Continuous collection of GPS location
Description
The application continuously accesses and collects the device's GPS location. GPS tracking is subject to compliance requirements and, in certain jurisdictions, to strict restrictions.
GPS tracking may also be abused by malware or by attackers who have gained access to the device with the application's permissions.
Recommendation
If continuous GPS tracking is required, it is recommended to:
- Notify the user of the reason GPS tracking is required, and give users the possibility to opt out.
- Avoid storing the GPS location locally; if local storage is needed, encrypt the location data with a device-specific key.
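Both recommendations above, sketched for Android in Kotlin as an added example that is not code from the original page. The page does not name a platform, so Android and its Keystore are assumptions, and the key alias, preference names and file layout are hypothetical.

```kotlin
import android.content.Context
import android.location.Location
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.io.File
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical names chosen for this example.
private const val KEY_ALIAS = "location_store_key"
private const val PREFS = "privacy_prefs"
private const val PREF_TRACKING_OPT_IN = "tracking_opt_in"

// Returns the AES key held in the Android Keystore, creating it on first use.
// The key is generated on the device and its material cannot be exported.
private fun locationKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

// Persists one fix only if the user has opted in; returns false when nothing is written.
fun storeFix(context: Context, fix: Location): Boolean {
    val prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
    // Tracking is off unless the user has explicitly enabled it.
    if (!prefs.getBoolean(PREF_TRACKING_OPT_IN, false)) return false

    val plain = "${fix.time},${fix.latitude},${fix.longitude}".toByteArray(Charsets.UTF_8)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, locationKey())  // a fresh IV is generated per record
    val sealed = cipher.doFinal(plain)               // ciphertext followed by the GCM tag
    val record = cipher.iv + sealed                  // stored layout: IV || ciphertext || tag

    // One file per fix in app-private storage.
    File(context.filesDir, "fix_${fix.time}.bin").writeBytes(record)
    return true
}
```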
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_NETWORK_1
- OWASP_MASVS_L2:
  - MSTG_NETWORK_1
- PCI_STANDARDS:
  - REQ_6_2
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1
  - MASVS_PRIVACY_2
  - MASVS_PRIVACY_3
  - MASVS_PRIVACY_4