Have you ever considered how much data your smartphone quietly collects about you? From the apps you use and how often you open them to the GPS coordinates of the cell towers you connect to, it’s a wealth of sensitive information. While mobile devices like smartphones and tablets have built-in safeguards, Quokka researchers have uncovered how device vendors can unintentionally leak app usage and location data.
Why app usage and location data matter for enterprise security
App usage data alone can provide insights into user behavior. However, when combined with location data, it becomes a powerful tool for:
- Targeted Advertising: Profiles can be built to target users based on app interactions and physical location.
- User Profiling: Businesses and bad actors can map user behavior and patterns of life.
- Security Exploits: Attackers can exploit location data to track high-profile employees or sensitive operations.
Protecting this data is crucial for organizations that rely on mobile apps to secure their operations and maintain compliance with data privacy regulations, including the safety of their workforce.
App usage and location data leaks
Quokka researchers discovered privacy leaks across major Android device vendors, including Samsung, Nokia, and Transsion brands (i.e., Tecno, Infinix, and Itel). In addition, vendors that use pre-installed Qualcomm apps for performance monitoring were also found to have vulnerabilities. These leaks expose critical data that attackers can use to breach privacy and track users without their knowledge.
One significant issue is leaky apps, which unintentionally expose sensitive data due to poor security practices or misconfigurations. Even more alarming are colluding apps—apps that communicate with each other to share or expose information. By working together, these apps can paint a detailed picture of the user’s behavior, magnifying privacy and security risks.
The vendors mentioned in this report have handled the issues differently—some have received CVEs and have remediated the vulnerabilities, while others have yet to take action. This leaves both organizations and individual users at risk of having sensitive data exploited.
While the leaked data does not reveal exact GPS coordinates, it includes key information like the Mobile Country Code (MCC), Mobile Network Code (MNC), Location Area Code (LAC), and Cell Tower ID (CID). Using publicly available databases, this information can be used to map these data points to the GPS coordinates of the cell tower a device is connected to, allowing attackers to triangulate user locations and track behavior over time.
How Android devices leak app usage and location data
Even though Google classifies the list of installed apps as “personal and sensitive user data,” our findings reveal that the names of apps the user opens can be exposed. This information combined with timestamps, which can create a detailed profile of how, when, and where users interact with apps.
Persistent monitoring is possible if an app requests normal permissions, like “RECEIVE_BOOT_COMPLETED” to run at startup, and “FOREGROUND_SERVICE” which allows the app to always run in the background to harvest the leaked data. These permissions are easy to obtain and do not require user approval, making them an attractive target for attackers.
The risks to enterprises: Why you should care
For enterprises, the exposure of app usage and location data is more than a privacy issue–it’s a security threat. Businesses that rely on mobile devices for critical operations may encounter notable risks if attackers gain access to this data. Sensitive information could be used to spy on high-profile employees, access confidential information, or exploit company vulnerabilities.
How Quokka can help you secure your mobile apps and devices
At Quokka, we understand the complexity of mobile vulnerabilities, including those from leaky and colluding apps. Contextual Mobile Security Intelligence powers our solutions to provide advanced app intelligence, threat detection, and proactive protection, ensuring data remains secure across the mobile ecosystem. Whether you develop apps for your business, or rely on mobile to run your business, our platform helps your team discover and remediate malicious or colluding apps, zero-day exploits and vulnerabilities.
Learn more and read the full report
For a comprehensive overview of our research findings, download the full report, “Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?” presented by Dr. Ryan Johnson, Principal R&D Engineer at Quokka, at DEF CON 32 (2024). Discover how to safeguard your mobile apps and devices from these critical vulnerabilities, and protect your organization from data breaches.