Android Leaks Location Data Via Wi-Fi

Bismillah writes: The Preferred Network Offload feature in Android extends battery life, but it also leaks location data, according to the Electronic Frontier Foundation. What's more, the same flaw is found in Apple OS X and Windows 7. "This location history comes in the form of the names of wireless networks your phone has previously connected to. These frequently identify places you've been, including homes ('Tom’s Wi-Fi'), workplaces ('Company XYZ office net'), churches and political offices ('County Party HQ'), small businesses ('Toulouse Lautrec's house of ill-repute'), and travel destinations ('Tehran Airport wifi'). This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi."

Wrong title

[crashumbc]

Should be popular SMART PHONES leak WiFi data.

Sensationalist bullshit

Re:Wrong title

Academics have studied and quantified this problem a decade ago. Here's a paper from 2007.

We're just noticing it now since everyone has a smart phone. Funny how slow it takes for well known technology problems to come into popular consciousness sometimes.

Re:Wrong title

Popular huh, then good to know my Blackberry 10 device is not affected!

Not just Android

[AmiMoJo]

The sensational headline fails to mention that most operating systems, including OSX and Windows, are affect. In fact most wifi devices are and we have known about this problem since the early days of wifi.

I wish I had the time to mod the shit down before it hit the front page.

Re:Not just Android

[jrumney]

The headline also fails to mention that only manually configured networks are affected (or perhaps old versions of Android, I don't remember the details from the comments to the story about 6 months ago regarding the exact same "flaw" in iOS). This is why it is a BAD idea for security to turn off access point beacons - because if your access point is not sending out beacons to identify itself, then the clients need to send out connection requests blindly - wherever they are.

Re:Not just Android

Would be sweet if everybody stopped using "hidden" wifi. Since that needs this continuous broadcasting of the name by the clients.

Re:Not just Android

[Charliemopps]

The headline also fails to mention that only manually configured networks are affected (or perhaps old versions of Android, I don't remember the details from the comments to the story about 6 months ago regarding the exact same "flaw" in iOS). This is why it is a BAD idea for security to turn off access point beacons - because if your access point is not sending out beacons to identify itself, then the clients need to send out connection requests blindly - wherever they are.

That's only if the name is revealing. I called my "The NSA" so people that connect to it are broadcasting that everywhere. I have one neighbor that for some insane reason named his after his address. 123 Johnson road

Re:Not just Android

[Nutria]

I called my "The NSA"

How clever you must feel for sticking to The Man.

for some insane reason named his after his address.

Why is that insane?

Re:Not just Android

How clever you must feel for sticking to The Man.

Why so hostile?

Re:Not just Android

Why is that insane?

The clue's in the summary. You don't even have to read the article! It means that when the neighbour is out and about people know his address just by sniffing the traffic coming from his phone.

Re:Not just Android

[Electricity+Likes+Me]

That's not sticking to the man. That's making the hysterical NSA alarmists go nuts. So, quite the opposite.

Re:Not just Android

The headline also fails to mention that this particular bug is only being talked about because Google is submitting a patch to fix the issue.

Re:Not just Android

[jones_supa]

I have one neighbor that for some insane reason named his after his address. 123 Johnson road

He is just politely revealing who is the owner of the station. In this way it can also be seen as a responsible thing. If that particular station is causing some kind of problems to others, it is easy to contact the owner to discuss about it.

Re:Not just Android

[I'm+New+Around+Here]

for some insane reason named his after his address.

Why is that insane?

I don't know why either. My wifi is named after my wife's place of origin.

NABOO.

That's why we call our daughter Princess.

Re:Not just Android

[Dixie_Flatline]

It's marginally more relevant that Android does it. There are a lot more Android devices than portable Windows and OS X devices that actually move around. (That is, not even the full population of laptops is necessarily being moved from hotspot to hotspot; I know plenty of people that have laptops that stay at home and are just for portability around the house.)

