Stalking Beijing from Timbuktu: A Generic Measurement Approach for Exploiting Location-Based Social Discovery

The rise of smart phone usage has led to an increase in the number of applications that make use of the users’ locations. One popular class of such applications is location-based social discovery (LBSD), which enables users to discover others nearby and then communicate. In this paper, we show how LBSD applications can be exploited by even weak adversaries to stalk LBSD users in any city from any location in the world. We develop an automated measurement methodology–combining faking longitude and latitude locations, smart phone emulation, task automation, and optical character recognition (OCR)–that can be adapted to any LBSD service without relying on an application programming interface (API) or on reverse engineering. Although our approach is generic, we focus our study on WeChat, a popular social network. We design a scheme that can determine a discovered user’s location to a narrow region. By monitoring mid-town Manhattan for seven days, we gather location information pertaining to 1745 distinct users moving in the targeted geographical region.

Proceedings of the 4th ACM CCS Workshop on Security and Privacy in Smartphones & Mobile Devices