Privacy Risks of Location Tracking Explained

Your phone broadcasts your location through dozens of channels simultaneously. Most people are aware of GPS location permissions, but GPS is only one layer. This guide explains every tracking vector, who collects and monetizes the data, what gets inferred from location history, and what actually reduces exposure.

The Location Tracking Stack

GPS               → 1–3m accuracy; requires permission
Cell Tower        → 100m–10km accuracy; always active (carrier sees this)
Wi-Fi Positioning → 5–20m accuracy; active even with Wi-Fi off (MAC probes)
Bluetooth Beacons → 0.1–10m accuracy; retail/venue tracking
IP Geolocation    → City-level; every website you visit
Sensor Fusion     → Accelerometer + gyroscope + barometer infer floor level

An adversary with access to multiple data layers can triangulate your location with high precision even without GPS.

1. GPS and App Permissions

The most visible tracking vector. Apps request “Precise Location” (GPS, <3m) or “Approximate Location” (~3km). Until Android 12 / iOS 14, “while in use” permission was often silently upgraded to “always” through dark UX.

# Android: audit which apps have background location
# Settings > Location > App permissions > See all with "All the time"

# iOS: Settings > Privacy & Security > Location Services
# Audit every app showing "Always" — downgrade to "While Using"

# Android: use ADB to bulk-audit location permissions
adb shell pm list packages | while read pkg; do
  pkg=$(echo $pkg | cut -d: -f2)
  has_bg=$(adb shell dumpsys package "$pkg" 2>/dev/null \
    | grep "ACCESS_BACKGROUND_LOCATION" | grep granted=true)
  if [ -n "$has_bg" ]; then
    echo "Background location: $pkg"
  fi
done

Data collected by apps and sold to data brokers: X.Mode (rebranded Outlogic), Foursquare (Veritone), SafeGraph, and NinthDecimal aggregate GPS tracks from hundreds of apps and sell them to hedge funds, insurers, law enforcement, and political campaigns.

2. Cell Tower Tracking (IMSI and IMEI)

Your phone constantly connects to the nearest cell tower — even when in airplane mode if you don’t also disable all wireless radios. The carrier logs:

• Your IMSI (SIM card identifier) or IMEI (handset identifier)
• Which tower you connected to, with timestamp
• Call records (who you called, when, duration)

Carriers in most countries retain this data for 6–24 months and provide it to law enforcement on subpoena. In the US, carriers also historically sold this data commercially (AT&T, T-Mobile, Sprint were fined by the FCC for selling real-time location to third parties).

IMSI Catchers (Stingrays): Law enforcement devices that impersonate cell towers, forcing nearby phones to connect. This reveals your precise location and phone identifier without carrier cooperation. IMSI catchers are in widespread use by police in the US, EU, and authoritarian states.

# There is no software-only defense against IMSI catchers.
# The only effective mitigation is:
# 1. Faraday cage / signal-blocking bag when not in use
# 2. Using a secondary device with a prepaid SIM not linked to your identity
# 3. Wi-Fi calling over VPN (bypasses cell network when Wi-Fi available)

3. Wi-Fi Probe Requests

When your phone searches for known networks, it broadcasts probe requests containing your device’s MAC address and sometimes the names of previously connected networks. This happens even when you’re not connected to Wi-Fi.

Retail tracking: companies like Euclid Analytics (acquired by WeWork), Path Intelligence, and RetailNext place sensors in stores that log probe requests to track shopper movement and dwell time.

# Android 10+ and iOS 8+ randomize MAC addresses per network
# Check if randomization is enabled:
# Android: Settings > Wi-Fi > [network name] > Privacy > Use randomized MAC
# iOS: randomization is on by default for new networks

# Disable Wi-Fi when not needed (reduces probe broadcasts)
# Android: Settings > Network & internet > Wi-Fi > Wi-Fi preferences
#          Enable "Turn on Wi-Fi automatically" but use "Only for saved networks"

Limitation of MAC randomization: iOS and Android still use persistent randomized MACs per network — connecting to the same network repeatedly reveals the same random MAC, allowing tracking across visits to the same venue.

