Google Play Sign-Ins Allow Covert Location-Tracking
A design flaw involving Google Timeline could allow someone to track another device without installing a stalkerware app.
It’s possible to track someone’s user location via Google Play sign-ins, a researcher has discovered – a potential stalker avenue that, so far, the internet behemoth has yet to address.
“With the aid of Google I was able to ‘spy’ on my wife’s whereabouts without having to install anything on her phone,” said Malwarebytes Labs researcher Pieter Arntz, in a Wednesday posting. “In my defense, this whole episode happened on an operating system that I am far from an expert on (Android), and I was trying to be helpful. But what happened was unexpected.”
In short: Arntz logged into his Google Play account from his wife’s phone, in order to pay for an app that she wanted to install. Then he handed the phone back to her, forgetting to log out. And that’s when the weirdness started.
Google Timeline for Good and Evil(ish)
“I was investigating how much information the Google Maps Timeline feature was gathering about me,” Arntz explained. “The timeline is an often-overlooked Google feature that ‘shows an estimate of places you may have been and routes you may have taken based on your Location History.’ I was curious to see what Google records about me, even though I never actively check in or review places.”
In the course of looking at the timeline, he started noticing that Google was marking him down at places he hadn’t visited that day. After wondering if it was a glitch, one update came through showing a location that he knew his wife had been to.
“Suddenly, it dawned on me: I was actually receiving location updates from my wife’s phone, as well as mine,” he said.
Thinking that logging out of Google Play on his wife’s phone would resolve the issue, Arntz was surprised to see that Google automatically added his account to his wife’s phone.
“After some digging I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store, but was not removed when I logged out after noticing the tracking issue,” he said – forcing the need to manually remove his account from settings.
Making matters even worse, it’s almost unnoticeable if this situation is in play, he added – there’s no indication other than a barely noticeable icon when Google Play is opened:
“The only thing that might have alerted my wife to this unintentional surveillance—but never did—was my initial in a small circle at the top right corner of her phone, when she used the Google Play app,” he explained. “You have to touch the icon to see the full details of the account that is logged in.”
Bottom line? Google will record the location of whatever phone a person has logged into. So, it’s not even necessary for someone to install one of the insidious stalkerware apps that have flooded the marketplace in order to keep tabs on where someone has been, making covert surveillance by, say, a controlling partner or estranged spouse all the easier to carry out.
“This really is a low-effort method of spying on someone’s whereabouts,” Arntz nutshelled. “Plus, you do not need to install anything and there is only a minimal chance of being found out.”
One more potential concern, the researcher added, and it’s an ominous one:
“While this post talks about Google Maps location information, I’m pretty sure there will be other apps that are linked to your account rather than to your phone,” he said. “Those apps could be queried for information by people other than the owner of the phone if they are logged into Google Play.”
Feature or Bug? Potential Fixes for Google
Arntz said that he submitted a bug report to Google, but he’s not hopeful it will address the potential for misuse.
“I’m afraid they will tell me that it is a feature and not a bug,” he said. “[But] there are a few things that Google could improve here.”
That includes ensuring that Timeline gathers data only on the phones it’s actually enabled on.
“Google timeline was enabled on my phone, not on my wife’s, so I feel I should not have received the locations visited by her phone,” Arntz said.
Another easy fix would be to send an alert to the user that the phone’s location is being shared to a different phone with Timeline enabled – or, at the very least, that someone else logged into Google Play from one’s device.
“When I logged in under my account on her Google Play, I got a ‘logged in from another device’ warning,” the researcher said. “I feel there should have been something similar sent to her phone. Something along the lines of ‘someone else logged into Google Play on your phone.’”
Tech Abuse on the Rise
While the situation doesn’t represent a by-design attempt to work around a user’s consent, it’s still a design and user-experience flaw, Arntz noted.
“We should be very clear here…this situation is not a form of stalkerware,” he explained. “However, it is still a flaw that can and should be called out, because the end result can still provide location tracking of another person’s device.”
The potential abusive misuse of legitimate technology should be of concern for Google and any other app provider, according to Eva Galperin, director of cybersecurity for Electronic Frontier Foundation (EFF).
The flaw “does highlight the importance of quality assurance and user testing that takes domestic abuse situations into account and takes the leakage of location data seriously,” Galperin said. “One of the most dangerous times in a domestic abuse situation is the time when the survivor is trying to disentangle their digital life from their abusers’. That is a time when the survivors’ data is particularly vulnerable to this kind of misconfiguration problem and the potential consequences are very serious.”
Google did not immediately return a request for comment.
Arntz added, “Of course, a cynic might say that the fundamental obstacle here is that if your business model demands that you hoover up as much information about somebody as possible, the opportunities for this kind of unintentional, tech-enabled abuse are likely to increase.”
How to Prevent Google-based Surveillance
The only way for users to make sure they’re not being tracked from another phone via Timeline (or any other location-sharing app) is to check which accounts have been added to one’s phone.
This can be done by going to Settings > Accounts and Backups > Manage Accounts. There will be a list of Google accounts linked to the phone, and users can click on the accounts they want to remove.
“After removing my account from there on my wife’s phone the tracking issue was finally resolved,” Arntz noted.
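The same account check can be done from a computer when the phone has USB debugging enabled. The following is an added example, not part of the original article or of Arntz's research: it parses the output of `adb shell dumpsys account` and reports Google accounts the phone's owner does not recognise. The sample output, the e-mail addresses and the function names are constructed, and the exact dumpsys layout is an assumption that varies between Android versions.

```python
import re
import subprocess

# Constructed sample in the shape `adb shell dumpsys account` commonly prints
# (assumption: the exact layout varies between Android versions).
SAMPLE_DUMPSYS = """\
User UserInfo{0:Owner:c13}:
  Accounts: 3
    Account {name=owner@example.com, type=com.google}
    Account {name=partner@example.com, type=com.google}
    Account {name=owner, type=com.example.chat}
"""

ACCOUNT_RE = re.compile(r"Account\s*\{name=(?P<name>[^,}]+),\s*type=(?P<type>[^}]+)\}")


def parse_accounts(dumpsys_text):
    """Return a de-duplicated, ordered list of (name, type) pairs."""
    seen, accounts = set(), []
    for m in ACCOUNT_RE.finditer(dumpsys_text):
        pair = (m.group("name").strip(), m.group("type").strip())
        if pair not in seen:  # dumpsys can list the same account in several sections
            seen.add(pair)
            accounts.append(pair)
    return accounts


def unexpected_google_accounts(dumpsys_text, expected):
    """Google accounts on the device that the phone's owner does not recognise."""
    known = {e.strip().lower() for e in expected}
    return [name for name, typ in parse_accounts(dumpsys_text)
            if typ == "com.google" and name.lower() not in known]


def read_device_accounts():
    """Read the live account list; needs adb and USB debugging on the phone."""
    result = subprocess.run(["adb", "shell", "dumpsys", "account"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Runs against the constructed sample; pass read_device_accounts() for a real phone.
    for name in unexpected_google_accounts(SAMPLE_DUMPSYS, ["owner@example.com"]):
        print("Unexpected Google account on device:", name)
```

Any account this reports still has to be removed on the phone itself, through the Settings path described above.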
Want to transfer Google Photos from one account to another account? Here’s how you can do it
Google Photos is a great inbuilt feature developed by Google for sharing photos and videos and even storing them on devices. It uses its proprietary image-analysis technology to organize photos and also provides free unlimited storage for users who want to back up their images in high quality.
However, if you have multiple Google accounts and want to transfer all your Google Photos from one account to another, you can follow the steps given below.
Here’s how to transfer Google photos manually
In this method, you’ll have to first download all the Google photos from the first account and then upload them to the new account.
Step 1: Open a browser on your computer.
Step 2: Go to the Google Photos website. Then, log in to your first account.
Step 3: Now, click on the first picture and scroll down till the end.
Step 4: Then, press the ‘Shift’ button and click on the last picture. Doing this will select all the pictures.
Step 5: Now, click on the three dots given at the top right corner of the screen and click on the ‘Download’ button.
Step 6: Once all the photos are downloaded, sign out from this account.
Step 7: Log in to your second Google account using your credentials.
Step 8: Now, select all the photos and click on ‘upload to Google photos.’ It may take a while for all the photos to be uploaded.
Add a partner account to transfer Google photos
Step 1: Open the Google Photos app on your smartphone.
Step 2: Click on the three-bar icon given at the top left corner. Then, select the option ‘Settings’.
Step 3: Now, tap on the ‘Shared Libraries’ option and click on ‘Get Started’.
Step 4: On the next page that opens, you’ll be required to enter the email address of your second account.
Step 5: Select ‘All Photos’ and click on the ‘Send Invitation’ button. After this, use your second account to accept the invitation.
Step 6: Now, click on the ‘Sharing’ tab given at the bottom left corner of the screen.
Step 7: Select the library of your first Google account and then tap on the overflow button (three dots).
Step 8: Then, select the ‘Settings’ option and tap on ‘Save to your library’. Lastly, choose ‘All Photos’. This will save all your Google photos to the new account.
Here’s how to use shared albums to transfer Google photos
Step 1: Open the Google Photos app on your smartphone.
Step 2: Select the ‘Albums’ tab given at the bottom of the screen.
Step 3: Now, open the album which you want to transfer. Then, tap on the ‘Share’ button given at the top of the screen.
Step 4: You’ll then need to enter the email address with which you want to share the selected album. After this, click on the ‘Send’ button.
Step 5: Now, open Google Photos on your second account and head to the ‘Sharing’ section.
Step 6: Select all the photos and then tap on the ‘Add to library’ icon given at the top of the screen. All your Google photos will be added to the new account.
How to Move YouTube Content to a New Google Account
You have multiple Google accounts, an old one and a new one. You want to retire the old one and use just the new one. That means you need to transfer a bunch of items from one to the other. We’ve already covered the process of merging two separate Gmail accounts. But what about all your content on Google-owned YouTube?
Maybe you subscribe to YouTube channels to watch your favorite videos. Or perhaps you post YouTube videos through your own channel. Either way, you need to move all your YouTube subscriptions, channels, and videos from your old account to the new one.
Unfortunately, Google doesn’t make it easy to migrate information from one account to the other. If the goal is to move or recreate your YouTube subscriptions, playlists, channels, and videos from your old account to the new one, prepare to get your hands dirty.
As of right now, power users and content creators alike will need to do a lot of the data migration manually. The process requires several steps and takes some effort, but it is doable.
Move Your Subscriptions
The first task you may want to undertake is to move all your YouTube channel subscriptions from the old account to the new one. There used to be a couple of ways to automate the export and import process, but those methods no longer work.
You can do this manually if you click the Subscriptions icon and then click Manage to see a list of all your subscriptions. You can then open another browser, sign into your new account, and go through the list, re-subscribing to each entry.
Another option is to use Google Takeout to export your subscription list as a CSV file with links for each subscription that you can open in your new account. To do this in YouTube under your old account, click your profile icon in the upper right and select Your data in YouTube, then click Download YouTube data under the Your YouTube dashboard heading.
At the Google Takeout page, select the data you want to be included. Click All YouTube data included, then deselect everything on the list except Subscriptions. Click OK and then click Next step. Make sure frequency is set to Export once and then click the Create export button.
Since you’re exporting only your subscriptions, the process should take just a few seconds. Click the Download button and then save the ZIP file to your computer.
Extract the downloaded ZIP file. Drill down through all the folders until you find the subscriptions.csv in the subscriptions folder. Open that file in Excel and expand the width of the columns. The second column contains the URLs for each of your subscriptions.
Sign into your new Google account in your browser. Copy and paste each URL from the CSV file in your browser’s address field. You can then click the Subscribe button for each channel.
Move Your Playlist
You may want to transfer videos saved under your old YouTube account. In order to do this, those videos must be saved as a playlist. Click any of the categories on the left-hand menu, such as Library, History, Watch later, and Liked videos. You can then click the three-dot icon next to a video you want saved to a playlist and select Save to playlist.
Create a new playlist or use an existing one, then select the playlist you wish to use. From the playlist page, click the drop-down arrow to make the playlist set to Unlisted or Public (not Private). Click the Share icon and copy the URL for your playlist.
Open a different browser and sign into your new YouTube account. Paste the URL from the playlist into the address field. Click the Save playlist icon, and your playlist is saved under your new account.
Transfer Your YouTube Channel
If you are a content creator with videos posted to your own channel, you can transfer to a Brand account and then move ownership over to a new Google Account. Set this up under your old YouTube account by clicking your profile icon and choosing Settings.
In the Account section of your Settings page, click the Add or manage your channel(s) link, then click the Create a Channel button.
Type a name for your new Brand channel, then check the box underneath the name field, and click the Create button.
Sign back into YouTube with your old Google account. Go to Settings > Advanced settings, then click the Move channel to a brand account link.
At the next screen, confirm that the new Brand account appears at the bottom of the Account screen and click the Replace button.
A pop-up window will ask you to confirm the deletion of your old account. Check the box, then click Delete Channel. At the next window, click the Move Channel option.
Sign out of YouTube and then sign back in with your old account. At the window prompting you to select a channel, click the Brand account you just created.
Go to Settings > Account and click the Add or remove manager(s) link to begin the process of connecting your new account to the new Brand account.
Click the Manage Permissions button, then click the Invite new users icon in the upper-right corner. You can then enter the email address of your new Google Account in the field. Choose a role from the drop-down menu and set it to Owner. Click Invite, then click Done.
Check your email with your new Google account and look for the invitation message. In that message, click Accept Invitation. At the Accept Invitation page, click the Accept button.
Your next step is to make your new account the primary owner, though Google will make you wait seven days before you can do this. Once the seven days are up, sign into the Brand account page for your new Google account. Choose your account at the bottom of the page and click the Manage This Account button.
Click Manage Permission, then click the drop-down arrow next to your new account and change the role to Primary Owner. Click Transfer > Done to complete the task.
Transfer Your Videos
Your final step is to transfer the videos you’ve published through your channel from your old account to your new one. There are multiple ways to do this, but it’s easiest to just download them from your old Google account and upload them to the new one. Unfortunately, you’ll have to download them one at a time.
From your old account, select Your Videos to go to YouTube Studio. Click the three-dot icon next to each video, select Download, and save them to your computer.
Sign into your new Google account and select Your Videos to go to YouTube Studio. Click the Upload Videos button, then click the Select Files button and select all the videos or simply drop them into the upload window. Your videos will upload one at a time.
After the videos are uploaded, they’re still in draft mode, which means you have to add certain details to them before they go live. Click the Edit Draft link next to each video. Review each screen to fill in any necessary information, such as a description, audience, and viewing mode (private, unlisted, or public). Click Save, and your mission is complete.