All your location are belong to us: breaking mobile social networks for automated user location tracking

Location-based social networks (LBSNs) offer friend discovery by location proximity, a feature that has attracted hundreds of millions of users worldwide. While leading LBSN providers claim that their users' location privacy is well protected, we show for the first time, through real-world attacks, that these claims do not hold. In the attacks we identify, a malicious individual with no more capability than a regular LBSN user can easily break most LBSNs by manipulating the location information fed to LBSN client apps and running them as location oracles. We further develop an automated user location tracking system and test it on leading LBSNs including WeChat, Skout, and Momo. We demonstrate its effectiveness and efficiency via a 3-week real-world experiment on 30 volunteers and show that we could geo-locate any target with high accuracy and readily recover his/her top 5 locations. Finally, we also develop a framework that explores a grid reference system and location classifications to mitigate the attacks. Our result serves as a critical security reminder about current LBSNs, which involve a vast number of users.
