Researchers at the University of Washington have found a way to track a person’s location and app use by serving ads on mobile apps. The result opens the door for significant privacy invasions through the app-based advertising system.

The researchers obtained the information by purchasing a series of ads targeted to specific locations and apps, then checking which mobile subscribers fit the targeting. In experiments conducted on Android devices, the team was able to pinpoint a person’s location within eight meters through a targeted ad. They tested ads on 10 different apps, including Grindr, Imgur, Words with Friends, and Talkatone, all using widely available ad networks.

By serving ad content to a user’s apps, the ad buyers could learn what apps the user has installed. That information could be sensitive, revealing a user’s sexual orientation or religious affiliation. For instance, ads served on Grindr will tell the ad buyer that the user has Grindr installed.

Researchers could also find out when a user went to a specific place. After targeting ads to a specific location, the ad network would notify them within 10 minutes of when the user arrived.

“It was so easy to do what we did,” said Franzi Roesner, co-author of the paper and co-director of the UW Security and Privacy Research Lab. “This is an issue that the online advertising industry needs to be thinking about.”

The report points out a number of malicious ways this information could be used. A business could use the location ads to track business meetings with a venture capital firm, for instance. The app-specific information could also be extremely sensitive if applied to pregnancy trackers or dating apps.

The system works by tracking a user’s mobile advertising ID (MAID), which is meant to be secret but which researchers say is easy to discover. The IDs are often sent to ad exchanges unencrypted and can be obtained through Wi-Fi sniffing.

“Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behavior,” said author Paul Vines, a recent UW doctoral graduate.

It’s hard for users to mitigate ad targeting attacks without completely swearing off the internet and mobile apps, but it would be easier for ad networks to take action. The paper suggests ad networks reset identifiers more often and actively scan for malicious ad-buyers, although even those methods wouldn’t solve the problem completely.
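
One way an ad network could scan for the buying pattern described above, as an added example (not code from the paper or from any ad network): it flags buyers who aim several small-radius geofences at the same tiny set of advertising IDs. The campaign record fields, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed policy thresholds; a real network would tune these on its own data.
MIN_AUDIENCE = 1000     # fewer targeted MAIDs than this counts as a narrow audience
MIN_RADIUS_M = 500      # a geofence radius below this counts as a narrow location
NARROW_FENCE_LIMIT = 3  # flag at this many distinct narrow geofences per (buyer, MAID)

def is_narrow(campaign):
    """True when both the audience and the geofence are small."""
    return (len(campaign["maids"]) < MIN_AUDIENCE
            and campaign["radius_m"] < MIN_RADIUS_M)

def flag_advertisers(campaigns):
    """Return {advertiser: [(maid, distinct_narrow_geofences), ...]} for review."""
    fences = defaultdict(set)
    for c in campaigns:
        if not is_narrow(c):
            continue
        centre = (round(c["lat"], 4), round(c["lon"], 4))
        for maid in c["maids"]:
            fences[(c["advertiser"], maid)].add(centre)
    flagged = defaultdict(list)
    for (advertiser, maid), seen in sorted(fences.items()):
        if len(seen) >= NARROW_FENCE_LIMIT:
            flagged[advertiser].append((maid, len(seen)))
    return dict(flagged)

def _campaign(advertiser, maids, radius_m, lat, lon):
    # Hypothetical record layout for one purchased campaign.
    return {"advertiser": advertiser, "maids": set(maids),
            "radius_m": radius_m, "lat": lat, "lon": lon}

# Constructed sample data: acct-A follows one ID across four tight geofences,
# acct-B runs a broad campaign, acct-C has a single narrow campaign.
CAMPAIGNS = [
    _campaign("acct-A", ["maid-0001"], 8, 47.6553, -122.3035),
    _campaign("acct-A", ["maid-0001"], 8, 47.6062, -122.3321),
    _campaign("acct-A", ["maid-0001"], 10, 47.6205, -122.3493),
    _campaign("acct-A", ["maid-0001"], 8, 47.6740, -122.1215),
    _campaign("acct-B", [f"maid-{i:04d}" for i in range(5000)], 2000, 47.6062, -122.3321),
    _campaign("acct-C", ["maid-0042"], 50, 47.6097, -122.3331),
]

if __name__ == "__main__":
    for advertiser, hits in flag_advertisers(CAMPAIGNS).items():
        print(advertiser, hits)
```

A check like this only surfaces accounts for human review, which is consistent with the article's caveat that such scanning would not solve the problem completely.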