Disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure

Thursday, August 27th, 2020

Location data can be extremely valuable, the National Security Agency notes, and must be protected:

Using a mobile device—even powering it on—exposes location data. Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network. This means a provider can track users across a wide area. In some scenarios, such as 911 calls, this capability saves lives, whereas for personnel with location sensitivities, it may incur risks. If an adversary can influence or control the provider in some way, this location data may be compromised. Public news articles have reported that providers have been known to sell data, including near-real time location data, to third-parties [1].

Location data from a mobile device can be obtained even without provider cooperation. These devices transmit identifying information when connecting to cellular networks. Commercially available rogue base stations allow anyone in the local area to inexpensively and easily obtain real-time location data and track targets. This equipment is difficult to distinguish from legitimate equipment, and devices will automatically try to connect to it, if it is the strongest signal present [2].

Additionally, location data is stored on the mobile device. Past location information can be used to forecast future locations [3]. Other examples of risk exist: websites use browser fingerprinting to harvest location information [4], and WiFi access points and Bluetooth sensors can reveal location information [5].

A mobile device provides geolocation data as a service to apps. This is known as location services, and users can disable them in the settings of a device. Perhaps the most important thing to remember is that disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure. Disabling location services only limits access to GPS and location data by apps. It does not prevent the operating system from using location data or communicating that data to the network.

Also important to remember is that GPS is not the same as location services. Even if GPS and cellular data are unavailable, a mobile device calculates location using Wi-Fi and/or BT. Apps and websites can also use other sensor data (that does not require user permission) and web browser information to obtain or infer location information [6].

Even if cellular service is turned off on a mobile device, Wi-Fi and BT can be used to determine a user’s location. Inconspicuous equipment (e.g., wireless sniffers) can determine signal strength and calculate location, even when the user is not actively using the wireless services. Even if all wireless radios are disabled, numerous sensors on the device provide sufficient data to calculate location. Disabling BT completely may not be possible on some devices, even when a setting to disable BT exists. When communication is restored, saved information may be transmitted.

If a mobile device has been compromised, the user may no longer be able to trust the setting indicators. Detecting compromised mobile devices can be difficult or impossible; such devices may store or transmit location data even when location settings or all wireless capabilities have been disabled.


  1. Bob Sykes says:

    If you are that concerned about surveillance, leave your smart phone home, or don’t buy one in the first place. If you need to make a phone call, buy a burner, use it once, throw it away.

  2. Dave says:

    One American guy said he destroyed the Norwegian army during a war-game by running Tinder from multiple locations and trilaterating the sluts on the other side. “Inga is only 3.4km from your location!” Thanks Inga, you just got your whole platoon shelled to bits.

  3. RLVC says:

    Thank you, NSA.

    Be most concerned about private collection by third-party apps. Many third-party apps themselves include third-party frameworks, for ads and other purposes. Some of these third-party frameworks collect your location and sell it to anyone with a credit card. Some of these “anyones” include state and federal agencies, such as the IRS, which has used the so-collected whereabouts of its “suspects” to build cases against them.

    You will want to delete most of your third-party apps unless they are open-source projects backed by reputable organizations. You can find a weather forecast with a simple search if you really need one.

    Then be concerned about other forms of bulk collection, private first, then public. The Silicon Valley surveillance oligopoly are less likely to sell your information than the cellular providers, but the former know more about you and are much, much smarter. The NSA loves you and wants you to be happy.

    Then be concerned about active collection, such as by fake towers or overflying drones.

    And only then be concerned about the integrity of your device, OS-level.

    P.S. Soon you will need to be concerned about the retail chains, which are all-in on rolling out their own private AI-powered surveillance grids; these will not rely on your smartphone for their purpose.

  4. TRX says:

    “disabling location services on a mobile device does not turn off GPS”

    On Android, the “disable” sliders don’t actually disable anything; apps are free to ignore the settings if they want.

    You’ll have to search on Bing or Yandex to find many references to that; for some reason Google seems not to have noticed the pages talking about it…

  5. Kevin M. says:

    The well dressed man always has a faraday pouch handy. I favor the mos equipment line of products.

Leave a Reply