Anyway, the headline is reasonably sensational, but not false, and the summary clarifies. I've seen a lot worse (bad headlines, worse summaries; etc.) pretty much everywhere that ever posts a headline.

Re:Not just Android

[itzly]

I have one neighbor that for some insane reason named his after his address. 123 Johnson road

Even worse, I have a neighbor who has his house number plainly visible right next to his front door, and the name of the street is clearly marked at the intersection. Total nutcase, if you ask me. Anybody who knows his address can just go and visit him.

Re:Not just Android

[yacc143]

It's insane because it distributes data that is unnecessary.

Depending upon how "hackable" the WLAN is, if an unauthorized person accesses it, it gives the first clue what to enter in all these address boxes online.

Ok, somebody mentioned being able to contact the responsible person if there is an issue. Now that kind of presumes that the typical operator of a home wifi spot knows how to fix the issue or even can fix the issue (it's incredible what kind of trash is being sold nowadays as a wifi router, and in some cases it's the ISP that provides you the router. These are usually even trashier than what users buy on their own).

Re:Not just Android

Do you wear a name tag with your address on it in public? Would you consider that a good idea? Same thing.

Re:Not just Android

[itzly]

Of course, with a directional antenna, it's pretty easy to find the street address of an access point.

Re:Not just Android

[Nutria]

Or with the signal bars and a bit of driving.

Re:Not just Android

[Imrik]

Well, not my address but the address of where I work. Also, it's called a security badge, not a name tag.

Re: Not just Android

They probably also have a mailbox outside their house that is TOTALLY UNSECURED.

Re:Not just Android

[penguinoid]

The sensational headline fails to mention that most operating systems, including OSX and Windows, are affected.

Since when is it sensationalist to understate the situation? I think the word you're looking for is "provocative", since most of the readers are android users.

Re: Not just Android

I'll bet tsomeone that stupid also has his house number affixed to his house in plain view.

Re: Not just Android

[Em+Adespoton]

To be a decent analogy, they'd need it affixed to something mobile, like their car, as well as to their house.

The point here is that the CLIENTS start broadcasting the string whenever they're not connected to Wifi. So his phone/laptop will be advertising where their owner lives whenever he's away from home with them.

If you still don't get it, it's like everyone in his family wearing a T-shirt that says "My home address is 123 Johnson Rd -- and if you're reading this, I'm probably not at home".

It makes burglary easy, and stalking as well.

Re:Not just Android

[SirJorgelOfBorgel]

Unfortunately, that just isn't true. The affected Android devices leak all known networks, not just the manually configured ones. Go ahead and test it.

Re:Not just Android

[SirJorgelOfBorgel]

Irrelevant - the issue on Android is not limited to hidden networks.

Re:Not just Android

[the_B0fh]

Are you really equating giving your work address and your home address out as the same thing?

Re: Not just Android

[the_B0fh]

Why does it take this much effort to explain to idiots why this is a bad idea?

Re: Not just Android

[philip.mather5551]

Having the name, logo, colors or even font branding (let alone address) of the company on a security pass is a complete fail. If you drop it and a bad person picks it up they can then tell where it will get them access to, this is catastrophic if it's RFID swipe pass for barriers/doors. The only marking that should be present on a security pass is a photo, no name, no barcodes, nothing but a color photo of the owner. Lanyards may, in low security applications be color coded to some function or other (temp, contractor or perm employee for example) but not relied upon.

Re: Not just Android

[stephanruby]

If you still don't get it, it's like everyone in his family wearing a T-shirt that says "My home address is 123 Johnson Rd -- and if you're reading this, I'm probably not at home".

You're making two assumptions here:
1. That everyone with a laptop lives alone. I don't, you insensitive clod. I live with my mother.
2. That everyone with a laptop lives at the actual location being broadcasted. For all you know, I could just have visited that location.
If you're worried about theft and stalking, you should be much more concerned about neighborhood/employer/school-required parking stickers. With these, one can easily guess the approximate locations where your car parks, and therefore where you might actually live/work/study (since those actually require a formal verification before being issued).

