How can we identify and/or spoof cell triangulation trackers on Android?

Probably nobody knows anything about this, least of all me, so it's OK if
this thread has nobody adding any value but me (that's normal for Usenet).

However, given Usenet is a team sport, someone might know the answers.
For example, we recently learned a lot from Jeff Layman over here:
*Fused.location*, by Jeff Layman (Jan 24, 2022)
<https://groups.google.com/g/comp.mobile.android/c/n5U6mJHr6oM>

So maybe someone knows more than I do about cellular triangulation spoofing.
*Fighting unconstitutional stingray surveillance tracking innocent people*
<https://www.computerworld.com/article/2473483/fighting-unconstitutional-stingray-phone-surveillance-that-tracks-innocent-people.html>

The background is that they can track us by a variety of methods:
(but most of them are easily disabled or spoofed on Android)
a. GPS is easily spoofed
b. Wi-Fi can easily be set to _not_ report _any_ nearby access points
c. Cellular geolocation is highly unlikely by apps
d. IP Address geolocation isn't accurate & won't be accurate with VPN
e. Bluetooth is easily disabled (e.g., bluetooth beacons)
f. Camera's are hard to avoid though (but they can be found by IR)
g. What other location tracking methods exist?

This question is about identifying and/or spoofing cellular triangulation.
*Accuracy Characterization of Cell Tower Localization*
<https://www.researchgate.net/publication/221568410_Accuracy_Characterization_of_Cell_Tower_Localization>
"Cell tower triangulation methods require the knowledge of
the actual location of cell towers. Because the locations
of cell towers are not publicly available, these methods
often need to use estimated locations obtained through
wardriving. The results show that naively applying these
methods results in very large localization errors."

Do you know of any free Android apps that _detect_ fake cell towers?
*17 fake cell towers discovered in one month*
<https://www.computerworld.com/article/2600348/are-your-calls-being-intercepted-17-fake-cell-towers-discovered-in-one-month.html>

Do you know of any free Android cell tower triangulation spoofing apps?

Andy Burnelli wrote:

> The background is that they can track us by a variety of methods:
> (but most of them are easily disabled or spoofed on Android)
> a. GPS is easily spoofed
> b. Wi-Fi can easily be set to_not_ report_any_ nearby access points

can it? even with wifi "off" the phone can still use the radios for location,
rather than for communication, there used to be a setting to make "off" mean
"really off" but I can no longer see it, and why should you trust it?

> c. Cellular geolocation is highly unlikely by apps

true but "they" can do it from the network side.

On Fri, 11 Feb 2022 09:07:17 +0000, Andy Burns wrote:

>> b. Wi-Fi can easily be set to_not_ report_any_ nearby access points
>
> can it?

Hi Andy,

I hadn't expected anyone to even comprehend the topic, let alone ask
questions, although your question isn't about the cellular tower tracking.

As for Wi-Fi tracking, I believe the answer is yes, and, better yet, I
believe I have personally implemented that "Yes" (much unlike a nospam yes).

> even with wifi "off" the phone can still use the radios for location,
> rather than for communication, there used to be a setting to make "off" mean
> "really off" but I can no longer see it, and why should you trust it?

I believe I turned off wi-fi tracking on my phone, but what you & I mean by
wi-fi tracking may or may not be the same thing since it's multiple steps.

Bear in mind that you're probably not even thinking of some of the things
I've disabled already, such as having my own phone not shout out all the
hidden AP's that are set inside of it when I'm away from home (which is no
small feat as you have to understand the process to understand that fix).

I suspect you are aware there are _hidden_ uploads of wifi information, incl
a. The time of day on the phone;
b. the location of the phone (usually via gps but maybe not always);
c. the signal strength of all visible access points (i.e., not hidden);
d. the bssid of those visible (not hidden) access points;
e. the ssid of those visible (not hidden) access points;
f. And some other information which is stored up the uploading log.

If you're asking about that, I have taken steps to turn all that off, Andy.
Is _that_ what you're asking about?

Because I've also set up my home access points not only with _nomap (which
doesn't do anything with respect to uploads) but also to be "hidden" (which,
as we all know, isn't for security but for privacy since they're ignored).

BTW, long ago, Google was caught uploading that information even if you had
it turned off, but Google said that was a bug which they long ago fixed.

Also they used to collect all visible access points (again, not hidden) via
the Google Electronics Car but they also said they stopped that practice.

>> c. Cellular geolocation is highly unlikely by apps
>
> true but "they" can do it from the network side.

Well, maybe it's not true. I don't know.
It was when nospam claimed it was likely that I opened this thread.

I don't care if it's likely or not, nor do I care if nospam is wrong (he
almost always is wrong); but I do care about learning about privacy.

