
Researchers from IMDEA Networks, in collaboration with Universidad Carlos III de Madrid, IMDEA Software Institute, and the University of Calgary, have conducted the first large-scale study—”Your Signal, Their Data: An Empirical Privacy Analysis of Wireless-scanning SDKs in Android”—on how certain Android mobile applications use a device’s WiFi and Bluetooth connections to track users’ movements in their daily lives, thereby violating their privacy.
The study explains how certain technologies, such as small Bluetooth-emitting devices placed in public spaces (e.g., stores or airports), can be used to determine a person’s precise location inside a building. These wireless signals, known as beacons, can be detected by apps to track users indoors, even when GPS is unavailable.
The analysis focused on 52 software development kits (SDKs), components embedded in mobile apps to provide additional functionalities. The research team examined their behavior in nearly 10,000 apps. The findings are clear: 86% of these apps collect GPS and wireless signals as a proxy for geolocation along with unique device identifiers.
The study, presented at the Privacy Enhancing Technologies Symposium conference, reveals a geolocation tracking ecosystem closely tied to advertising and tracking purposes, where many SDKs gather location data unrelated to the core functionality of the app. Potentially to extract information to build user profiles or serve targeted ads, often without users’ knowledge or consent.
As Narseo Vallina-Rodríguez, co-author of the study and researcher at IMDEA Networks, points out, “the biggest problem is that your movements and who you are with can be identified.” Some SDKs were also found to access sensitive data without requesting the necessary permissions from the Android operating system, using indirect methods to bypass restrictions.
The researchers also uncovered a technique known as ID bridging, where SDKs link different identifiers over time to maintain persistent user tracking. “By correlating wireless signals and users’ device identifiers, SDKs can stitch together user profiles across resets, effectively bypassing Android’s privacy safeguards,” explains Aniketh Girish, co-author of the study and researcher at IMDEA Networks.
To address these privacy risks, the researchers propose limiting SDK access to personal data through sandboxing techniques, conducting proactive audits of apps using wireless scanning technologies, and implementing more transparent mechanisms to inform users about what data is being collected and for what purpose.
More information:
Girish, Aniketh et al. Your Signal, Their Data: An Empirical Privacy Analysis of Wireless-scanning SDKs in Android (2025). hdl.handle.net/20.500.12761/1910
Citation:
Study reveals how mobile apps track users through WiFi and Bluetooth (2025, July 29)
retrieved 29 July 2025
from https://techxplore.com/news/2025-07-reveals-mobile-apps-track-users.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no
part may be reproduced without the written permission. The content is provided for information purposes only.
If you liked the article, do not forget to share it with your friends. Follow us on Google News too, click on the star and choose us from your favorites.
If you want to read more Like this articles, you can visit our Science category.