This work proposes a zero-permission attack that infers users’ coarse-grained location types without requiring any location permissions, leveraging only magnetic field signals collected by a smartphone’s built-in magnetometer. By formulating the task as a time-series classification problem, the authors develop a recognition model and validate it using nearly 70 hours of in-the-wild data gathered across 66 real-world locations. The approach achieves classification accuracies of 40.5% and 39.5% under unknown-location and cross-device settings, respectively—substantially outperforming the 16.7% random baseline. These results expose a critical vulnerability in current operating systems’ location privacy protections and offer a novel perspective on sensor-based privacy threats.

Location information extracted from mobile devices has been largely exploited to reveal our routines, significant places, and interests just to name a few. Given the sensitivity of the information it reveals, location access is protected by mobile operating systems and users have control over which applications can access it. We argue that applications can still infer the coarse-grain location information by using alternative sensors that are available in off-the-shelf mobile devices that do not require any permissions from the users. In this paper we present a zero-permission attack based on the use of the in-built magnetometer, considering a variety of methods for identifying location-types from their magnetic signature. We implement the proposed approach by using four different techniques for time-series classification. In order to evaluate the approach, we conduct an in-the-wild study to collect a dataset of nearly 70 hours of magnetometer readings with six different phones at 66 locations, each accompanied by a label that classifies it as belonging to one of six selected categories. Finally, using this dataset, we quantify the performance of all models based on two evaluation criteria: (i) leave-a-place-out (using the test data collected from an unknown place), and (ii) leave-a-device-out (using the test data collected from an unknown device) showing that we are able to achieve 40.5% and 39.5% accuracy in classifying the location-type for each evaluation criteria respectively against a random baseline of approximately 16.7% for both of them.