SCRUFF CEO Explains The Security ‘Flaw’ Built Into All Location-Aware Apps

SCRUFF CEO Eric Silverberg took to The Huffington Post to give the internet a brief, but insightful, lesson in “trilateration,” the process through which a person’s specific location can be pinpointed with a few bits of information and a little bit of know-how.

“The most important thing you should know about location-based apps is this: Any app that shows relative distance between members can be used to pinpoint your location,” he explains. “While there are measures we have taken to protect our community, it's critical that all users understand the benefits and limitations intrinsic to location-based apps.”

All mobile social networking apps with geo-location functionality can approximate a user’s general location, Silverberg explains, but a basic understanding of geometry can easily reveal a user’s position even after deciding to turn off detailed GPS tracking features:

“If I know you are 1 mile away from me, but I don't know which direction, then the circumference of a circle, centered at my location, defines the set of possible places you could be. If I simply move to two other places and record your relative distance, with those three readings I can calculate your location.”

According to Silverberg, SCRUFF has attempted to circumvent some of the security “flaws” inherent in all location-aware services by randomizing users’ location data on SCRUFF’s backend. Every phone or tablet using the SCRUFF app sends its location information back to the app’s servers so that other users can request it upon tapping a profile. For those users who choose to have their locations hidden from the general public, SCRUFF will go so far as to spoof where a person actually is.

“This means that, if [a user] lives in the West Village in NYC, he could potentially appear in between two people in SoHo,” said Silverberg. “[We also] take density into account, so if you live in the city, your location will be randomized by a few blocks, but in the country it could be a few miles or more.”
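To make the geometry and the countermeasure above concrete, here is an added example (my own code, not SCRUFF’s) that solves the three-reading problem on a flat plane in metres and then measures how far off the answer is when the backend serves distances to a randomised decoy point instead of the true position. The decoy model (one uniform random offset within a fixed radius) is an assumption, since the article does not say how SCRUFF draws it.

```python
import math
import random


def trilaterate(p1, r1, p2, r2, p3, r3):
    """Recover (x, y) from three observer positions and the distance reported from each.
    Subtracting the circle equations pairwise leaves two linear equations in x and y."""
    x1, y1 = p1
    x2, y2 = p2
    x3, y3 = p3
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        # Three collinear readings leave a mirror-image ambiguity; no unique solution.
        raise ValueError("observer positions are collinear; take the third reading off the line")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def readings_for(position, observers):
    """Distances a backend would report from each observer to the given position."""
    return [(obs, distance(obs, position)) for obs in observers]


def spoofed_position(true_pos, radius_m, rng):
    """Assumed model of the countermeasure: a decoy point drawn uniformly inside a disc
    of the given radius around the member's true position (sqrt keeps density uniform)."""
    angle = rng.uniform(0.0, 2.0 * math.pi)
    dist = radius_m * math.sqrt(rng.random())
    return (true_pos[0] + dist * math.cos(angle), true_pos[1] + dist * math.sin(angle))


def trilateration_error(true_pos, observers, radius_m, seed=1):
    """Three readings taken against the decoy; returns metres between the trilaterated
    point and the member's real position. With exact readings this equals the offset,
    so the randomisation radius is the bound on what the decoy buys."""
    rng = random.Random(seed)
    decoy = spoofed_position(true_pos, radius_m, rng)
    (p1, r1), (p2, r2), (p3, r3) = readings_for(decoy, observers)
    return distance(trilaterate(p1, r1, p2, r2, p3, r3), true_pos)


if __name__ == "__main__":
    # Constructed sample: member at (300, 400) m, three readings from a 1 km triangle.
    obs = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
    print("no randomisation:", trilateration_error((300.0, 400.0), obs, 0.0))
    print("400 m radius:", trilateration_error((300.0, 400.0), obs, 400.0))
```

The density-aware radius the article describes maps directly onto `radius_m`: a few blocks in a city, a few miles in the country.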

Comments

  1. Bill says

    He oversimplified it. If you measure distances to a person from several locations simultaneously, you can locate the person. If the person is moving and you make the measurements at different times, you introduce an error, and the error can be very large even if the person does not move very far.

    For example, suppose you and a ‘trackee’ both move a short distance L in the same direction. At each time, their reported separation will be ‘D’. If you intersect those two circles, you get two possible locations, both on a line that goes through the midpoint between your two locations and perpendicular to the line connecting your locations. If a third measurement puts the trackee along a circle going through one of those two points, you will end up with a location for the trackee that may be far from where he/she actually is.

    This can be even worse than being tracked – it can lead to false accusations about where a person is, and that could be very difficult to refute.

  2. BrokebackBob says

    All you have to do is find out if your phone is really OFF when you turn it off. You have a right to know this from the service provider and the manufacturer. If it is really off then it is NOT receiving or sending data of any kind to the cell tower. If your phone is off and it is really off, you cannot be tracked.
    However, if your phone is actually still sending or receiving data of any kind while it is off (like a ping) then depending on how the geo-location software works, it could be providing that info to just the cell tower or actually all the way to an application server that is talking to a background application on the phone noting where you are at any given moment. Find out if you have to explicitly turn ON the geo-location software’s transmission to get it to start tracking you or if the phone only keeps in touch with a cell tower and nothing else when that app is not running.

  3. says

    I am glad that the CEO of Scruff has been able to teach us the BASIC fundamentals of geometry. How people have earned high school diplomas and were not aware of triangulation baffles me. How do folks think satellites work? The space people threw a satellite up in the sky and it just knows? *facepalm* – but this explains why scruff distances always seem to be ‘off’.

  4. Bill says

    @Drewboo: what was less obvious was that you could send requests in which you specified your location as being different than it actually is – you have to know something about the format used for messages between a phone and a server.

    While you can triangulate by having three people at separate locations measure their distances to some guy (walking around instead is accurate only if the target is stationary), the pain-in-the-neck factor discourages using multiple individuals.

    BTW, GPS (I assume that is what your reference to satellites refers to) needs a minimum of 4 satellites to get a position without the use of very expensive hardware. The satellites send their position and the current time. The time difference between the time in a message and the time you receive it gives the satellite’s distance from you, since you know the speed of light (slightly lower in air than in a vacuum, but that doesn’t affect things too much in this case). The problem is that the clock in your receiver is not very accurate (the speed of light is about a foot per nanosecond) so a microsecond error puts your distance off by 1000 feet. You need four satellites because you have to solve the equations for both your position (x, y, z) and the time offset for your clock.
