Application Security IT Security Outsourced IT

Location-Based Services

What are Location-Based Services?

Location-based services (LBS) use real-time geolocation data from mobile devices to provide information, security, and/or entertainment. Using a mobile device, even powering it on, exposes location data.1 Mobile devices connect to cellular providers and networks, and when they do the cellular provider receives real-time location information. This information can be used in ways that are beneficial, such as in response to 911 calls, or in ways that can be harmful, such as having your safety and security compromised when a threat actor uses this information for malicious purposes. Cellular providers could potentially sell this real-time location data to third parties, unbeknownst to users. Additionally, location data from mobile devices can be obtained without provider cooperation, as commercially available rogue base stations allow operators to obtain real-time location data inexpensively and easily and to track targets in the local area. The following technologies are used to track location:

GPS. The Global Positioning System (GPS) is an array of satellites that exist to locate things around the world.2 Any device with a GPS receiver can ping the satellites with that receiver. When this happens, it communicates with at least four satellites in order to determine your precise location. A common business application of this technology is GPS fleet tracking software which allows organizations to remotely monitor their company vehicles and operator behavior.

Wi-Fi. Wi-Fi location tracking uses IP addresses to determine the location of a mobile device that has connected to a network.

Cellular technology. Cellular works similarly to GPS technology, but rather than connecting to satellites it connects to cellular towers and uses triangulation to determine your location, as you are generally within range of at least two cellular towers.

QR codes. Quick-response (QR) tracking logs information related to scans, including the physical location of the scan.

RFID. Radio frequency identification (RFID) tracking uses an RFID scanner to ping off of other networks, allowing the location of the scanner to be logged. Once the RFID scanner is activated, it can tag its location when it records the access, which can identify the location of the device accessing the scanner.

While there are many helpful uses for LBS technology, there may be both personal and professional reasons why you may wish to limit the exposure of user location data. The following actions can be used for those who wish to limit exposure of location data1:

  • Disable location services settings on the device.
  • Disable radios when they are not actively in use: disable Bluetooth and turn off Wi-Fi if these capabilities are not needed. Use Airplane Mode when the device is not in use. Ensure Bluetooth and Wi-Fi are disabled when Airplane Mode is engaged.
  • Apps should be given as few permissions as possible. If using, location privacy/permission settings for apps should be set to either not allow location data usage or, at most, allow location data usage only while using the app.
  • Disable advertising permissions to the greatest extent possible. Set privacy settings to limit ad tracking, noting that these restrictions are at the vendor’ discretion. Reset the advertising ID for the device on a regular basis, at least weekly.
  • Turn off settings (typically known as FindMy or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
  • Minimize web-browsing on the device as much as possible and set browser privacy/permission location settings to not allow location data usage.
  • Use an anonymizing Virtual Private Network (VPN) to help obscure location.
  • Minimize the amount of data with location information that is stored in the cloud, if possible.

If it is critical that location is not revealed for a particular activity, consider the following recommendations:

  • Determine a non-sensitive location where devices with wireless capabilities can be secured. Ensure that the site cannot be predicted from this location.
  • Leave all devices with any wireless capabilities (including personal devices) at this non-sensitive location. Turning off the device may not be sufficient if a device has been compromised.
  • For transportation, use vehicles without built-in wireless communication capabilities, or turn off the capabilities, if possible.

1 NSA, 2022, “Limiting Location Data Exposure”

2 Freedman, 2021, “Location-Based Services: Definition and Examples”