Researchers from IMDEA Networks, in collaboration with Universidad Carlos III de Madrid, IMDEA Software Institute, and the University of Calgary, have conducted the first large-scale study — “Your Signal, Their Data: An Empirical Privacy Analysis of Wireless-scanning SDKs in Android” — on how certain Android mobile applications use a device’s WiFi and Bluetooth connections to track users’ movements in their daily lives, thereby violating their privacy.
The study explains how certain technologies, such as small Bluetooth-emitting devices placed in public spaces (e.g., stores or airports), can be used to determine a person’s precise location inside a building. These wireless signals, known as beacons, can be detected by apps to track users indoors, even when GPS is unavailable.
The analysis focused on 52 software development kits (SDKs), components embedded in mobile apps to provide additional functionalities. The research team examined their behavior in nearly 10,000 apps. The findings are clear: 86% of these apps collect at least one sensitive signal—like GPS, wireless metadata, or a unique identifier.
The study, presented at the prestigious PETS conference, reveals a geolocation tracking ecosystem closely tied to advertising and tracking purposes, where many SDKs gather location data unrelated to the core functionality of the app, potentially to extract information to build user profiles or serve targeted ads, often without users’ knowledge or consent. As Narseo Vallina-Rodríguez, co-author of the study and researcher at IMDEA Networks, points out, “the biggest problem is that your movements and who you are with can be identified.” Some SDKs were also found to access sensitive data without requesting the necessary permissions from the Android operating system, using indirect methods to bypass restrictions.
The researchers also uncovered a technique known as ID bridging, where SDKs link different identifiers over time to maintain persistent user tracking. “By correlating wireless signals and users’ device identifiers, SDKs can stitch together user profiles across resets, effectively bypassing Android’s privacy safeguards,” explains Aniketh Girish, co-author of the study and researcher at IMDEA Networks.
To address these privacy risks, the researchers propose limiting SDK access to personal data through sandboxing techniques, conducting proactive audits of apps using wireless scanning technologies, and implementing more transparent mechanisms to inform users about what data is being collected and for what purpose.
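As an added illustration (not code from the study or its authors), the following sketch shows how an app audit could flag ID bridging in decoded SDK traffic: it reports SDKs that send a resettable advertising ID together with persistent or wireless-derived values, and marks cases where one such value is seen with more than one advertising ID. The SDK names, hosts, field names and the field classification are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

# Constructed sample: outbound SDK transmissions as an auditor might decode
# them from intercepted app traffic. All names and values are hypothetical.
FLOWS = [
    {"sdk": "sdk_a", "host": "collect.example",
     "fields": {"aaid": "aaid-1111", "wifi_bssid": "02:00:00:aa:bb:01"}},
    {"sdk": "sdk_a", "host": "collect.example",   # same access point, ad ID was reset
     "fields": {"aaid": "aaid-2222", "wifi_bssid": "02:00:00:aa:bb:01"}},
    {"sdk": "sdk_b", "host": "ads.example", "fields": {"aaid": "aaid-1111"}},
    {"sdk": "sdk_c", "host": "loc.example",
     "fields": {"aaid": "aaid-3333", "android_id": "a1b2c3", "ble_beacon": "beacon-17"}},
    {"sdk": "sdk_c", "host": "loc.example",
     "fields": {"aaid": "aaid-3333", "android_id": "a1b2c3", "ble_beacon": "beacon-42"}},
]

# Assumed classification of payload fields for this audit.
RESETTABLE = {"aaid"}                               # user can reset this ID
PERSISTENT = {"android_id", "wifi_mac"}             # survives an ad-ID reset
WIRELESS = {"wifi_bssid", "wifi_ssid", "ble_beacon"}  # scan results


def audit(flows):
    """Return per-SDK findings: fields co-sent with an ad ID, and bridged values."""
    co_sent = defaultdict(set)
    seen = defaultdict(set)  # (sdk, field, value) -> ad IDs observed alongside it
    for flow in flows:
        fields = flow["fields"]
        ad_ids = {fields[k] for k in RESETTABLE if k in fields}
        stable = {k: v for k, v in fields.items() if k in PERSISTENT | WIRELESS}
        if not ad_ids or not stable:
            continue  # nothing in this flow that could link identities
        co_sent[flow["sdk"]].update(stable)
        for k, v in stable.items():
            seen[(flow["sdk"], k, v)].update(ad_ids)
    report = {}
    for sdk, names in co_sent.items():
        # A stable value seen with more than one ad ID links profiles across a reset.
        bridged = sorted((k, v, sorted(ids)) for (s, k, v), ids in seen.items()
                         if s == sdk and len(ids) > 1)
        report[sdk] = {"co_sent": sorted(names), "bridged": bridged}
    return report


if __name__ == "__main__":
    for sdk, finding in audit(FLOWS).items():
        print(sdk, finding)
```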