The precise targeting of advertising is at the heart of the largest technology companies today. It may also be turning your phone into a potential tracking device. For about $1000, pretty much anyone, from a jealous partner to a person casing your home, can follow your movements and can gain entry to your personal information, if you help them by opening up the right app on your phone.
Researchers at the University of Washington were interested in whether individuals could, by purchasing ads, gain access to other people's private information. They found that the answer is yes, with a little help from the target.
The team would not say which apps they tested, but buying ads for popular apps like TextMe and iFunny would be likely choices. You don't even have to click on the ad — you just have to have the app that it's directed to open on your phone. As long as the ad connects with your app and you stay in the same place for about four minutes, the sender can get your location.
A burglar could use advertising-based intelligence to make sure that you're not home. Paparazzi could track celebrities.
“ …[W]e find that an individual can use the targeted advertising system to conduct physical and digital surveillance on targets that use smartphone apps with ads,” the authors write. The ads in question are hyperlocal, directed to one single person's phone, lowering their cost. And there are many companies selling these ads, enough to fit most anyone's budget.
Many different types of information are available using this technique that the authors call ADINT (advertising-based intelligence), including:
For example, a burglar could use advertising-based intelligence to make sure that you're not home. Paparazzi could track celebrities; or a lover could check up on sexual infidelity. Governments could use it to collect information on demonstrators.
The first step is finding the target phone's mobile advertising ID (MAID). This is a pseudorandom identifier to uniquely identify a particular device for advertising and works much the way Tracking Cookies are used in browsers.
What the authors tested most thoroughly was their ability to track someone on their daily commute to work. The trip started from home and continued on to a coffee shop and bus stop. This was followed by a bus ride and a walk to the office.
The researchers had the target open the app about once a minute, simulating what might happen during a text conversation.
The team, from the Paul G. Allen School of Computer Science & Engineering at the University of Washington, was able to track the target everywhere along this commute except for the bus ride and walking route. That's home, coffee shop, bus stop and office.
In the commute just described, the researchers had the target open the app about once a minute, simulating what might happen during a text conversation.
There aren't many ways you can defend against this type of attack. Disabling location tracking within individual app settings could help, the researchers say, but advertisers still may be capable of finding location data in other ways. Changing your mobile advertising ID is a good idea, at least until the person or persons who are after your information find the new ID.
The authors recommend that people concerned about these risks consider resetting their mobile advertising ID, but they think that the most effective solutions involve restrictions placed on or by the advertisers.
The paper was published at WPES 2017, the 16th Association for Computer Machinery (ACM) Workshop on Privacy in the Electronic Society.
The authors have also written a series of FAQs which explain the study and its findings in simpler terms. The FAQ includes links that will show you how to shut off your phone's mobile advertising ID (MAID) and location access to apps, both for iPhones and Android phones.