“Gartner Listed - mobile application security guide”

September 22, 2016

Google Play Tracking Android Users

Google Play is now constantly tracking location of its users who have their operating systems running on newer builds of Android, calling into question Android app security. Unfortunately, there is not much that can be done to stop it with Android app security testing.

According to a security researcher, Mustafa Al-Bassam, the Android phone he was using instantly popped up a message to download the McDonalds app, as soon as he entered one of McDonald’s franchises. Upon checking, he discovered that it was not possible to stop Google Maps from collecting his location. Even after deleting Google Maps, Google Play would still be checking your location in the background.

Google Play can track the movement of its users 24/7 because of features like “Nearby”, that create location awareness. Location APIs in Google Play Services allow for automated tracking of location. This means that the Google Play’s APIs are constantly tracking, and not the location APIs of Android. So if you are using a mobile with one of newer Android builds and you try to switch of Google Play’s location feature, you will get a popup warning message that the location feature will be disabled on all of the apps you have installed on your device.

Your location being tracked is perhaps not very crucial for your Android app security, but it might bother you when your every move is being observed. Would uninstalling Google Play solve this? Yes, uninstalling Google Play will ensure that you are not being tracked, but at the same time you will need to update all your apps manually. Some of the apps may stop working altogether since they may require active installation by Google Play service.

Ultimately, it seems you can either uninstall Google Maps and Google Play and face the consequences already known to you now, or turn off Google Play services location time and again. Or, if both choices are not appealing you (which they are not), then get yourself an iPhone.

Google, on the other hand, has claimed that this is not a regular feature but rather a bug which will be fixed in a few days. This still shows a massive issue with Android app security and Google says that Android users can turn off their location at any time via the settings and Android 6.0 also gives users the ability to disable the location feature of any specific application, which includes Google Maps and Google Play.

Codified Security is here to help make your mobile app secure whether it’s for iOS, Android app security testing, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.