How Mobile App Location Tracking Puts Executives and Enterprises at Risk

The Real-Time Location Tracking Threat

Mobile apps quietly collect vast volumes of location data unbeknownst to users. While location tracking enhances functionality of many mobile apps, this data can be exploited and exposes individuals and enterprises to serious risk. From stalking to real-time tracking and surveillance, data misuse can lead to physical harm and even threaten corporate and national security. Leaders must ensure the mobile apps their organizations produce and deploy protect user safety as part of their mobile app risk management strategy.

How Location Data Jeopardizes Safety

Many mobile apps leak geolocation data, enabling real-time tracking of users. This not only violates privacy and regulatory compliance requirements, but also puts people at risk of stalking, harassment or physical harm. For executives and high-profile individuals, such leaks can pose serious operational security threats.

• Personal Safety Risks: Unauthorized access to real-time location data makes users vulnerable to tracking that could compromise their privacy and civil liberties and subject them to physical threats. The combination of mobile apps and advertising network data empowers bad actors to surveil high-risk targets such as courtrooms, mosques, synagogues and reproductive health centers. 
• Corporate & Executive Security: The recent targeted shooting of an insurance executive led to corporations increasing physical security to protect senior leaders, particularly in industries such as healthcare and finance. Experts urged C-suite leaders to minimize their digital footprints and beef up cybersecurity to keep themselves safe from stalking and targeting.
• Military & Government Exposure: Revealing sensitive details such as location can jeopardize operational security and put officials and troops in harm’s way. Use of a popular fitness tracking app recently enabled researchers to track the movements of protective details for world leaders. Mobile app location tracking data has also revealed sensitive U.S. military locations around the globe and exposed a top-secret nuclear submarine base in France.

Several high-profile cases highlight the safety risks of mobile app location data being exploited for surveillance.

Real-World Incidents of Location Data Exposure

Several high-profile cases highlight the safety risks of mobile app location data being exploited for surveillance. 

• Gravy Analytics: The Gravy Analytics breach revealed that thousands of Android and iOS mobile apps, including Flightradar24, Grindr, Moovit, Muslim Pro and Tinder, facilitated the collection of sensitive user location data that compromises their privacy. Unchecked software development kits can expose app makers and their users to serious risks, including potential safety threats from geolocation and surveillance data.
• AngelSense: The assistive technology app maker for people with special needs exposed a database that revealed GPS coordinates of users being tracked along with information about their movement such as speed and steps per minute.
• Android crypto apps: Researchers analyzed 51 top Android crypto apps and uncovered alarming security and privacy concerns stemming from collection of sensitive data that can paint an intimate picture of behavior, habits and preferences and sometimes revealed location. 
• X-Mode Social: The Federal Trade Commission in 2024 acted against the SDK maker for tracking mobile app users’ visits to sensitive locations such as family planning centers, religious institutions, union offices, schools, shelters for domestic violence survivors and immigrant services. 
• Untappd: In 2020, vulnerabilities within the beer rating mobile app Untappd allowed security experts to track the movements of military and intelligence personnel. The mobile app enabled them to steal sensitive photos with private government information and even revealed a secret CIA base.
• AcuWeather: In 2017, security researchers found the popular weather app was sharing location data with a third-party monetization firm even when users turned off the location sharing setting.

How Location Data Enables Surveillance

The combination of geolocation tracking and advertising SDKs creates a mass surveillance risk:

• Advertising Networks & Surveillance: When an app includes location permissions and advertising SDKs, data brokers and third parties can access users’ movements and behavior.
• Targeting High-Risk Locations: Threat actors can surveil sensitive sites such as courtrooms, religious sites, women’s health clinics and corporate offices, increasing risks for individuals and organizations.

Steps to Protect Your Organization

To mitigate the safety risks associated with mobile apps, leaders must be aware of location tracking features in the apps their organizations build for employees and customers and the ones they permit their workforce to install on company-provided mobile devices. 

They should ensure mobile app development teams scrutinize the third-party components and SDKs they embed in apps and follow both app store and regulatory compliance guidelines to prevent unauthorized data collection. 

To effectively protect their mobile app ecosystems, forward-thinking leaders must implement comprehensive Mobile App Risk Management (MARM) programs. A robust MARM strategy should integrate key security measures, including:

• Assess Third-Party Mobile Apps: Leverage NowSecure Mobile App Risk Intelligence (MARI) to evaluate and mitigate risks from third-party apps used within your organization.
• Automate Security Testing for In-House Apps: Ensure secure development with NowSecure Platform continuous mobile application security testing for the apps your organization builds.
• Embrace Industry Standards: Test Android and iOS mobile apps to the OWASP Mobile Application Security Verification Standard (MASVS) set of security requirements. 
• Achieve Android App Compliance & Trust: Gain App Defense Alliance Mobile Application Security Assessment (MASA) validation to certify that your Android apps meet Google Play data safety requirements and transparently disclose data handling practices.
• Conduct Advanced Testing for High-Risk Apps: Strengthen app security with progressive testing, including penetration testing via NowSecure Workstation for in-house teams or NowSecure Mobile Pen Testing as a Service (PTaaS) for expert-led evaluations.

By embedding these critical security functions into a holistic MARM program, organizations can proactively defend against mobile threats, ensure compliance and protect users’ sensitive data with confidence.

Reach out today to learn more about how to partner with NowSecure to build or improve a mobile app risk management program.