Anyone understand why an apparently accurate latitude/longitude showed up in one of those traces despite location services not being enabled for the app in question?
Phones send out probe requests to get a list of open wifis. If you have a static access point with a known geolocation, software can be running on that point to remember a MAC address of the phone from a probe and store it, thus enabling real-time tracking.
I'm like 60% sure this is how they figured out who the Bomber was in Austin, TX.
This is also why some Chinese apps put everything inside a single app and request every permission there is, then track you through Wifi SSIDs seen by your device.
Apps that have to link hardware via Wifi sometimes do; they take complete control over wifi in order to create a wireless access point and make the device connect to it during setup. I think Nikon camera remote control does this, also Meta Horizon, with Meta Quest VR headset, IIRC.
There's also a Wifi ranging feature, but it shouldn't need to expose SSIDs to the app. I don't know the API; it should be limited to giving a precise location:
That sounds like something that's also not that risky. A short-lived, temporary access point with a randomized BSSID/MAC address should not be useful for long-term tracking if done well.
It is not, if the developer only does what is expected. I believe when you have to perform this, the Android authorization asked of the user is complete control over the network adapter settings.
Thanks for asking. Came here to ask since I was curious about this too. I don't find any of the replies here convincing:
- List of open wifis: AFAIK, and in my experience, apps need special permissions to do anything at the wifi level. And yes, iOS location services use wifi info but it's disabled, that's the point;
- IP back to geo: then why not send the IP itself directly?
- Mozilla location services: same as above, why not send the info you send to Mozilla directly to the data harvester which can call Mozilla itself?