Re:Not just Android

[sumdumass]

Or with just the name of the ssid broadcast and a general geographic area.

You can use sites like wigle to search it out. If enough entries are put in, it prety much accurately trianglstes the location on the map. It has my old neiborhood down to withing a few feet of the apartments. A signal meter on a smart phone should get you to the front door.

I know of at least one reverse hacking incident (the hacker got hacked by its target while trying to penetrate a network) where the hacker was tracked down by reading the ssids availible on the wireless network and using a site like that to pinpoint a location.

Re:Not just Android

The headline also fails to mention that only manually configured networks are affected

Scans originating from wpa_supplicant running on the host only show scan_ssid=1 (manually configured) networks. The PNO scans affect all SSIDs. See posts #24-25:

http://forum.xda-developers.co...

Re:Not just Android

The sensationalist reply fails to mention how the main competing mobile operating system, iOS, are not affect.

Re: Not just Android

[exomondo]

If you still don't get it, it's like everyone in his family wearing a T-shirt that says "My home address is 123 Johnson Rd -- and if you're reading this, I'm probably not at home".

It makes burglary easy, and stalking as well.

No, not it isn't, it's saying "a phone in the vicinity has at some point connected to a network named 123 Johnson Rd which may or may not exist at that address". Even if it did exist at that address how does that make burglary easy? Tell me what your scenario is that makes this so much easier than just staking out a house until a person leaves.

The Axis of Evil aka. Big Brother aka. Five Eyes

say thanks. It's 2014 and engineers are still designing protocols like we're all friends who respect each others' privacy.

Noticed this before

[HalAtWork]

I've noticed this before but haven't been able to figure out how to delete it. I guess it has to do with the device searching for stored WiFi networks to establish a connection? Still annoying. According to the article, if you connect to hidden networks then you won't be able to get around this, unfortunately that's almost all the networks I connect to. Couldn't it just do a scan of nearby networks and look up the MAC address of the hidden networks, and, on a match, then try to establish a connection?

Re:Noticed this before

[jrumney]

Its the scan of nearby networks bit where it needs to send out the WiFi networks it wants to connect to. That's why making your SSID hidden is a security anti-pattern. Tell the owners of the networks you connect to to stop doing it - anyone nearby can see all the clients making requests to join your network, so it isn't adding any security in your near vicinity, and elsewhere, others can still see your clients trying to connect to your network wherever they are, because to connect to hidden networks you have to go out and proactively look for them.

Re: Noticed this before

[Splab]

Most devices are broadcasting known ssid regardless of the ap being hidden, there is quite an industry around sniffing this data.

Re:Noticed this before

[I'm+New+Around+Here]

Does is matter if the connection has encryption enabled? Or is the first exchange un-encrypted anyway?

Re:Noticed this before

Encrypted networks also transmit the SSID in the clear in management frames. A "hidden" network only removes the SSID from the beacon frames. Disabling "SSID broadcasts" will cause clients to broadcast the SSID in search of the network wherever they go. That is not news (although the clients could arguably be a little more clever about this). The news is that Android actively searches for networks which are not hidden and which could easily be found by passive listening.

Enough time to connect to Wi-Fi

[geogob]

"[...] because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi."

I though driving by an open hotspot on the highway was enough time to use it. At least they would know on which Highway I drove.

Re:Enough time to connect to Wi-Fi

[jrumney]

I though driving by an open hotspot on the highway was enough time to use it.

Only with 802.11p which allows data transfer without associating to the access point, and maybe the still under development 802.11ai, which aims to speed up the time required for association to under 100ms.

Except iOS after version 5 apparently

[glennrrr]

Also according to the article. Somehow iOS manages to have reasonable Wi-fi battery power without using this trick.

Re: Except iOS after version 5 apparently

[Splab]

iOS is still happily twirping your data, hence the mac change in iOS 8.

Re: Except iOS after version 5 apparently

[tlhIngan]

iOS is still happily twirping your data, hence the mac change in iOS 8.

