Using only data that can be legally collected by an app developer without the consent of a cellphone’s owner, researchers have been able to produce a privacy attack that can accurately pinpoint a user’s location and trajectory without accessing the device’s Global Position System—GPS. And while the ramifications of this ability falling into the wrong hands are distressing, the way in which they pulled it off is nothing short of genius.
In fact, all you really need is your phone’s internal compass, an air pressure reading, a few free-to-download maps, and a weather report.

Your cellphone comes equipped with an amazing array of compact sensors that are more or less collecting information about your environment at all time. An accelerometer can tell how fast you’re moving; a magnetometer can detect your orientation in relation to true north; and a barometer can measure the air pressure in your surrounding environment. You phone also freely offers up a slew of non-sensory data such as your device’s IP address, timezone, and network status (whether you’re connected to Wi-Fi or a cellular network.)

All of this data can be accessed by any app you download without the type of permissions required to access your contact lists, photos, or GPS. Combined with publicly available information, such as weather reports, airport specification databases, and transport timetables, this data is enough to accurately pinpoint your location—regardless of whether you’re walking, traveling by plane, train, or automobile.
To track a user, you first need to determine what kind of activity they’re performing. It’s easy enough to tell if a person is walking versus riding in a car, speed being the discriminant factor; but also, when you’re walking you tend to move in one direction, while your phone is held in a variety of different positions. In a car, you make sudden stops (when you brake) and specific types of turns—around 90 degrees—that can be detected using your phone’s magnetometer. People who travel by plane will rapidly change time zones; the air pressure on a plane also changes erratically, which can be detected by a cellphone’s barometer. When you ride a train, you tend to accelerate in a direction that doesn’t significantly change. In other words, determining your mode of travel is relatively simple.

The fact that your cellphone offers up your time zone as well as the last IP address you were connected to really narrows things down—geolocating IP addresses is very easy to do and can at least reveal the last city you were in—but to determine your exact location, with GPS-like precision, a wealth of publicly-available data is needed. To estimate your elevation—i.e., how far you are above sea level—PinMe gathers air pressure data provided freely by the Weather Channel and compares it to the reading on your cellphone’s barometer. Google Maps and open-source data offered by US Geological Survey Maps also provide comprehensive data regarding changes in elevation across the Earth’s surface. And we’re talking about minor differences in elevation from one street corner to the next.

Upon detecting a user’s activity (flying, walking, etc.) the PinMe app uses one of four algorithms to begin estimating a user’s location, narrowing down the possibilities until its error rate drops to zero, according to the peer-reviewed research. Let’s say, the app decides you’re traveling by car. It knows your elevation, it knows your timezone, and if you haven’t left the city you’re in since you last connected to Wi-Fi, you’re pretty much borked.

With access to publicly available maps and weather reports, and a phone’s barometer and magnetometer (which provides a heading), it’s only a matter of turns. When PinMe detected one of the researchers driving in Philadelphia during a test-run, for example, the researcher only had to make 12 turns before the app knew exactly where they were in the city. With each turn, the number of possible locations of the vehicles dwindles. “[A]s the number of turns increases, PinMe collects more information about the user’s environment, and as a result it is more likely to find a unique driving path on the map,” the researchers wrote.

Source: How to Track a Cellphone Without GPS—or Consent