesn't share the data with third parties.

“We access a user’s location, when permitted, in order to show our customers the most pertinent deals near them. We do not share individual location data … On Android, you opt-in to location tracking when you download the app. On iOS, this is done on the device when you first attempt to use location.”

On the surface level, we get the usefulness of location pinging for Groupon. But on a 70 times-per-day frequency?

Groupon isn't alone. Even flashlight apps are requesting permission to access your location information without any justification whatsoever. As Wired aptly notes, some of these apps are able to access enough locational information about you to plot your daily routine on a map.

How Apps Capitalize on Location Pinging

The simple truth of the matter is, location pinging isn't just being used for straight functionality or improvement of user service. It is being used for profit.

Mobile ad networks seem to be a common source for location pinging, according to Jason Hong, head of CHIMPS Lab (Computer Human Interaction: Mobility Privacy Security) at Carnegie Mellon. Apps DO, in fact, sell your location information to third-party services so that they can develop location-based ads tailored for you.

App "Privacy Grades" by CHIMPS Lab

From this information, CHIMPS Lab has develop a grading system - A+ to D - based on privacy practices of Android apps. They use a combination of crowdsourcing and code analysis for the ranking system. Here are some common apps which have received "D"s:

  • Words With Friends
  • Jetpack Joyride
  • Fruit Ninja Free

The "D" ranking goes to apps that ask to do too much in addition to pinpointing your location, like writing to your phones USB storage, sending texts, acquiring microphone data, contact list data, and others.

Why Do Apps Perform This Privacy-Offending Behavior?

The reasoning behind these sketchy practices is quite simple: offer the app for "free" while capitalizing on advertisements. It is a practical way to garner downloads and receive compensation for the app itself.

Apps generally hook in to pre-existing advertising networks, according to Hong. They use advertisement code generated and circulated from other websites (like the Facebook ad library or the Twitter ad library). It's easy for developers. So easy, in fact, that many developers aren't aware how shady their app's behavior can be to accommodate for these features:

“Facebook has a library to access the Facebook services, Twitter has one, advertisers have one, and so forth," states Hong. "It makes it really easy to reuse other people’s code. A lot of these apps, the privacy problems usually aren’t with the app itself but often with the libraries. It’s usually the advertising library that’s trying to get your location data.”

Reclaiming Your Privacy Control

There is no one simple solution for taking back your mobile permissions. Choosing non-invasive apps and deleting particularly aggressive apps is certainly a start, and really the only foolproof avenue we have available at the moment.

Download and give out your permissions with caution. Understand the risks, particularly with free apps. When an app is allowed function without location services, turn them off. Otherwise, it is a waiting game for us consumers to see when (and if) a better solution will arise.

Be sure to check out the original article from Wired for more information