The development of positioning technologies has digitalized people's mobility traces for the first time in history. GPS sensors resided in people's mobile devices allow smart apps to access location data. This large amount of mobility data can help to build appealing applications. Meanwhile, location privacy has become a major concern. In this paper, we design a general system to assess whether an app is vulnerable to location inference attacks. We utilize a series of automatic testing mechanisms including UI match and API analysis to extract the location information an app provides. According to different characteristics of these apps, we classify them into two categories corresponding to two kinds of attacks, namely attack with distance limitation (AWDL) and attack without distance limitation (AWODL). After evaluating 800 apps, of which 109 passed automated testing, we found that 24.7% of the passing apps are vulnerable to AWDL and 11.0% to AWODL. Moreover, some apps even allow us to modify the parameters in http requests which largely increases the scope of the attacks. Our system demonstrates the severity of location privacy leakage to mobile devices and can serve as an auditing tool for future smart apps.
IEEE International Symposium on Software Reliability Engineering
2018-10-15
2022-10-13 08:39:42