No, that's solving a different problem, namely one of tracking. In sending probe frames (to find out what accesspoints are around) it uses a random MAC address in order to foil those MAC address sniffers they plant in malls and stores that are used to track people as they wander around.

FYI - Android does not have this feature (yet).

Re: Except iOS after version 5 apparently

> FYI - Android does not have this feature (yet).

Pry-Fi will do it, on a rooted phone.

Plainly stupid

How can this sensational headline make into slashdot home page?

Um, no, it doesn't

[theoriginalturtle]

No, it doesn't "show you've spent enough time to use the wifi." For fun, grab an Android app called WifiCollector. On a 200-mile drive through three Eastern states a few weeks ago, it sniffed out over a thousand WAPs (most of them not open). Anyone using that to imply I was actually at any of those locations long enough to use the wifi is probably just about smart enough to work in a government intelligence job.

Re:Um, no, it doesn't

Erm... it's not that. It is based on what wifi you have connected to, especially those that are configured with hidden SSID. Because it does not know whether the hidden SSID is there or not, it will attempt to connect to each of these.

What urks me is that this is not limited to Android. It is a "feature" of any wifi-capable device.

Re:Um, no, it doesn't

Urks = irks

Re:Um, no, it doesn't

[TheRealHocusLocus]

Urks = irks

We are the fighting Uruk-hai!
We slew the great warrior.
We took the prisoners.
We are the servants of Saruman the Wise, the White Hand:
the Hand that gives us man's-flesh to eat.
We came out of Isengard, and led you here,
and we shall lead you back by the way we choose.
I am Uglúk. I have spoken.

Default behavior, it's in the spec.

This is primarily to be able to access "hidden networks" (hidden SSIDs) - they are called Probe Request packets.

Although it is intended behavior and people who are aware of it can mitigate the problem, it is still very unknown to the general public, and I believe the behavior should be different. Fo sho.

Re:Default behavior, it's in the spec.

[yacc143]

Well, auto connect for encryption less wifis is a clear way to get MITM attacked.

But even with encryption the way Wifi work your device will broadcast all networks it tries to autoconnect. An most mobile devices that's equal to "known networks".

Laptops too?

[Lawrence_Bird]

So basically it sounds like anything using the wpa_supplicant code may do this? I can understand why it may be necessary for a hidden network, don't understand why the connecting party would ever transmit anything about past connections for public networks. Isn't SSID included in the beacon every 100ms or so?

Re:Laptops too?

[itzly]

In order to receive the beacons you would have to keep the receiver powered up for longer times, wasting battery.

Re:Laptops too?

Beacons are sent once every 100ms, i.e. 10 per second, by default. You don't have to have the receiver on for long, and sending uses much more power than receiving (you still have to do this on all channels and then listen for the response on each channel, so you're not even gaining anything there.)

Re:Laptops too?

[itzly]

100ms is the default, but longer periods are possible. And while the transmitter may take 5x as much power, it only needs to be on for 1 ms, so you're still saving power. The reply should come almost immediately (only microseconds of gap), so the receiver only needs to be on for a very short time, assuming there's no response.

Re:Laptops too?

[SirJorgelOfBorgel]

PNO is implemented in the Wi-Fi firmware, and generally only active if the main device CPU is asleep.

wpa_supplicant tells the Wi-Fi firmware which networks it is interested in, then when the main CPU sleeps, the Wi-Fi chip keeps scanning for those networks periodically, which takes less power than waking the main CPU periodically to do this. In PNO's scanning process, it broadcasts all the names. There's no technical reason this is needed aside from hidden SSIDs (and indeed non-PNO wpa_supplicant scans don't do this either). The PNO feature however doesn't make that distinction and broadcasts all the names instead of the hidden ones. From the sources I've read, it seems there's no way to tell the firmware to make a distinction between active (for hidden) and passive (for non-hidden) SSIDs.

