Continuous collection of GPS location

Description

The application continuously accesses and collects the device's GPS location. GPS tracking is subject to compliance requirements and is subject to strict restrictions under certain jurisdictions.

GPS tracking may also be abused by malware or attackers who gained access to the device with the permissions of the application.

Recommendation

To enable continuous GPS tracking, it is recommended:

Consult legal counsel on the legality of GPS tracking
Notify user of the reason requiring GPS tracking with the possibility for users to opt-out
Avoid storage of GPS location locally, and if needed to, encrypt GPS with device-specific key

Links

Standards

OWASP_MASVS_L1:
- MSTG_NETWORK_1
OWASP_MASVS_L2:
- MSTG_NETWORK_1
PCI_STANDARDS:
- REQ_6_2