The article mentions that the required permissions are "very common permissions", and then in the next paragraph says that 179 apps on the Google Play store require those permissions. As of July 2014, there were 1.3 million apps in the app store [1]. That's ~0.014% of the apps on the store. Not exactly "very common" in my mind. Although the remark that they are "unlikely to raise suspicion" is valid, especially for the typical consumer, who probably isn't reading the permissions anyway.

[1] - http://en.wikipedia.org/wiki/Google_Play#Android_application...

This is really selling a quite interesting intellectual effort on meaningless paranoia. Who would have any interest in tracking people in this manner?

Any government based group can grab the data much more conveniently via the phone towers. Anyone else? Well you've got to trick someone into downloading this thing, so it's probably not that good for targeting a specific individual.

If you can think up some nefarious scheme which involves grabbing lots of peoples locations, just get permissions to use GPS or cell location, way more apps have that privilege. I'm not sure what you do with it afterwards though.

New research reveals people can be tracked just by watching where they go...

Original research paper: http://arxiv.org/abs/1502.03182

PDF link: http://arxiv.org/pdf/1502.03182v1.pdf

This is a 'tour de force' study for sure, but has a very limited scope (and reliability)- First, it only works if the attacker knows both the route(s) ahead of time and the power consumption profile of the routes, which requires careful mapping of the region with a recording device. Second, its accuracy degrades drastically depending on the number of apps running -- they only tested with background apps, which already rendered the method only slightly better than a random guess, with an arbitrary app running in the foreground the power consumption goes bananas and so does their method.

Storm in a glass of water, if you ask me.. (But you wouldn't know this by reading that abstract alone ;))

-@r2r

Maybe I am a bit dense here, but how does battery drain map to a location? What would they be cross referencing to gather location?

All I can gather is that they would also need to know what tower you were talking to, and then based on the drain they could probably guess where you were based on some heuristic. Meaning, if you are talking to tower x, and the battery drain is high, you could guess that you are either far from the tower or indoors somewhere. It still seems to me that this is dubious at best. I get that technology is always changing, but wouldn't it just be easier to exploit a security hole?

So what makes this specific to Android phones? Developers can't (get permission to) access this information on other platforms?

What a sensasionalist headline... The results of the study can only be achieved under a very controlled environment and even then they're not accurate. From a practical point of view this is irrelevant when there are other ways of getting a user location that are far more accurate and easy. But from an academic point of view I can see the interest.

Seriously? Have you not heard of side channel and timing attacks? This is called information leakage and is a big deal. Because it is not common/easy now doesn't mean it won't be in the future. The nature of information disclosure (whether data or metadata) is that people find "impractical" methods of accessing information we might prefer they not have, then make them practical. It may also be the case that the researchers cannot make it practical, but that doesn't mean there aren't actors who can and possibly have already done this.

This is a very useful article OP, thank you for posting

Isn't the assumption that "the noise of playing music,social media, etc" is not correlated with the phone's location, pretty weak? I know I have distinct patterns of when I scroll up twitter or listen to music, which depend on where I am..

I'm thinking about when Whistler decodes the kidnapper's route in Sneakers.

The first thing that popped into my head to get around this technique - and in one fell swoop would defeat all others - was : "Switch the phone off and remove the battery".

Of course, as soon as you turn the phone back on again, your adversary can pinpoint your location.

I guess the best overall solution would be to eschew having a phone at all.

Just ask the user for their location right away. Most don't care anyway.

I think this has the potential to be as good as the location of MH370 by satellite data

Basically, locate the user over a wide range of possible locations.

I wouldn't loose my sleep over this, really