Why We Defused Location Tracking by Google on Renati OS

ChatMail   |   Aug 15, 2023

image by Myntex Inc.

Why We Defused Location Tracking by Google on Renati OS

Discover the truth behind the Fused Location Provider (FLP) Application Programming Interface (API) and how Renati is rewriting the rules for mobile security. Your data deserves a fortress, not a leaky faucet. Dive in to learn more about why this impacts millions of Android users.

FLP has a seemingly innocent purpose. The API was built to pinpoint your location for better performance from things like Google Maps and Play Store apps. However, the data collected can threaten users' privacy and security. This is why we made a bold decision to remove its’ functionality on our new mobile operating system, Renati.

The Android™ developer's website says, “The Fused Location Provider is a location API in Google Play services that intelligently combines different signals to provide the location information that your app needs.” It was designed to combine various location signals like GPS, Wi-Fi, and cellular networks to provide a more accurate and continuous location tracking service. Its accuracy depends on the GPS signal strength and the cellular or Wi-Fi network quality at any given moment.

Google’s FLP creates real-time tracking and monitoring for apps. If you use your phone to order an Uber, you get to see how close your ride is through this service. So, it has its benefits for users. But you may be surprised to uncover the lesser-known aspects of this embedded service.

What type of data does FLP provide?

Last Known Location of the user's device is regularly stored on the device and shared with third party systems.

Location Settings are handled through the fused locations API to choose the best source to collect the data from to report to apps requesting it. Android notes, “Rather than directly enabling services such as the device's GPS, your app specifies the required level of accuracy/power consumption and desired update interval, and the device automatically makes the appropriate changes to system settings.”

This level of location data harvesting can lead to privacy violations and targeted advertising. In November 2022, Google “…agreed to a record $391.5 million to settlement with 40 states for allegedly misleading consumers over its location tracking practices.”

Similarly, Location Updates obtains data at set intervals, exposing things like the direction you are travelling in, what speed or even altitude. Surveillance apps and spyware would use this type of information.

Reporter Zack Whittaker wrote a story on the 2023 hacking of an app called LetMeSpy. After reviewing the leaked stalkerware data from years of victims TechCrunch found “over 13,400 location data points for several thousand victims.” If this data gets into the wrong hands when it is released on the dark web with all manner of personally identifiable data, it could result in further physical criminal attacks.

As you can see, the continuous collection of location data by Google Play through the Fused Location Provider can be exploited by malicious actors or even inadvertently expose you to unauthorized parties. The constant tracking of a user's whereabouts could lead to potential stalking, harassment, or targeted attacks, severely compromising personal safety and privacy.

App Developers Ignore the Terms of Privacy Laws When Collecting Location Tracking

Mobile phone apps allow companies to track your activity all day long. Governments also make use of valuable location data gleaned from your phone. Businesses are being warned about the implications of collecting and sharing customer data. With many regulations in place to safeguard personal data, such as the GDPR, there is a need to be compliant or face strict penalties.

Sometimes, geolocation data is sold to third parties without malintent. However, if the users are not informed of the true nature of the data collection it can put the company in legal jeopardy. Hiding the intent in the Privacy Policy or Privacy Settings - which most app users don’t bother to read - isn’t acceptable in some jurisdictions, like Los Angeles. The city filed a claim against the Weather Channel because the app profited from location data collected from the users of its app.

Over the years the Weather Channel’s app mined data was collected from some 45 million users. The City’s Attorneys sought damages of $2,500 per violation along with an injunction for the alleged unfair business practices to be stopped. The complaint noted the app misleadingly suggests that such data will be used only to provide users with “personalized local weather data, alerts and forecasts.”

Location Threats Eliminated: A New Era of Mobile Privacy is Here

There is no need to take a risk by having the whereabouts of your business meetings tracked and monitoring your privacy. We've jammed the mechanism used to report data to the fused location provider. We also removed emergency location services, USB data port connectivity, and Bluetooth location-tracking vulnerabilities. Compliance with evolving privacy regulations is a top priority, as we put our customers' data protection above all else.

Renati removes location services at four separate layers

By removing the risks associated with the FLP API, the security of ChatMail on Renati is fortified, significantly reducing attack surfaces and threat vectors.

Your communications and data remain truly private and secure with ChatMail on Renati.

Learn more at renatimobile.com