So yes, in effect, anything based on wpa_supplicant and PNO may do this. However, this is not wpa_supplicant's fault per se, rather PNO's. I don't think my laptop bothers scanning for Wi-Fi networks when it's sleeping at all, or even supports PNO, but your mileage may vary on that. There's no rule saying PNO can only be used when the main CPU is asleep either, though that is what's built for. Your software could be using it all the time (unlikely, but possible).

Not the whole story..

The leaking of location data isn't even the whole story.

Vice did a decent documentary on this recently. See: https://www.youtube.com/watch?v=dysnKiXUlRU

Your phone will, by default, try to connect to a Wifi hotspot when it's in range. When it's previously connected to, and remembered an open Wifi network, it creates a security risk. It seems like what they're doing is probing for specific APs, rather than (or as well as) doing a channel scan without specifying the SSID (presumably for reasons of efficiency, thus saving battery life). This allows an in-range malicious user to listen for these probe requests, and then automatically spin up a Wifi hotspot with the same SSID as one of those open networks. Once you're connected, they can intercept any encrypted traffic, and perform MIM attacks. Scary stuff.

Re:Not the whole story..

Sorry, I meant to say unencrypted.

secret agent reporting in

[starsky51]

ok control, we've discovered that the suspect is called, or knows someone called, 'Tom', and that he once visited a McDonald's... maybe.

Why mention Android in the title?

[Threni]

"What's more, the same flaw is found in Apple OS X and Windows 7."

Clickbait, maybe?

Duh!

[pcjunky]

I think we kind of figured this already.

Just how is my phone "leaking" this information. I you get my phone then you may know where I have been but I am not going to give you my phone if I want to conceal this information.

Re:Duh!

[itzly]

The phone is broadcasting it over wifi.

Re:OMFG WHO IS SURPRISED BY THIS????

[Narcocide]

Wait... am I to determine by this rating that you WERE all surprised by this???!

Free Wifi

[AndyCanfield]

Here in Thailand / Laos I have recently seen massage parlor signs advertising "Free Wifi". You get in a room with a beautiful lady and she rubs her hands all over your body. Why would you want to check your e-mail? And certainly you would not "Exotic Massage" to show up in your wifi list. But remember that phones are like that. I manually checked my wife's call history to see if she had telephoned my girlfriend.

Re:Free Wifi

[tepples]

If by "wifi list" you mean the list of known SSIDs on a device, that can be solved by using your device's user switching and making some SSIDs private to one user. Unfortunately, Android doesn't seem to implement multi-user for devices with screens smaller than 7 inches, and I don't know whether known SSIDs are user-specific or system-wide.

If by "wifi list" you mean the topic of the article (a list collected by someone listening for probe requests for hidden SSIDs), an SSID will appear only if 1. it has a hidden SSID, and 2. your device sends probe requests automatically instead of manually, and 3. your device doesn't use cellular or GPS location to determine which SSIDs' probe requests to send.

Re:Free Wifi

If by "wife" you mean... awwnevermind.

Re:Free Wifi

Thanks for the idea. From now on, my mobile hotspot will be "Exotic Massage"

Re:Free Wifi

On busy nights the wait time can be a little long so I like to update my apps until my number is called.

Re:The Axis of Evil aka. Big Brother aka. Five Eye

[Nutria]

Except that this protocol was designed long ago.

Why does it broadcast *all* SSIDs?

[Nutria]

If this is for looking up hidden SSIDs, then why not ping looking for know-hidden SSIDs?

Re:Why does it broadcast *all* SSIDs?

[T-ice]

Because it's easier to De-auth 1 visible connected client, and listen to the probe requests as it tries to reconnect. I believe that's called SSID decloaking, or something like that. There are enough of the right tools to be able to do this automagically while driving down the road with a laptop and a gps dongle. If there isn't a tool that does all the magic, I'm know that a mix of them could easily make all the necessary output that could be put together after a 2 hour drive through town. People still make wardriving tools. But we have so much wifi now that most would be wardrivers don't make it past the driveway. Long story short, it's even easier than that.

Re:OMFG WHO IS SURPRISED BY THIS????

