Unauthorized Location Tracking
Description
Over‑permissive location access and unvetted data sharing enable precise user tracking. Apps or embedded SDKs may collect GPS data continuously, transmit it to third parties, or store it insecurely, creating privacy and regulatory risks.
Examples
Observe Location Exfiltration
Run traffic through a proxy and watch for GPS coordinates leaving the app/SDK:
mitmproxy -p 8080
# Look for payloads containing latitude/longitude while the app runs in the background
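Spotting coordinates by eye in proxied traffic is error-prone, so the following added example (not part of the original page) scans a request's query string and JSON body for latitude/longitude pairs and marks whether they are precise. The key names, the `find_coordinates` helper, the 4-decimal precision threshold and the sample requests are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

LAT_KEYS = ("lat", "latitude")
LON_KEYS = ("lon", "lng", "long", "longitude")
PRECISE_DECIMALS = 4  # assumption: 4+ decimal places (~11 m) counts as precise

def _walk(obj):
    """Yield every dict nested anywhere inside decoded JSON."""
    if isinstance(obj, dict):
        yield obj
    if isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _walk(v)

def _pair(fields):
    """Return a finding if fields hold a plausible lat/lon pair, else None."""
    low = {str(k).lower(): v for k, v in fields.items()}
    lat = next((low[k] for k in LAT_KEYS if k in low), None)
    lon = next((low[k] for k in LON_KEYS if k in low), None)
    try:
        flat, flon = float(lat), float(lon)
    except (TypeError, ValueError):
        return None
    if not (-90 <= flat <= 90 and -180 <= flon <= 180):
        return None  # out of range: not coordinates
    decimals = max(len(str(x).partition(".")[2]) for x in (lat, lon))
    return {"lat": flat, "lon": flon, "precise": decimals >= PRECISE_DECIMALS}

def find_coordinates(url, body=""):
    """Scan one request's query string and JSON body for lat/lon pairs."""
    candidates = [dict(parse_qsl(urlsplit(url).query))]
    try:
        candidates.extend(_walk(json.loads(body)))
    except (TypeError, ValueError):
        pass  # body is not JSON; only the query string is checked
    return [hit for hit in map(_pair, candidates) if hit]

# Constructed sample requests (hosts and payloads are made up for this example).
SAMPLES = [
    ("https://sdk.example/v1/events",
     '{"events": [{"loc": {"lat": 37.774929, "lng": -122.419416}}]}'),
    ("https://api.example/weather?lat=37.8&lon=-122.4", ""),
    ("https://api.example/login", '{"user": "a", "long": "session-token"}'),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, find_coordinates(url, body))
```

Precise hits sent to third-party hosts while the app is backgrounded are the ones to compare against the app's declared purposes and consent state.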
Static Review of Permission Usage (Android)
apktool d app-release.apk -o app-src
rg -n "ACCESS_FINE_LOCATION|ACCESS_BACKGROUND_LOCATION" app-src/AndroidManifest.xml
Remediation
- Least privilege and purpose limitation
  - Request coarse/foreground‑only access unless essential; disclose precise purposes.
- Consent and transparency
  - Implement clear opt‑in/opt‑out flows; log consent state and honour platform privacy controls.
- Minimise and protect data
  - Aggregate/anonymise where possible; encrypt in transit and at rest; enforce retention caps and deletion.