Security-conscious smartphone users may decline apps' requests to "use your current location," but according to research conducted at the University of Illinois, doing so still doesn't mean that those users can't be tracked. This is because each phone's sensors – such as the accelerometer – have a unique "fingerprint." By identifying that fingerprint in sensor data sent from the phone, third parties could at the very least keep track of what the user is doing at what time.

As described by the university, smartphone sensors are sort of like sugar cookies made with the same dinosaur-shaped cookie cutter. Although all of the cookies may look like the same dinosaur on first glance, each one is going to have its own tiny unique imperfections. In the case of the sensors, those imperfections leave the one-of-a-kind fingerprint in the gathered data. Although that fingerprint isn't readily apparent to casual users of the data, it can be found by people who are looking for it.

The researchers arrived at their conclusion by testing 80 standalone accelerometer chips, along with the accelerometers in 25 Android phones and two tablets. They used a vibrator motor like those found in most smartphones, to vibrate all of the accelerometers. By analyzing the resulting accelerometer readings, a fingerprint was established for each unit. When those fingerprints were sought out in subsequent readings, it was possible to identify the originating device with 96 percent accuracy.

The researchers' accelerometer-testing setup

This means that conceivably, attackers could access a phone's accelerometer fingerprint simply through app functions that activate its vibrator. Even if the accelerometer were taken out of the equation, other sensors such as the camera, microphone or gyroscope likely also bear their own fingerprints. According to the researchers, by combining all of those identifiers, it would be possible to track a user with even greater accuracy.

Although actual GPS data couldn't necessarily be accessed, a user's approximate whereabouts could likely be obtained based on the sort of apps that they were identified as using – a navigation app would indicate that they were in transit, for instance, while a fitness app might suggest that they were at the gym. None of this would be a problem if raw sensor data were processed onboard the phone, with only basic information being shared. Unfortunately, however, doing so would place a large workload on the processor, and diminish the battery life.

The research was conducted by associate professor Romit Roy Choudhury and graduate students Sanorita Dey and Nirupam Roy. No particular solution has been put forth at this point, other than the suggestion that users not share sensor data with an app before considering how legitimate or secure it is.

Source: University of Illinois