Why do people such as yourself call others "sheep"? Is it because the matrix is true and you are one of the few who took the correct coloured pill?

Does it make you seem superior to others that you are not a "sheep" yet somehow they are?

How to turn it off

On rooted Android, one can configure wpa_supplicant to _not_ "scan_ssid" globally but individually, for the hidden APs. Also, one can set the "bssid" of the access points he connects to. There was a need for a better interface a while ago...

Re:The Axis of Evil aka. Big Brother aka. Five Eye

That doesn't invalidate the point. Besides, the feature which leaks the information is relatively new, and it leaks more information than necessary, even when following the old protocol (as evidenced by a bugfix which stops Android from broadcasting SSIDs of networks which aren't "hidden".)

Droid does what iDon't: SSID spotting

[tepples]

For fun, grab an Android app called WifiCollector.

Or MozStumbler, from the makers of Firefox.

But if you're looking for something similar on iOS, you won't find anything on the App Store because there's no public API to log seen SSIDs on iOS. Instead of making a public API, Apple instead just decided to blacklist the entire category of applications in March 2010.

Churches provide free WIFI now?

Churches provide free WiFi now? So you have something to do during the sermon?

Probe requests should be manual

[tepples]

For the sake of the user's privacy, operating systems need to default to manually sending probe requests. If that isn't convenient enough, and the device has cellular or GPS sensors, then when the user turns on Wi-Fi, the device could briefly turn on cellular and GPS radios and trilaterate nearby towers and satellites in order to determine which SSID's probe request to send.

Re: Probe requests should be manual

[cbiltcliffe]

So, your solution to leaking location data by WiFi is to automatically turn on the potentially even more intrusive GPS locator?

Re: Probe requests should be manual

[tepples]

The article is about eavesdropping on probe requests that a device sends. In my proposal, a device would first listen for signals from GPS satellites to narrow the list of hidden SSIDs before determining which probe requests to send. Could you explain how using a GPS receiver to narrow down these probe requests would be "potentially even more intrusive"?

Re: Probe requests should be manual

GPS is completely passive (unless you use AGPS, but even then it doesn't leak a lot of information). You can use GPS without any network connection, and nobody will know. If you record and leak location information, that is not particular to GPS and can only be avoided by not using any location service at all.

Re: Probe requests should be manual

[cbiltcliffe]

The article is about eavesdropping on probe requests that a device sends. In my proposal, a device would first listen for signals from GPS satellites to narrow the list of hidden SSIDs before determining which probe requests to send. Could you explain how using a GPS receiver to narrow down these probe requests would be "potentially even more intrusive"?

Because way too many programs on Android request fine location permission. Yes, this is a problem with the programs themselves, but that's why I said "potentially." However, every time your phone turned on the GPS momentarily to determine location and therefore which probes to send, any or all of these programs, if installed, would be able to snag your exact location, and send it off to the developer on the next network connection.

Re: Probe requests should be manual

[cbiltcliffe]

GPS is completely passive (unless you use AGPS, but even then it doesn't leak a lot of information).

I know that.

You can use GPS without any network connection, and nobody will know.

This thread/discussion is about using GPS to figure out which network connection(s) to look for and connect to, so this statement, while true, is not even remotely applicable to the topic.

If you record and leak location information, that is not particular to GPS and can only be avoided by not using any location service at all.

Also true. However, most people have apps installed on their Android phone. Too many Android apps request fine location permission for no legitimate reason. I assume a lot of the free ones that display ads want location so they only display ads for brick and mortar businesses that are geographically relevant. Even for this, though, the coarse, network-based location service would be much more accurate than necessary.

See my response to your sibling post, as well.

This assumes ...

[PPH]

... that the names assigned to WiFi access points have any relationship to reality. Where I'm sitting, I can see 'MoeBalls', 'Hide Yo Kids, Hide Yo WiFi', 'Mac', 'Get off my LAN', 'It Hurts When IP', 'Bala Yoga', .....

Re:This assumes ...

[msauve]

This assumes that the names assigned to WiFi access points have any relationship to reality.

