Beware of find-my-phone, Wi-Fi, and Bluetooth, NSA tells mobile users

“As long as your phone is connecting to cell towers, which it has to in order to use the cell network... AFAIK that’s going to reveal your location,” Wardle, who is a security researcher at the macOS and iOS enterprise management firm Jamf, told me. “It, as always, is a tradeoff between functionality/usability and security, but basically if you use a phone, assume that you can be tracked.”

He said that recent versions of iOS make it easy to follow many of the recommendations. The first time users open an app, they get a prompt asking if they want the app to receive location data. If the user says yes, the access can only happen when the app is open. That prevents apps from collecting data in the background over extended periods of time. iOS also does a good job of randomizing MAC addresses that, when static, provide a unique identifier for each device.

More recent versions of Android also allow the same location permissions and, when running on specific hardware (which usually comes at a premium cost), also randomize MAC addresses.

Both OSes require users to manually turn off ad personalization and reset advertising IDs. In iOS, people can do this in Settings > Privacy > Advertising. The slider for Limit Ad Tracking should be turned on. Just below the slider is the Reset Advertising Identifier option. Press it and choose Reset Identifier. While in the Privacy section, users should review which apps have access to location data. Make sure as few apps as possible have access.

Change some settings

In Android 10, users can limit ad tracking and reset advertising IDs by going to Settings > Privacy and clicking Ads. Both the Reset Advertising ID and Opt Out of Ads personalization are there. To review which apps have access to location data, go to Settings > Apps & notifications > Advanced > Permission Manager > Location. Android allows apps to collect data continuously or only when in use. Allow only apps that truly require location data to have access, and then try to limit that access to only when in use.
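For someone reviewing many Android devices, the same location-permission check can be scripted. The Python below is an added example, not part of the original article: it parses text shaped like the output of `adb shell dumpsys package` and reports which apps hold location access all the time versus only while in use. The dump format shown is an assumption (it varies between Android versions), and the package names and sample text are constructed.

```python
import re

# Constructed sample resembling `adb shell dumpsys package` output.
# The layout is an assumption; package names are made up for illustration.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.maps] (a1b2c3):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.weather] (d4e5f6):
    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (0a1b2c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_FIXED ]
"""

FOREGROUND = {"android.permission.ACCESS_FINE_LOCATION",
              "android.permission.ACCESS_COARSE_LOCATION"}
# Android 10 permission behind continuous ("all the time") location access.
BACKGROUND = "android.permission.ACCESS_BACKGROUND_LOCATION"

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def audit_location_access(dump_text):
    """Return {package: 'always' | 'while-in-use'} for apps granted location."""
    granted = {}    # package -> set of granted permission names
    current = None  # package whose section is being read
    for line in dump_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true":
            granted.setdefault(current, set()).add(perm.group(1))
    report = {}
    for name, perms in granted.items():
        if perms & FOREGROUND:  # skip apps with no location grant at all
            report[name] = "always" if BACKGROUND in perms else "while-in-use"
    return report

if __name__ == "__main__":
    for name, level in sorted(audit_location_access(SAMPLE_DUMP).items()):
        print(f"{name}: {level}")
```

Apps reported as `always` are the ones to move to only-when-in-use access or to remove from the list entirely.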
