Study: Anyone can track your smartphone, app activity for about $1,000

SEATTLE — Privacy concerns when it comes to apps, websites, and online advertisers have been a hot topic for smartphone consumers in recent years. While many worry about which companies are quietly acquiring personal information and keeping tabs on users’ movements, a new study finds that all anyone actually needs in order to track a person’s cellphone is about $1,000.

Researchers at the University of Washington recently conducted a smartphone-based experiment, hoping to determine whether a budget of $1,000 would allow an ostensible ad purchaser to be privy to a given individual’s private affairs.

It takes some work, but a new study finds that anyone can track a person’s cellphone location along with app activity and data for about $1,000.

It turns out that such a modest budget could not only be used to surreptitiously receive timely updates on a person’s geographical location (e.g., a residence), but could also reveal the apps used by that individual, which would in turn have the potential to expose personal information, demographic data, and ideological preferences collected by the programs. Everything from dating habits to political affiliations to recent purchases could be obtained.

“Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behavior,” says lead author Paul Vines, a recent doctoral graduate of the university’s school of computer science and engineering, in a university news release.

The team found they could pinpoint the location of a smartphone within 10 minutes of a person’s arrival.

The tactic discovered by the researchers involved learning a smartphone user’s mobile advertising ID (MAID), and using location-dependent ads to track that individual’s movements. That information could be picked up should a person be using an open Wi-Fi network at a local coffee shop, library, or other public arena.

A targeted individual did not have to click on an embedded ad for the campaign to be successful, although they would have to keep the app running for a requisite amount of time.

“To be very honest, I was shocked at how effective this was,” says Tadayoshi Kohno, one of the study’s co-authors. “We did this research to better understand the privacy risks with online advertising. There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision. It is important to understand both the benefits and risks with technologies.”

The researchers explain that both consumers and mobile advertising firms can take steps to curb such intrusions of privacy, the former by regularly resetting their MAIDs and the latter by rejecting ad buys that only target a handful of individuals, but spreading awareness may take significant time and effort.

For now, a fairly effective — although not foolproof — step to take would be disabling location tracking within certain apps, the researchers suggest.

“Because it was so easy to do what we did, we believe this is an issue that the online advertising industry needs to be thinking about,” warns co-author Franzi Roesner. “We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them.”

The study’s findings will be presented later this month at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society.