Do you get your coffee from the Urban Coffee Lounge or the Starbucks before going to Juanita Beach Park, there in Kirkland, WA?

Nope, no relation to reality whatsoever.

Re:This assumes ...

[PPH]

Oops. Didn't think Bala Yoga was a unique location. However, given the list without that, I wonder how well WiFi based location would work. That is: in either a residential neigborhood or near a Starbucks (which all have one of a few common AP names).

Re:This assumes ...

[msauve]

MoeBalls is more unique. But if you have enough SSIDs, the intersection of them can give a unique location even if each individual one can be found in many locations.

Google already snoops on Android locations for Ads

[recoiledsnake]

They actually track which stores you visit to monetize ads. If you opt out then a lot of things including Google Now stop working.

http://digiday.com/platforms/g...

They even do the same thing on iOS if you use Gmail, Chrome or Google Now apps.

It is easiest for Google to conduct this passive location tracking on Android users, since Google has embedded location tracking into the software. Once Android users opt in to location services, Google starts collecting their location data as continuously as technologically possible. (Its ability to do so is dependent on cell tower or Wi-Fi signal strength.)

Android is currently the leading mobile OS in the U.S. with a 45.9 percent market share in 2013, according to eMarketer. A little more than a fifth (20.3 percent) of the U.S. population uses Android smartphones.

But Google can also constantly track the location of iPhone users by way of Google apps for iOS, Apple’s mobile operating system. IOS is just behind Android in U.S. market share with 38.3 percent of users, per eMarketer. Nearly 17 percent of the American populace uses an iOS smartphone.

When an iPhone user stops using an app, it continues running “in the background.” The user might not realize it, but the app continues working, much in the same way tabs function on a Web browser.

Google’s namesake iOS app — commonly referred to as Google mobile search — continues collecting a user’s location information when it runs in the background. This information is then used to determine if that user visited a store and whether that store visit can be attributed to a search conducted in the app. Store visits can also be tracked via Google’s other iOS apps that use location services. If iOS users open their Chrome, Gmail or Google Maps app in a store, their location can be deemed a store visit.

And they recently stopped snooping on the free Google Apps and email for Schools and even businesses after doing it for a long time to build ad profiles after they didn't dare telling the same lies in federal court that they were telling to the public about snooping on students to show ads.

http://www.edweek.org/ew/artic...

http://www.edweek.org/ew/artic...

But hey, it's Google so they get a free pass here while if MS did anything even close to that people would be shouting from rooftops.

This is old

[Jorl17]

This is _really_ old news. I've been to two or three talks about this. How can anyone still be surprised?

Re:This is old

[canadiannomad]

How can anyone still be surprised?

Because they are one of the lucky 10000...

App to fix this - Pry-Fi

[Kernel+Kurtz]

Got this from a previous discussion on /.

http://forum.xda-developers.co...

Re:OMFG WHO IS SURPRISED BY THIS????

Perhaps the true sheep are the ones who go around spouting the sheep meme all the time

Re:Google already snoops on Android locations for

Except APL does it too. They just don't advertise it and bury it in the EULA.

Remember, not only are you buying a product, you are also a product when you buy i-things! (haven't you noticed all in-app ads are funneled through just one service?)

I've wrote a tool to exploit this.

I wrote stuff to do this, but to aid in the capture of criminals. This kind of tool is extremely valuable to bounty hunters (professionals and not the assholes kicking down random doors like their cowboys).

Captcha: dictator seems fitting.

Re: I've wrote a tool to exploit this.

Then you also wrote a tool for the harassment and persecution of the innocent. Anything that CAN be misused WILL be misused. Especially if you get it anywhere near law enforcement and those close to them.

Headline Whore Much Soulskill/Dice Holdings ?

[hduff]

What's more, the same flaw is found in Apple OS X and Windows 7.

So why only"Android' in the headline? Why not use "Smartphones"?

Re:Headline Whore Much Soulskill/Dice Holdings ?

