Google Play ‘Tracking Android Users 24/7’

The location-tracking features in Google’s Android smartphone operating system are nearly impossible to turn off due to third-party apps’ increasing dependence on them, a computer security researcher has warned.

Users may be aware that specific mobile applications such as Google Maps are tracking their location, but may not know that Android handsets continue tracking users and relaying the location data to Google even if such apps are switched off, according to London-based researcher Mustafa Al-Bassam.

Location tracking

The situation arises out of Google’s efforts to encourage programs to use the application programming interfaces (APIs) – including an API for location services – built into its Google Play store, which it uses to distribute and update apps.

On the one hand, that means that Google Play tracks users even if all other applications are switched off, Al-Bassam wrote in a Twitter post.

“Even if you uninstall Google Maps, Google Play’s background service is tracking your location 24/7,” Al-Bassam wrote.

On the other hand, it means if Google Play’s location services are disabled, location services won’t work on many third-party apps, he said.

“Google is encouraging developers to use the Play location API instead of the native Android API, making an open OS dependent on proprietary software,” he wrote.

Nearby Notifications

Google has been developing the scope of its Play APIs for some time, but users are likely to be unaware of the implications in the most recent versions of Android, Al-Bassam said.

For instance, a Google Play API called Nearby Notifications now allows companies to send alerts to devices located in specific locations, without their having installed any software or approved any specific agreement, as Al-Bassam discovered to his surprise.

“Yesterday I almost had a heart attack when I entered McDonald’s and I had a notification on my phone asking me to install their app,” he wrote.

Another security expert accused Google of “mishandling” users’ privacy, and pointed out that disabling Google Play could render devices unusable.

“You won’t be tracked, but you’ll have to manually update each of your apps, some of which might not even work anymore without an active installation of Google Play services,” wrote researcher David Bisson in an advisory.

Another option is to manually switch location services on or off each time they are needed, which Bisson called an “inconvenience”.

“Damned if you do. Damned if you don’t,” he wrote.

Privacy controls

Google said it provides users with “tools to control how their location information is shared with Google and other apps or services”, including, beginning with Android 6.0, released in October of last year, the ability to disable location permissions for apps including Google Play and Google Maps.

But because many apps are now dependent upon Google Play for location and other services, in practice users may be limited to either allowing Google to use their location data or not using location services at all, said Al-Bassam.

“Kind of defeats the purpose of fine-grained privacy controls,” he wrote.

Google has been the subject of probes by the UK and the EU for its privacy policies.

Proposed reforms to EU telecommunications laws published this week also take aim in part at curbing the data-collecting practices of large Internet companies such as Google.

Are you a security pro? Try our quiz!