4. Bluetooth Beacons

Bluetooth Low Energy (BLE) beacons are installed in retail stores, airports, museums, and stadiums. When an app has Bluetooth permission, it can detect nearby beacons and report your presence to the app’s backend — accurate to within 1–10 meters.

Apple iBeacon and Google Eddystone are the two main protocols. Retailers use them for:

• Sending targeted push notifications when you enter a store section
• Measuring time spent near specific products
• Linking in-store behavior to loyalty card and purchase history

# Android: disable Bluetooth when not in use
# Settings > Connected devices > Bluetooth > Off

# iOS: Settings > Bluetooth > Off
# Note: fully disabling from Control Center doesn't kill background Bluetooth
# use Settings > Bluetooth for full disable

# Check which apps have Bluetooth permission:
# Android: Settings > Apps > [app] > Permissions > Nearby devices
# iOS: Settings > Privacy & Security > Bluetooth

5. IP Address Geolocation

Every connection reveals your IP address to the server. IP geolocation databases (MaxMind, IP2Location) map IPs to:

• City and approximate neighborhood (accuracy varies widely)
• ISP identity
• Organization (corporate, educational, residential)

This data is used for ad targeting, fraud detection, and — when combined with other signals — re-identification.

# Check what your IP reveals
curl -s https://ipinfo.io/json | python3 -m json.tool

# Use a VPN or Tor to replace your IP
# VPN: replaces your IP with the VPN provider's IP (trust shifts to VPN)
# Tor: routes through 3 hops; exit node IP used for geolocation

6. Location Inference from Non-Location Data

Even without explicit location permissions, apps can infer your location:

• Network time zone: reveals broad location
• Nearby Wi-Fi networks: SSID + BSSID uniquely identify a location (WiGLE.net maps them)
• Ambient pressure (barometer): combined with known weather patterns, reveals city
• Ultrasonic audio beacons: inaudible tones played by TV ads, websites, or retail stores; if your phone’s microphone picks them up, the vendor knows which ad you watched and where

# Android example: request ACCESS_WIFI_STATE to see nearby networks
# This doesn't require location permission on Android <10
# but effectively provides location via WiGLE BSSID lookup

# On Android 10+, BSSID scanning requires location permission
# On Android <10, apps could silently harvest BSSID → location data

7. Data Brokers and Location Aggregation

Location data from GPS, Wi-Fi, and cellular sources is sold to brokers who build movement profiles:

• SafeGraph: sold foot traffic data to CDC for COVID research, hedge funds for retail analytics
• Veraset: acquired by Safegraph; supplies movement data to government agencies
• X.Mode (Outlogic): supplied location data to US military contractors (documented by Motherboard/Vice, 2020)
• Near.com: claims 1.6 billion device profiles globally

Opt-out: Most data brokers have opt-out pages, but effectiveness is limited. SafeGraph opt-out: safegraph.com/opt-out. X.Mode: optout.xmode.io.

Threat-Based Mitigation Matrix

GrapheneOS and Location Privacy

GrapheneOS (Android 13+) provides the strongest software-level location privacy:

• Per-connection MAC randomization (not per-network)
• Sensors permission (allows revoking accelerometer/gyroscope from apps)
• Network permission (prevents apps from seeing Wi-Fi/BT SSIDs)
• Storage Scopes (prevents correlating files across apps)

# GrapheneOS: revoke sensor access for untrusted apps
# Settings > Apps > [app] > Sensors > Blocked

Related Reading

• Android Privacy Best Practices 2026
• Android Background Location Access Guide
• Anonymous Browsing on Mobile Devices Guide 2026

Built by theluckystrike — More at zovo.one