Tracking User’s Geolocation without Permission on Android

Jack Huang
Dec 21, 2021 · 5 min read
Wi-Fi probing reveals more than just individual SSIDs, which can cause discovery-based information leakage.

This article draws on a lab assignment from the Mobile and IoT Security course I took at Carnegie Mellon University. Please feel free to leave comments on the article with your own insights and solutions to the lab.

With the growing market share and popularity of the Android platform, the number of applications that are available to users has increased significantly. While users enjoy the rich features of the apps, their sensitive personal data may be stolen by malicious apps.

This lab is dedicated to showing ways to reveal a user's geolocation without asking for the location permission. This is a discovery-based leakage: it is rooted in how Wi-Fi works and in the data that can be associated with what a device discovers.

IP Geolocation

With IP geolocation, we are able to get a user's geolocation without asking for the location permission. Here is how it works. Whenever you connect to the Internet, you (or your network) get an identifier called an IP address. IP-based geolocation simply checks which area a given IP range is used in, using an IP-to-geolocation database.

To be more specific, IP subnets are assigned to the providers upstream of your service provider, so each IP range is flagged as belonging to the country of origin of that provider, and each IP within that range is assumed to be within that country, or even within a particular area of that country.

Most IP-geolocation services maintain such an IP-to-geolocation database. The service simply looks up the IP address in the user's query and returns the result.

Nonetheless, IP-based geolocation cannot be 100% accurate. In fact, it gives little confidence about a user's geolocation, for the following reasons:

  1. Providers may not associate their IP subnets with the exact area where they provide service.
  2. Providers may not actively update the association between IP subnets and areas, which can cause a large deviation between a user's real geolocation and the query result.
  3. The user may connect to the Internet through a virtual private network (VPN), which sends and receives the user's traffic through an additional computing device acting as a repeater, so the IP address observed belongs to that device rather than to the user.

There are multiple free services on the Internet that return a geolocation for an IP address. Most of them simply take the IP address as input and query their IP-to-geolocation database.

Wi-Fi Probing and Triangulation

This is what I did for the lab. With Wi-Fi probing and triangulation, we associate nearby Wi-Fi nodes with known locations to approximate a user's geolocation. There are, however, two restrictions on this method: the Android app needs to be granted the CHANGE_WIFI_STATE permission, and the device must run a version of Android earlier than 8.1.

The main idea behind Wi-Fi probing and triangulation is that most Wi-Fi access points stay at the same physical location once installed. Based on this idea, if we know the locations of at least 3 Wi-Fi APs near the user, each with an estimated distance, we can calculate the intersection area of those distances, which narrows down the possible area of the user's geolocation. The more nearby Wi-Fi APs we scan, the more accurate the triangulation and the smaller the intersection area, which in turn gives a stronger approximation of the user's geolocation.

With 3 Wi-Fi APs, we obtain the intersection area in which the user is likely to be while using our app.
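To make the "intersection area" concrete, here is an added worked example (not code from the lab or the post) of the geometry: three constructed AP coordinates with distance estimates are solved by least squares, and a second run with biased distances shows how the residual grows when the ranges disagree. AP_POINTS and TRUE_POINT are constructed values, not real access points; distance estimation from signal strength is outside the scope of this example.

```python
import math

EARTH_RADIUS_M = 6371000.0
# Constructed sample: three hypothetical APs near Palo Alto whose positions
# are treated as known (the post looks them up in WiGLE), plus a constructed
# "true" user position used only to derive the sample distances.
AP_POINTS = [(37.4419, -122.1430), (37.4432, -122.1405), (37.4405, -122.1400)]
TRUE_POINT = (37.4420, -122.1410)

def to_local_xy(lat, lon, lat0, lon0):
    """Equirectangular projection to metres around (lat0, lon0); fine at AP range."""
    x = math.radians(lon - lon0) * EARTH_RADIUS_M * math.cos(math.radians(lat0))
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y

def sample_measurements(bias_m=0.0):
    """(AP coordinate, estimated distance) pairs. bias_m models a systematic
    ranging error, e.g. signal-strength-derived distances that are all too long."""
    lat0, lon0 = AP_POINTS[0]
    ux, uy = to_local_xy(*TRUE_POINT, lat0, lon0)
    pairs = []
    for lat, lon in AP_POINTS:
        ax, ay = to_local_xy(lat, lon, lat0, lon0)
        pairs.append(((lat, lon), math.hypot(ux - ax, uy - ay) + bias_m))
    return pairs

def estimate_position(measurements):
    """Least-squares intersection of the distance circles. Subtracting circle 1
    from circle i linearises it: 2(xi-x1)x + 2(yi-y1)y = xi^2-x1^2+yi^2-y1^2-di^2+d1^2.
    Returns (lat, lon, rms_m); rms_m is how far the circles disagree, i.e. the
    size of the intersection area (~0 when the ranges are consistent)."""
    lat0, lon0 = measurements[0][0]
    pts = [to_local_xy(lat, lon, lat0, lon0) for (lat, lon), _ in measurements]
    dists = [d for _, d in measurements]
    (x1, y1), d1 = pts[0], dists[0]
    rows = [(2 * (xi - x1), 2 * (yi - y1), xi**2 - x1**2 + yi**2 - y1**2 - di**2 + d1**2)
            for (xi, yi), di in zip(pts[1:], dists[1:])]
    # Normal equations (A^T A) p = A^T c for the two unknowns, solved by Cramer's rule.
    saa, sab, sbb = (sum(a * a for a, _, _ in rows), sum(a * b for a, b, _ in rows),
                     sum(b * b for _, b, _ in rows))
    sac, sbc = sum(a * c for a, _, c in rows), sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("access points are collinear: no unique intersection")
    x, y = (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det
    rms_m = math.sqrt(sum((math.hypot(x - xi, y - yi) - di) ** 2
                          for (xi, yi), di in zip(pts, dists)) / len(pts))
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon, rms_m
```

With consistent ranges the solver recovers TRUE_POINT almost exactly; adding a 20 m bias to every distance leaves the estimate only a few metres off but pushes the residual to about 20 m, which is the "area" rather than a point.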

We can retrieve the nearby Wi-Fi APs with the WifiManager APIs. For the geolocation of those APs, we can query WiGLE's database, an open project that maintains a database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers.

Proof of Concept

The following screenshot is a visualization of a test of the geolocation tracking, using Wi-Fi probing and triangulation, from my home to the Stanford Shopping Center in Palo Alto.

You may notice that sometimes I failed to record the geolocation (specifically on the way to Stanford). The reason may be an unstable Internet connection or the sparseness of access points along the way from the starting point to the destination.

Android has addressed this method with the following two platform changes:

  1. Starting with Android 8.1, the location permission is required, because the Android community realized how Wi-Fi node scanning reveals a user's geolocation and updated the permission requirements for the Wi-Fi scanning APIs.
  2. Newer Android versions adopt MAC address randomization when probing for networks, and randomized MAC addresses can lead to wrong geolocation triangulation.

Therefore, this method can no longer be used to track a user's geolocation on phones running Android 8.1 or later.
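From the defensive side, here is an added example (not from the post) of the check an app reviewer can automate against the two points above: parse an AndroidManifest.xml and flag the combination this method relies on, Wi-Fi scan permissions without any location permission in an app whose minSdkVersion lets it run on devices below Android 8.1 (API level 27). The manifest is a constructed sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
WIFI_SCAN_PERMS = {"android.permission.ACCESS_WIFI_STATE",
                   "android.permission.CHANGE_WIFI_STATE"}
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}
ANDROID_8_1_API = 27  # Android 8.1 is API level 27

# Constructed sample manifest for a hypothetical app; not a real package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wifiprobe">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
</manifest>"""

def audit_manifest(xml_text):
    """Return the declared permissions, minSdkVersion and a list of findings."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    # Default minSdkVersion is 1 when <uses-sdk> is absent.
    min_sdk = int(sdk.get(f"{{{ANDROID_NS}}}minSdkVersion", "1")) if sdk is not None else 1
    findings = []
    wifi = perms & WIFI_SCAN_PERMS
    if wifi and not (perms & LOCATION_PERMS):
        # Scan access declared, yet no location permission that would surface
        # the data collection to the user at install/runtime.
        findings.append(f"wifi-scan-without-location: {sorted(wifi)}")
        if min_sdk < ANDROID_8_1_API:
            # The app is installable on devices where the post's method still works.
            findings.append(f"installable-below-android-8.1: minSdkVersion={min_sdk}")
    return {"permissions": sorted(perms), "min_sdk": min_sdk, "findings": findings}
```

Adding a location permission to the same manifest clears both findings, which is the visible signal a reviewer (or a store policy check) should look for.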

This is the epilogue of the article, and here I want to share an interesting story. Have you ever wondered why Google's Geolocation API asks you to provide the nearby Wi-Fi APs in order to increase the accuracy?

For the past few years, Google has tried to take Street View photos in major cities once every year to provide actual on-the-ground photos of nearly any location in the US and beyond. However, Google equipped its mapping vehicles with several sensors, including cameras, air pollution sensors, and Wi-Fi probing sensors, meaning that the mapping vehicles collect not only the Street View photos but other information as well. That is why providing the nearby Wi-Fi APs to Google's Geolocation API helps developers obtain a more accurate geolocation.

If you are interested in the course material, you can find out more here:
