Mobile applications that request location access may inadvertently reveal considerable private information about users, including their activities, environment, and even the structure of their immediate surroundings. This finding comes from a troubling study conducted by researchers at the Indian Institute of Technology (IIT) Delhi, published in the journal ACM Transactions on Sensor Networks. The research focused on AndroCon, the first system to showcase that the detailed GPS data available to Android applications with precise location permissions can function as a covert sensor.
AndroCon demonstrated the ability to analyze nine low-level GPS parameters—such as Doppler shift, signal power, and multipath interference—to determine whether an individual is sitting, standing, or lying down, or if they are in a metro, on a flight, in a park, or in a busy outdoor area. The study also highlighted the capability to discern whether a room is crowded or empty, as explained by the researchers led by Soham Nag, an M. Tech. student at the Centre of Excellence in Cyber Systems and Information Assurance at IIT Delhi. By integrating classical signal processing with contemporary machine learning techniques, the team was able to convert noisy raw data into valuable insights.
“Over the course of a year-long study encompassing 40,000 sq. km and various smartphones, AndroCon achieved nearly 99 percent accuracy in surrounding detection and over 87 percent in identifying human activities, including subtle gestures like hand-waving near the device,” stated Prof. Smruti R. Sarangi from the Computer Science and Engineering Department at IIT Delhi. The framework also has the potential to create indoor floor maps—identifying rooms, staircases, and elevators—with an error margin of less than 4 meters, relying solely on GPS patterns and user movements. While AndroCon represents exciting advancements for context-aware and privacy-conscious smart services, it also uncovers a significant security vulnerability.
Any Android application with precise location access could potentially extract sensitive contextual information without the user’s explicit consent. “This study unveils an overlooked aspect of GPS: a potent yet discreet channel capable of sensing the surrounding environment. AndroCon transforms a standard smartphone into an unexpectedly accurate scientific tool, serving as a reminder that even well-known technologies can harbor hidden risks that may be exploited by malicious actors,” Sarangi concluded.