There are more mobile applications than you think listening for ultrasonic beacons, and that has huge privacy implications.
That could mean more entities – companies or hackers alike – that can track a device’s location without the user’s consent.
“A recent practice embeds ultrasonic beacons in audio and tracks them using the microphone of mobile devices,” said researchers in a paper on the subject. “This side channel allows an adversary to identify a user’s current location, spy on TV viewing habits or link together different mobile devices.”
The researchers that wrote the paper are Daniel Arp, Erwin Quiring, Christian Wressnegger and Konrad Rieck from the Technische Universitat Braunschweig in Brunswick, Germany.
In all, the researchers found 234 Android applications constantly listening for ultrasonic beacons in the background.
Ultrasonic audio beacons can end up in television or web advertisements and then picked up by mobile apps that contain a receiver.
The researchers analyzed millions of Android applications submitted to the VirusTotal service, and found some that used the Shopkick and Lisnr ultrasonic audio technology.
In addition, there were others that used SilverPush SDK, which can allow developers to track users across multiple devices.
Previous research from two years ago found SilverPush’s software ended up in 6-7 apps, allowing the company to monitor 18 million smartphones, but that number continues to grow.
This could become a privacy threat, allowing media, location, and cross-device tracking, as well as website user deanonymization.
“The case of SilverPush emphasizes that the step between spying and legitimately tracking is rather small,” the researchers said in their paper.
“SilverPush and Lisnr share essential similarities in their communication protocol and signal processing. While the user is aware about Lisnr’s location tracking, SilverPush does not reveal the application names with the tracking functionality.”
With the deployment of ultrasonic tracking increasing in the wild, and still no indication that regulators will push for effective protections, it will be down to the users to protect themselves from this new encroachment on their privacy.
Android and iOS users can ensure an app isn’t allowed to use the device’s microphone.
While that permission is necessary for some apps to work as intended, there are plenty of apps out there that should not even ask for it, but yet they do.
The researchers suggested countermeasures that could be introduced in the Android platform to prevent surreptitious tracking via ultrasonic beacons like detection of implementations and improved notification.
“A more fine-grained control of the audio recording is likely the best strategy for limiting the impact of ultrasonic side channels. A combination of user notifications and a status in the pull down menu can inform the user when a recording takes place and lets her detect unwanted activities,” they said in the paper.
“At the time of writing, we are aware of 234 Silverpush Android applications that are listening in the background for inaudible beacons in TV without the user’s knowledge,” the researchers said. “Several among them have millions of downloads or are part of reputable companies, such as McDonald’s and Krispy Kreme. Our findings strengthen our concerns that the deployment of ultrasonic tracking increases in the wild and therefore needs serious attention regarding its privacy consequences.”