iOS/Android: If you're worried about apps tracking your location, it's not enough to limit your location sharing. You need to limit camera-roll sharing too. If you've ever given an app access to your camera roll - to take photos, or store screenshots, or any given reason - you've also let it see where all those photos were taken. Felix Krause, an iOS developer and security writer, built an app to demonstrate this back door:
Well she sneaks around the world from Kiev to Carolina
— Felix Krause (@KrauseFx) September 27, 2017
Krause's iOS app DetectLocations shows you just how much apps can learn about your past (and future) location through your photos' EXIF data. Grant it camera access and it will show you where you took all your photos, whether you were in a vehicle when you took them, and your likely routes between each photo location.
You can limit access to past photo data by moving everything out of your camera roll before you grant an app permission. But that won't stop an app from spying on any photos going forward.
If that freaks you out, you can prevent this by disabling geotagging on your photos. As we explained in 2014, Android users can turn off geotagging in their camera settings; iOS users can turn it off in their privacy settings. Of course, then you won't be able to make photo maps. There's no granular setting to disable geotagging for third-party apps.
Of course, if you're already fine with sharing your location with Google and Facebook at all times, you might be fine with handing it over to any app that wants access to a photo or two. It's just good to be aware of how much information you're giving up.
Krause's blog is full of helpful, scary security hints like this. His most recent post shows how if you're not careful, any iOS app could steal your Apple ID password. Cool cool cool.