There’s Wally! Location Tracking in Android without Permissions

Efthimios Alepis, Constantinos Patsakis


Context-awareness can be considered one of the biggest advantages of smart mobile devices, as it provides advanced features for developers, revolutionizing user interaction and making users more engaged with applications. Perhaps the most important factor is location awareness, as applications can refine their results according to users’ whereabouts. Nonetheless, users’ location is a very sensitive attribute, as it can disclose a lot of personal information about them. To address such issues, mobile operating systems require users to grant specific permissions to applications. This work studies a relatively new feature of Android, namely Wi-Fi P2P, illustrating that the location of the user can be easily disclosed without using location permissions, even in the recent version of Android.



Paper Citation

in Harvard Style

Alepis E. and Patsakis C. (2017). There’s Wally! Location Tracking in Android without Permissions. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 278-284. DOI: 10.5220/0006125502780284

in Bibtex Style

author={Efthimios Alepis and Constantinos Patsakis},
title={There’s Wally! Location Tracking in Android without Permissions},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},

in EndNote Style

JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - There’s Wally! Location Tracking in Android without Permissions
SN - 978-989-758-209-7
AU - Alepis E.
AU - Patsakis C.
PY - 2017
SP - 278
EP - 284
DO - 10.5220/0006125502780284