Many popular location-based social networks (LBSNs) support built-inlocation-based social discovery with hundreds of millions of users around theworld. While user (near) realtime geographical information is essential toenable location-based social discovery in LBSNs, the importance of userlocation privacy has also been recognized by leading real-world LBSNs. Toprotect user's exact geographical location from being exposed, a number oflocation protection approaches have been adopted by the industry so that onlyrelative location information are publicly disclosed. These techniques areassumed to be secure and are exercised on the daily base. In this paper, wequestion the safety of these location-obfuscation techniques used by existingLBSNs. We show, for the first time, through real world attacks that they canall be easily destroyed by an attacker with the capability of no more than aregular LBSN user. In particular, by manipulating location information fed toLBSN client app, an ill-intended regular user can easily deduce the exactlocation information by running LBSN apps as location oracle and performing aseries of attacking strategies. We develop an automated user location trackingsystem and test it on the most popular LBSNs including Wechat, Skout and Momo.We demonstrate its effectiveness and efficiency via a 3 week real-worldexperiment with 30 volunteers. Our evaluation results show that we couldgeo-locate a target with high accuracy and can readily recover users' Top 5locations. We also propose to use grid reference system and locationclassification to mitigate the attacks. Our work shows that the currentindustrial best practices on user location privacy protection are completelybroken, and it is critical to address this immediate threat.
展开▼
