Indoor localization using device sensors: A threat to privacy

The localization techniques used in today’s smartphone are mainly based on Global Positioning System (GPS). However, GPS Sensors cannot work properly under in-door and underground locations. Therefore, many applications utilize device sensors such as accelerometer, gyrometer, and magnetometer for indoor localization. In this paper, we present a misuse case of how device sensors can be used to exploit the privacy of a user by geo-tracking. We propose an attack model through which the user location can be compromised without using the GPS sensors. The proposed attack model comprises of two stages. The first stage consists of deployment of the malicious application on the users’ smart-phones and gathering the information of various sensors in the background. The collected sensor data is uploaded to the malicious cloud server set up by the adversary. The second stage consists of pre-processing the sensor data received from the malicious cloud server and plot the user’s trajectory onto a graph in real-time. The proposed attack model is evaluated by developing two applications. The victim application tracks location, direction, and trajectory of the user without any location permission from the user. The proposed model achieves an accuracy of 98% without using special infrastructure and separate training phase. Further, we have discussed three mitigation schemes, which can be adapted by the Android developers in order to protect the user’s privacy.