| The rapid development of Information Communications Technology(ICT)has digitalized people's mobility traces for the first time in human history.Nowadays,with GPS equipped mobile devices,such as smartphones and tablets,users can directly share their locations through various social network platforms.Meanwhile,many apps,such as Facebook,Twitter and WeChat,resided in a mobile device ask the users to grant them the access to their location data.Multiple parties can benefit from the large-scale mobility data:industry can use the data to build appealing applications,such as location recommendation systems;academia can use the data to gain a deeper understanding of many fundamental questions in the society,such as epidemiology.While bringing a lot of benefits,location data also raises severe threat to people's privacy.Some authors have pointed out that location is the most sensitive data being collected from each individual.Several studies show that knowing the locations users have visited can leak their attributes,and social relations.In addition,being able to infer/track a user's location allows an adversary to stalk the user.In particular,the privacy threat is severe for users of certain mobile apps whose functionality heavily relies on location information,such as Tinder,Skout and Whisper.To mitigate the privacy threat,many location-based mobile apps have taken countermeasures.The most common approach is only displaying the distance between two users,instead of showing their exact locations(geo-coordinates).For instance,a Whisper user can only know how far away a certain user is from him.However,the authors have shown that by simply modifying Whisper's APIs,a user's location can be inferred through triangulation.However,all these previous works have studied the location vulnerability of only one or a few apps.To fully assess the location privacy threat,a large-scale study on most of the popular apps is necessary.We propose a series of testing mechanisms,including UI match and API analysis to automatically evaluate a certain social app on location privacy leakage.We have crawled the top 800 social apps from Google Play(500)and Wandoujia(300).109 of them have passed the automatic testing.We discover that 24.7%of these apps are vulnerable to AWDL while 11.0%of them leak users' locations with AWODL.Moreover,some apps even allow users to modify the original apps to send crafted requests,which means the database could be disclosed by web API misuse.In addition,we identified 5 apps which directly expose the exact geo-coordinates of the potential victims.We perform simulations to demonstrate our location inference attacks.Experiments conducted mainly in Beijing and New York on three apps,Feeling,SKOUT and Blued,show that three location queries can track more than 90%users.The continuous location attack can get the victim's activity track. |
PDF Full Text Request