In the PDF I posted (see URL in sig), the abstract says these 5 things:
a. To triangulate cell towers, you need an accurate cell tower location
b. There is no accurate cell tower location lookup available to the public
c. However, wardriving data allows an "estimate" of cell tower locations
d. If you're not careful, wardriving methods are highly inaccurate
e. But if you're careful, and if you limit the scope, they can be accurate

Notice it's a chicken-and-the-egg scenario.
You need cell tower locations in order to use them to triangulate location.

The authors found that the public sources of cell tower locations sucked.
They found that even AP location errors were on the order of 40 meters.
They said celltower localization was worse due to greater system complexity.

They obtained the actual location of 54 Los Angeles cell towers.
Applying naive algorithms to a wardrive trace resulted in 40km errors! (WTF)
They found that the only hope you have is for celltowers bounded by a trace.
Their restricted algorithm reduced the localization errors by one half.

They collected three traces between February & March of 2009 by wardrivers.
a. Downtown LA
b. Residential LA
c. Rural Victor Valley in San Bernardino County

At 2 second intervals at 32kmph they collected 2,613,465 RS readings from
105,271 uniqu3e locations, averaging 25 RSS readings per location.

They were aware of every cell attached to a tower, where there can be 2, 3,
or 6 cells per tower, which is information they had obtained beforehand.

They found both these common algorithms "performed very poorly" overall:
a. Strongest RSS (fails when the tower isn't close to the roadway)
b. Weighted Centroid (geometric centers, weighted by signal strength)

The median error in the downtown area, for example, was found to be:
a. Strongest RSS = 2.75km median error
b. Weighted Centroid = 2.83km median error

The performance in rural areas was vastly different due likely, they said,
to the fact that the towers are most likely closer to the roadways.
a. Strongest RSS = 7.0km median error
b. Weighted Centroid = 0.7km median error

Their conclusion was that "blindly applying these algorithms to estimate
cell tower positions results in very large errors."

There was more, but that's a quick summary up to the point that they delved
into the reasons for the estimation errors, and how they'd eliminate them.

After they looked at the cause of the errors, they concluded "that one can
_hope_ to locate a cell accurately _only_ if it falls within the area
covered by the wardriving trace", and then they proposed ways to do that.

Bear in mind, while they claim it's the first study of its scale, it was
published in 2010 so it's using ancient technology of its day at that time.
--
*Accuracy Characterization of Cell Tower Localization*
<https://www.researchgate.net/publication/221568410_Accuracy_Characterization_of_Cell_Tower_Localization>

In article <su750t$g7m$1@gioia.aioe.org>, Andy Burnelli
<spam@nospam.com> wrote:

>
> > even with wifi "off" the phone can still use the radios for location,
> > rather than for communication, there used to be a setting to make "off"
> > mean
> > "really off" but I can no longer see it, and why should you trust it?
>
> I believe I turned off wi-fi tracking on my phone,

you believe incorrectly.

>
> I suspect you are aware there are _hidden_ uploads of wifi information, incl

which you can't turn off.

> a. The time of day on the phone;
> b. the location of the phone (usually via gps but maybe not always);
> c. the signal strength of all visible access points (i.e., not hidden);
> d. the bssid of those visible (not hidden) access points;
> e. the ssid of those visible (not hidden) access points;
> f. And some other information which is stored up the uploading log.

hidden bssids are included.

> >> c. Cellular geolocation is highly unlikely by apps
> >
> > true but "they" can do it from the network side.
>
> Well, maybe it's not true. I don't know.

you do not.

> In the PDF I posted (see URL in sig),

wrong place to put it.

> the abstract says these 5 things:

the big takeaway is that you don't understand it.

> a. To triangulate cell towers, you need an accurate cell tower location
> b. There is no accurate cell tower location lookup available to the public

the fcc database is public record and some cell towers announce their
lat/long location. it also doesn't matter since that info is not
needed.

> c. However, wardriving data allows an "estimate" of cell tower locations
> d. If you're not careful, wardriving methods are highly inaccurate
> e. But if you're careful, and if you limit the scope, they can be accurate

> Notice it's a chicken-and-the-egg scenario.
> You need cell tower locations in order to use them to triangulate location.

many words to say you don't know how it works.

>
> The median error in the downtown area, for example, was found to be:
> a. Strongest RSS = 2.75km median error
> b. Weighted Centroid = 2.83km median error

for many things, it's more than sufficient.

weather, for example, only needs to know the general area. a ~3km
location is perfectly fine.

> The performance in rural areas was vastly different due likely, they said,
> to the fact that the towers are most likely closer to the roadways.
> a. Strongest RSS = 7.0km median error
> b. Weighted Centroid = 0.7km median error

that's still good.