Most active commenters
  • rpigab(3)

←back to thread

Everyone knows your location: tracking myself down through in-app ads

(timsh.org)
1957 points apokryptein | 11 comments | 02 Feb 25 17:07 UTC | HN request time: 1.461s | source | bottom
1. simonw ◴[02 Feb 25 21:19 UTC] No.42911941[source]
Anyone understand why an apparently accurate latitude/longitude showed up in one of those traces despite location services not being enabled for the app in question?
replies(4): >>42911991 #>>42911992 #>>42913482 #>>42916172 #
2. ec109685 ◴[02 Feb 25 21:23 UTC] No.42911991[source]
A previous request maybe mapped their IP back to the geo, and that data was used subsequently, maybe?
3. withinboredom ◴[02 Feb 25 21:23 UTC] No.42911992[source]
Probably Mozilla location services (which I happily block) which does pretty accurate passive location tracking.
4. ActorNightly ◴[03 Feb 25 00:36 UTC] No.42913482[source]
Phones send out probe requests to get a list of open wifis. If you have a static access point, with a known geo location, software can be running on that point to remember a mac address of the phone from a probe and store it. Thus enabling real time tracking.

Im like 60% sure this is how they figured out who the Bomber was in Austin TX.

replies(2): >>42920034 #>>42945935 #
5. rollulus ◴[03 Feb 25 08:37 UTC] No.42916172[source]
Thanks for asking. Came here to ask since I was curious about this too. I don't find any of the replies here convincing:

- List of open wifis: AFAIK, and in my experience, apps need special permissions to do anything at the wifi level. And yes, iOS location services use wifi info but it's disabled, that's the point;

- IP back to geo: then why not send the IP itself directly?

- Mozilla location services: same as above, why not send the info you send to Mozilla directly to the data harvester which can call Mozilla itself?

6. rpigab ◴[03 Feb 25 16:39 UTC] No.42920034[source]
This is also why some Chinese apps put everything inside a single app and request every permission there is, then track you through Wifi SSIDs seen by your device.
replies(1): >>42927113 #
7. megous ◴[04 Feb 25 02:50 UTC] No.42927113{3}[source]
Almost no mobile apps need to know the mac addresses of anything, let alone SSID/BSSID. Why would OS give this info up to some app?
replies(1): >>42930723 #
8. rpigab ◴[04 Feb 25 10:41 UTC] No.42930723{4}[source]
Apps that have to link hardware via Wifi sometimes do, they take complete control over wifi in order to create a wireless access point and make the device connect to it during setup. I think Nikon camera remote control does this, also Meta Horizon, with Meta Quest VR headset, IIRC.

There's also Wifi ranging feature, but it shouldn't need to expose SSIDs to the app, I don't know the API, it should be limited to giving a precise location:

https://www.androidheadlines.com/2024/11/android-15-wi-fi-ra...

replies(1): >>42935510 #
9. megous ◴[04 Feb 25 17:20 UTC] No.42935510{5}[source]
That sounds like something that's also not that risky. Short lived, temporary access point with randomized BSSID/mac address should not be useful for long term tracking if done well.
replies(1): >>42945724 #
10. rpigab ◴[05 Feb 25 08:39 UTC] No.42945724{6}[source]
It is not, if the developer only does what is expected. I believe when you have to perform this, the Android authorization asked to the user is complete control over the network adapter settings.
11. rgovostes ◴[05 Feb 25 09:05 UTC] No.42945935[source]
Not entirely... "Apple platforms use a randomized Media Access Control address (MAC address) when performing Wi-Fi scans when not associated with a Wi-Fi network." https://support.apple.com/guide/security/privacy-features-co...