Your whole life is wrapped up in the phone you’re carrying. And it’s always with you: whether you’re commuting to work, on holiday or doing nothing at home. Ultimately, our phones act as tracking devices – even if you’re not aware of it.
The apps that you’ve installed on your phone to help you with everything from photo editing to shopping can take advantage of your movement data. As a result of their location tracking functionality they’re able to compile some powerful knowledge on where you’re going and who you’re with.
But this is about to change. Through the latest versions of their mobile operating systems, both Google and Apple are taking the first steps to let people really know how much data they’re giving away. The upcoming versions of Android Q and iOS 13, which are in public betas with full releases coming later this year, are set to call out the apps recording your location in the background.
Every app you install, on either mobile operating system, already prompts users about the permissions it is requesting. If it wants access to your contacts, photos, or location you’ll be asked. But all too often ‘accept’ is quickly hit by default.
Now the operating systems are introducing push notifications that alert you to an app collecting the phone’s (and by default, your) whereabouts. They’re both taking similar approaches. On Android Q notifications appear saying “Airbnb got your location in the background. This app can always access your location. Tap to change”. While Apple’s variant goes a little further, showing a map of the recently recorded places you’ve been and offering the option to change the settings.
Nathan Collier, a senior malware intelligence analyst at Malwarebytes, says developers use two different functions to access data on a phone. Enabling ACCESS_FINE_LOCATION allows them to record precise location details, while ACCESS_COARSE_LOCATION provides a rough location. The permissions need to be granted access to run when an app is open or behind the scenes.
However, the new notifications are wake-up calls. For many phone owners these notifications are going to exposed a lack of awareness. “Many consumers do not understand that once you let an app access your location data, some may continue to track geolocation in the background, unbeknownst to the consumer,” explains Adenike Cosgrove, a international cybersecurity strategist at security firm Proofpoint.
Both Cosgrove and Collier agree the changes being introduced by Apple and Google are steps towards helping people understand the data their phones are collecting. But changing app permissions isn’t the most glamorous process so many people just don’t do it.
With the alterations in Q and iOS 13, the push notifications give users the ability to tweak the settings quickly. Each presents the option of always allowing location tracking in the background to continue, or only while using the app. Android’s notification goes further, allowing all location tracking to be turned off. In iOS, you have to separately enter the settings for this to be an option.
Apps that monitor your location aren’t necessarily bad, of course. It would be impossible for Google or Apple Maps to show you as a blue dot without access to location data; Airbnb couldn’t show available apartments near you without knowing the city you’re in; and fitness apps can’t record how far you’ve run or biked without using location data.
But not all apps need this functionality. Do you really need Twitter to geo-tag where your tweets are being sent from? Does The Guardian’s news app need to know where you are at all times (changing between geographic versions only takes a couple of taps).
“If the app is only collecting location data for the specific reason outlined in its terms and conditions, and they notify the user that they are doing so, this is fine,” Cosgrove says. “However, not all apps use the data only for what they say they will and those that are using data for reasons not outlined in their terms, are potentially breaking data protection regulations.”
Europe’s General Data Protection Regulation (GDPR) says companies must clearly tell customers what information they’re collecting and their purposes for doing it. Cosgrove says if a weather app was given permission to access location data to provide a person with the most accurate forecast but then sold your location to a third-party advertising company, it may attract the attention of data protection regulators.
However, apps accessing your location in the background can have a murkier side to them. The settings can be used within ‘stalkerware’ apps that let abusers monitor what their partner does on their phone and where they are, all without them knowing. (Use this guide if you think a partner may be spying on your phone).
Historically, security companies and app store owners have been slow to act about these types of spying apps. It’s only in 2019 that stalkerware is properly being taken seriously. In April Kaspersky Lab became the first company to start flagging these sort of apps as malicious – others have now followed. And in July, Google removed seven apps from its Play Store that were identified as being used for spying.
The new background notification features within iOS 13 and Android Q may help people identify that stalkerware has been added to their phone. “This could be useful as this new permission adds a reminder in notifications letting users know something is using location,” Collier says. “Keep in mind that, with “stalkerware”, the apps are installed by people who have physical access to the mobile device. Thus, they can allow background permissions initially, and it could take days for the notification to appear on the mobile device.”
More great stories from WIRED
🖼️ How to harness Google Photos to your messy pictures
😡 Heatwaves make people more violent, angry and grumpy
🚬 England has an ambitious plan to eradicate smoking by 2030
🕵🏿 It’s time you ditched Chrome for a privacy-first web browser
🎉 A vaccine for Alzheimer’s is on the verge of reality
📧 Get the best tech deals and gadget news in your inbox