How Cybercriminals Exploit the Geolocation Features in Your Favorite Apps
Mobile phone applications represent a major threat to everyday consumers. Map apps, social media accounts, and web browsers all try to access our locations regularly, claiming to offer convenience while collecting far too much information about our movements, purchases, and search histories.
Last month, Canada’s federal privacy commissioner released a scathing report following a joint investigation into location tracking conducted by the app for Tim Hortons. The coffee chain has nearly 5,000 locations across all 10 Canadian provinces, along with more than 600 U.S. locations—third-most in the country behind only Starbucks and Dunkin’ Donuts.
In 2017, Tim Hortons introduced a new mobile app that was downloaded 10 million times within three years. Like most retail apps, it was intended to offer users easy payment, loyalty points, and order-placing perks. But in 2019, a new feature was quietly added. Using geolocation software, the Tim Hortons app took advantage of the GPS systems in customers’ phones to install a veritable snooping tool.
Instead of asking for permission to access users’ GPS locations only while they were actively using the app, Tim Hortons tracked users 24 hours a day, around the globe—even when the app was not in use. Initially, the system was intended to track individuals so that specific promotions—like, say, coupons for a Tim Hortons stand in an arena if the user attended a hockey game—could be delivered to them. But data was instead collected to hunt for patterns and changes in where and when Tim Hortons’ users picked up their coffee.
This extended the reach of the GPS tracking not just to geographic locations but to the specific types of locations, as well. Tim Hortons claimed the purpose was just to figure out whether loyal customers were frequenting rival coffee shops. But the continuous tracking led to other data compromises, like deceptions in privacy statements and inadequate protection of the aggregated data collected by the app.
Daniel Therrien, Canada’s federal privacy commissioner, was blunt about the consequences of such data intrusion, which he called a “mass invasion of privacy”: “As a society, we would not accept it if the government wanted to track our movements every few minutes of every day,” he said during a press conference with other privacy commissioners from major Canadian provinces like Quebec, Ontario, and British Columbia. “It is equally unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought.”
What Can You Do to Protect Your Data?
For most of us, smartphones have become the most important devices in our day-to-day lives. We communicate with colleagues and family members, check our calendars and email accounts, conduct financial transactions and download files, and shop for goods, all from the same device. Yet we don’t treat the data stored on our mobile devices with the same care as the information saved on our laptops, desktops, and servers.
Here’s what you can do to better protect your smartphone and extend an extra few layers of security to the information you carry around in your pocket:
1) Update your apps. Many app updates occur automatically, but plenty still require special permissions—or will only update when your phone is fully charged and connected to Wi-Fi. That makes it easy to put off an update or forget to set one in motion, even though security vulnerabilities are often addressed when new versions of popular apps are released. If this step seems intimidating or confusing, contact a trusted IT provider for advice, action plans, and smart app update strategies.
2) Only install apps from official sources. It’s critical to pay attention to where your apps come from. Only download new apps and updates for existing apps from official sources like the App Store on Androids and Apple iPhones. These stores require developers to meet certain criteria before their app can be offered for sale or download, and unreliable apps are regularly vetted and removed. Yet malicious apps can still slip through the cracks, which means that users should pay attention to the app developer’s name and read reviews of apps they might not be sure about. Bad actors will often list an app that looks or sounds similar to a popular one or try to promote suspicious add-on apps that can surreptitiously install malware into existing apps. If a developer has created other apps with suspicious names or has even one or two bad reviews, don’t install it.
3) Be careful about granting permissions. After you’ve safely and securely downloaded or updated a trustworthy app, slow down before you automatically accept all permissions related to it. Blindly allowing an app to access your device’s location, camera, microphone, contacts, or other sensitive areas of your phone could lead to trouble. If you aren’t sure about specific app permissions, check your phone’s privacy settings and manually review which app accesses which part of your phone. If anything looks unfamiliar or unsafe, deactivate that permission and immediately reach out to a trusted IT provider.
4) Delete old or unused apps from your smartphone. If you come across an old app that you haven’t used in ages, don’t just let it take up space on the second or third swipe screen of your phone as this can give hackers easy access to your device. Instead, free up your phone’s memory and clean up your home screen by deleting old or disused apps. Make a habit of checking your smartphone menu on a monthly or quarterly basis to avoid such vulnerabilities.
5) Activate multi-factor authentication (MFA) for your phone login and apps. This typically comes in the form of a one-time code that’s entered along with your usual password, a fingerprint or face login, or a Touch ID. Make sure this setting is activated under your Settings > Password & Security menu so you can prevent malware or other dangerous apps from stealing existing passwords and locking you out of certain accounts. Not sure how to implement MFA? A trusted IT provider can help.
6) Avoid unsecured public Wi-Fi networks. Many of us are working from the road this summer, increasing the chances of signing in to an unprotected public Wi-Fi network. Avoid this major issue by using a mobile hotspot (if you have good cell phone service) or logging in via a VPN (Virtual Private Network) to enhance overall cybersecurity.
If you’re worried about the threat of smartphone apps or afraid of security vulnerabilities like the Tim Hortons example cited above, contact CMIT Solutions today. We build extra layers of cybersecurity protection around our clients’ devices, striking the right balance between office efficiency and remote productivity while empowering employees to work anytime, anywhere, from any machine.