NSA Warns iPhone And Android Users—Disable Location Tracking

www.forbes.com - Zak Doffman

Updated on January 15 with confirmation of U.S. government action against the company responsible for leaking the location data of millions of Americans.

Our phones know where we are and they know where we have been—the problem is they have a nasty habit of sharing that information with others. And the latest location tracking nightmare to hit phone users shows the threat remains, despite new protections built into our iPhone and Android devices. NSA has warned users how to stop this secretive tracking—and you need to make this change now.

As first reported by 404media, hackers have compromised location aggregator Gravy Analytics, stealing “customer lists, information on the broader industry, and even location data harvested from smartphones which show peoples’ precise movements.” This has dumped a trove of sensitive data into the public domain.

This data is harvested from apps rather than the phones themselves. As EFF explains, “each time you see a targeted ad, your personal information is exposed to thousands of advertisers and data brokers through a process called ‘real-time bidding’ (RTB). This process does more than deliver ads—it fuels government surveillance, poses national security risks, and gives data brokers easy access to your online activity. RTB might be the most privacy-invasive surveillance system that you’ve never heard of.”

This particular leak has spawned various lists of apps, allegedly “hijacked to spy on your location.” As Wired reports, these include “dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24.... religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.”

Gravy Analytics parent Unacast isn’t commenting, other than to “acknowledge the breach, saying that its ‘investigation remains ongoing’.”

NSA warns that “mobile devices store and share device geolocation data by design…Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”

And this warning was echoed by security researcher Baptiste Robert in the wake of the Gravy Analytics leak. “The samples,” he posted on X, “include tens of millions of location data points worldwide. They cover sensitive locations like the White House, Kremlin, Vatican, military bases, and more,” adding that “this isn’t your typical data leak, it’s a national security threat. By mapping military locations in Russia alongside the location data, I identified military personnel in seconds.”

NSA’s warning comes by way of an advisory it last updated in 2000. But it’s still live and it’s clearly still relevant. As the agency says, “different users accept different levels of risk regarding location tracking, but most users have some level of concern.”

Its more extreme mitigations for those with more extreme concerns include fully disabling location services settings, and turning off cellular radios and WiFi networks when not in use. Clearly for almost all users this goes too far. But NSA also tells users to do the following, recommendations you should absolutely follow now:

  1. “Apps should be given as few permissions as possible: Set privacy settings to ensure apps are not using or sharing location data… Location settings for such apps should be set to either not allow location data usage or, at most, allow location data usage only while using the app.
  2. Disable advertising permissions to the greatest extent possible: Set privacy settings to limit ad tracking… Reset the advertising ID for the device on a regular basis. At a minimum, this should be on a weekly basis.”

This second point is critical and was echoed by Robert following the Gravy Analytics leak. Apple users are protected by the iPhone’s “Allow Apps to Track” setting, which should be disabled. Android users need to delete/reset the advertising ID.

As Apple explains, “App Tracking Transparency allows you to choose whether an app can track your activity across other companies’ apps and websites for the purposes of advertising or sharing with data brokers… If you turn off ‘Allow Apps to Request to Track’ in Privacy & Security settings, you won't get prompts from apps that want to track your activity. Each app that asks for permission to track while this setting is turned off will be treated as if you tapped Ask App Not to Track.” Apple adds that “if you choose Ask App Not to Track, the app developer can’t access the system advertising identifier (IDFA), which is often used to track. The app is also not permitted to track your activity using other information that identifies you or your device, like your email address.”

Google, meanwhile, explains that “the advertising ID will be removed when a user deletes their advertising ID in Android Settings. Any attempts to access the identifier will receive a string of zeros instead of the identifier.” That said, Google also warns that while “your advertising ID will be deleted, apps may have their own settings, which can also affect the types of ads you see.”

NSA warns that apps, “even when installed using the approved app store, may collect, aggregate, and transmit information that exposes a user’s location. Many apps request permission for location and other resources that are not needed for the function of the app. Users with location concerns should be extremely careful about sharing information on social media.”

Thankfully this is one area where users have much more control now than in prior years. On both iPhone and Android, you can easily check which apps are tracking your location or accessing sensitive phone functions. You should check this regularly and disable permissions for anything that causes you any concerns.

“While it may not always be possible to completely prevent the exposure of location information,” NSA says, “it is possible—through careful configuration and use—to reduce the amount of location data shared. Awareness of the ways in which such information is available is the first step.”

NSA also points out that it’s not just your smartphone you need to worry about. “Anything that sends and receives wireless signals has location risks similar to mobile devices,” it warns. “This includes, but is not limited to, fitness trackers, smart watches, smart medical devices, Internet of Things (IoT) devices, and built-in vehicle communications… Geolocation information contained in data automatically synced to cloud accounts could also present a risk of location data exposure if the accounts or the servers where the accounts are located are compromised.”

There are echoes of this kind of sensitivity in the confirmation from the U.S. Federal Trade Commission that it has “finalized [an] order prohibiting Gravy Analytics, Venntel from selling sensitive location data.” The FTC described some of this as “unlawful,” specifying “tracking and selling sensitive location data from users, including data about consumers’ visits to health-related locations and places of worship.”

The order, the FTC says, means the companies will be “prohibited from selling, disclosing, or using sensitive location data,” except, it says, “in limited circumstances involving national security or law enforcement.” Which has some interesting parallels with the NSA’s own advice, given the nature of its work.

The specifics of the complaint relate to geofencing sensitive locations, “to identify and sell lists of consumers who visited healthcare facilities and places of worship and sold additional lists that associate individual consumers to other sensitive characteristics.”

While this isn’t directly linked to the breach, it does go to show just how powerful and potentially dangerous locational data can be when it’s collected in certain ways and from certain places, and the likely inferencing possible from the datasets.

I have reached out to Unacast for any comments on the FTC’s action.