[Jabrwock]

Because OS X and Windows 7 aren't mobile OSs? The article does address that, and states that it doesn't believe the risk to laptop users to be worth more than a mention, because laptops are generally powered down when moving around, unlike smartphones that keep scanning.

Re:Google already snoops on Android locations for

[Em+Adespoton]

But hey, it's Google so they get a free pass here while if MS did anything even close to that people would be shouting from rooftops.

That's because MS has been convicted in court of abusing this power. So far, Google appears to have stayed within the law in how it uses this data.

Except that's not true: Google's got into plenty of trouble for grabbing too much data, then not deleting that data when ordered to by the court.

I think you'll find that Google is well on its way to becoming the new MS -- and not just in the market sense. People ARE starting to grumble, and avoid using Google services for some things.

Re:Google already snoops on Android locations for

[the_B0fh]

You obviously have evidence for this?

Mitigation would be easy...

[niftymitch]

It is possible on an unlocked device to spoof this data by
collecting data from other phones in passing or from a
mesh of friends that pull data from their device and share
it with others.

i.e. should my WiFi device hear such a broadcast.
It could save parts of it, format those and insert the data
randomly into the list of devices my device appears to know about.

After anyone publishes enough to prove the possibility
then the information can no longer be used with impunity against
an individual because data stamps could be changed and
data inserted.... by a third party.

As we know from Snowden papers, TLAs do exploit flaws
and coerce vendors to insert and unlock side doors in devices .
Further all such activity is classified so any jury can
now be presented with reasonable doubt that the evidence
of this type on a phone or laptop has any validity.

Scan recent history for "surveillance equipment is known as a Stingray, an innovative way
for law enforcement to track cellphones used by suspects and gather evidence.
The equipment tricks cellphones into identifying some of their owners’ account information,..."
(theblaze.com)

I am reminded of a plugin to firefox that did much the same thing by randomly
making HTTP connections hither and yon triggered by a chain of "interesting" words.
The intent was to pollute the search history etc.... again to add uncertainty
that the individual was doing anything "of interest" to the prosecution.

On occasion I still fire it up from time to time not because I wish to hide anything I did but because
I wish to protect myself from those that would hide stuff on my system via tricks like
a 1x1 pixel display of a high resolution image download or mouse over abusive
use of JavaScript or modern HTML5 canvases and many many more abusive things.

You would smother the news...

Because it isn't news to you?

Wow, under your dictatorship what enlightenment we'd be able to expect!

That's not location data

[EmagGeek]

The data described as being leaked is not location data. It is the names of SSIDs to which the device has connected before.

Just sayin

Re:Google already snoops on Android locations for

[cavreader]

"Google is well on its way to becoming the new MS "

Google has already become just like MS and Apple. They all rank at the top of the most successful companies in the world. These companies have been an integral part of the PC and Internet technical revolution. A revolution that has changed the world of communications and commerce. You can question some of their methods but you should try and balance the good and bad when forming your opinions on their "evilness". None of these companies have ever claimed to be philanthropic organizations.

Re:OMFG WHO IS SURPRISED BY THIS????

[bkcallahan]

I always thought they carried Bibles...

Re:Google already snoops on Android locations for

[douglas.w.goodall300]

I believe you are referring to the wi-fi data picked up promiscuously by Google fleet of camera vehicles while taking street view pictures. Their excuses about that were pretty thin as I remember.

Re:Google already snoops on Android locations for

[Plumpaquatsch]

I believe you are referring to the wi-fi data picked up promiscuously by Google fleet of camera vehicles while taking street view pictures. Their excuses about that were pretty thin as I remember.

Not as thin as their excuses for not deleting all of it. After saying they had deleted it.

Don't Worry About Leaking Data Anymore

[rowyn_vanm]

Whether it be location data, or just important information, IONU's app ensures that you no longer have to worry about your data being leaked to anyone but the recipient. IONU's encrypted messaging service provides the privacy and security that is becoming vital in this day and age. Download the app here: https://ionu.com/download