
Your Location Permissions Don't Reach the Baseband

Source: lobsters

There is a gap in the mental model most developers carry about mobile privacy, and a recent deep-dive by a cellular network engineer makes it concrete. The assumption is something like: location is a permission, the OS controls it, if the user denies it then the app doesn’t get it. That assumption is correct for the application layer. It does not apply to the carrier.

The location services stack in a modern LTE or 5G network is a full 3GPP-standardized subsystem, designed primarily for emergency services (E911 in the US) and lawful interception, that operates entirely in the signaling plane below the IP layer. When a network entity requests your location through this path, the modem firmware handles it. The Android or iOS location permission framework is not consulted, because those frameworks live in a completely different software environment.

The Architecture: LCS, GMLC, and the E-SMLC

In LTE, the Location Services (LCS) architecture is defined in 3GPP TS 23.271. The key components are:

  • GMLC (Gateway Mobile Location Centre): the network entity that receives location requests from LCS clients (emergency dispatch, law enforcement, commercial services with data agreements) and routes them inward.
  • E-SMLC (Evolved Serving Mobile Location Centre): sits closer to the radio access network, coordinates the actual positioning measurements, and terminates the LPP (LTE Positioning Protocol) toward the device.
  • LPP (TS 36.355): the ASN.1-encoded protocol that the E-SMLC uses to communicate directly with the device’s modem, requesting measurements or delivering assistance data.

In 5G NR, the E-SMLC is replaced by the LMF (Location Management Function), and the positioning protocol between the LMF and the gNB is NRPPa (TS 38.455), but the fundamental architecture is the same.

LPP messages travel over the NAS (Non-Access Stratum) signaling plane, encapsulated in RRC (Radio Resource Control) messages or NAS transport. This is the same layer that handles attach procedures, authentication, and handover signaling. It has nothing to do with the IP stack the OS sees.

The Method Ladder

The network has a range of positioning techniques available, with different accuracy, latency, and device-cooperation requirements:

Cell-ID is the floor. The network already knows which cell a device is camped on; it looks up that cell’s coordinates in a database (OpenCelliD, internal carrier data). Accuracy ranges from roughly 50 meters in a dense urban small cell to 35 kilometers in a rural macro cell. No signaling to the device is needed.

Enhanced Cell-ID (E-CID) refines Cell-ID using Timing Advance values. The base station sends TA commands to synchronize uplink transmissions; in LTE, one TA unit corresponds to roughly 500 meters of round-trip distance. Combined with the cell sector’s azimuth and beamwidth, this constrains the device to an arc rather than a full circle around the tower. Add neighbor cell RSRP measurements and you get 50 to 300 meters in urban environments, entirely from passive observation of normal uplink traffic.

OTDOA (Observed Time Difference of Arrival) is an active downlink method defined in TS 36.305. The network schedules PRS (Positioning Reference Signals) from multiple base stations; the device measures the arrival-time difference between them and reports RSTD values back. The E-SMLC solves the resulting hyperbolic equations. Accuracy is theoretically 10 to 50 meters in a synchronized network, typically 50 to 200 meters in practice. The device participates in measurement, but only modem firmware is involved.
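An added worked example, not from the original article, of the hyperbolic solve the E-SMLC performs: a pure-Python Gauss-Newton fit of a 2D position to RSTD values constructed from an assumed cell layout, with the reports quantized to the LTE basic time unit Ts to show the resolution floor. The cell coordinates, the device position and the centroid initial guess are constructed; the resulting error figures come from running the solver, not from the article.

```python
import math

C = 299_792_458.0                 # speed of light, m/s
TS = 1.0 / (15_000 * 2_048)       # LTE basic time unit Ts ~ 32.55 ns (TS 36.211)

# Constructed sample network, ENU coordinates in metres. cells[0] is the
# reference cell; the others are neighbours whose PRS the device measures.
CELLS = [(0.0, 0.0), (1500.0, 200.0), (-400.0, 1300.0), (900.0, -1100.0)]
UE_TRUE = (320.0, 410.0)          # ground truth, used only to construct RSTDs

def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def construct_rstd(ue, cells, quantize=True):
    """RSTD_i = t_i - t_0 in seconds, as the device would report it over LPP.
    Real reports are quantized; TS 36.133 uses 1 Ts resolution for small RSTDs."""
    d0 = dist(ue, cells[0])
    out = []
    for cell in cells[1:]:
        rstd = (dist(ue, cell) - d0) / C
        if quantize:
            rstd = round(rstd / TS) * TS
        out.append(rstd)
    return out

def solve_otdoa(cells, rstd, guess, iters=25):
    """Gauss-Newton fit of the device position to the hyperbolic equations
    c*RSTD_i = |UE - cell_i| - |UE - cell_0|, as an E-SMLC would do."""
    x, y = guess
    ref = cells[0]
    for _ in range(iters):
        d0 = dist((x, y), ref)
        a = b = d = gx = gy = 0.0      # J^T J and J^T r accumulators (2x2, 2x1)
        for cell, m in zip(cells[1:], rstd):
            di = dist((x, y), cell)
            r = (di - d0) - C * m                    # residual in metres
            jx = (x - cell[0]) / di - (x - ref[0]) / d0
            jy = (y - cell[1]) / di - (y - ref[1]) / d0
            a += jx * jx; b += jx * jy; d += jy * jy
            gx += jx * r; gy += jy * r
        det = a * d - b * b
        if abs(det) < 1e-12:
            break                                    # degenerate geometry
        dx = -(d * gx - b * gy) / det                # delta = -(J^T J)^-1 J^T r
        dy = -(a * gy - b * gx) / det
        x += dx; y += dy
        if math.hypot(dx, dy) < 1e-4:
            break
    return x, y

def demo():
    """Position error (m) with exact RSTDs and with Ts-quantized RSTDs."""
    guess = (sum(c[0] for c in CELLS) / len(CELLS), sum(c[1] for c in CELLS) / len(CELLS))
    exact = solve_otdoa(CELLS, construct_rstd(UE_TRUE, CELLS, quantize=False), guess)
    quant = solve_otdoa(CELLS, construct_rstd(UE_TRUE, CELLS), guess)
    return dist(exact, UE_TRUE), dist(quant, UE_TRUE)
```

The starting guess is the centroid of the cells, standing in for the Cell-ID estimate the network already has before any device measurement.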

UTDOA (Uplink Time Difference of Arrival) inverts this: LMUs (Location Measurement Units) co-located with base stations measure the arrival time of the device’s uplink SRS (Sounding Reference Signals). The device does nothing special; no cooperation from it is needed at all. This is the method most relevant to lawful interception of legacy devices.

A-GNSS via LPP Control Plane is the most accurate method, capable of 3 to 15 meters outdoors. The network delivers GPS almanac, ephemeris, coarse position, and timing assistance down to the modem via LPP messages, reducing time to first fix (TTFF) from 30 to 45 seconds down to 1 to 3 seconds. The modem’s GNSS chip acquires a fix and reports it back via LPP. The entire exchange happens in NAS signaling. The OS sees none of it.

The SUPL Distinction

A-GPS also operates via SUPL (Secure User Plane Location), an OMA standard that delivers assistance data over HTTPS to a TCP/IP socket. This path does involve the IP stack and is therefore, in principle, visible at the OS layer. Android and iOS use SUPL for consumer A-GPS. The SUPL server address is provisioned via OMA Device Management, often in the SIM.

The distinction matters: SUPL is the path consumers interact with, and it carries at least some possibility of OS-level inspection. LPP over the control plane is the path carriers and law enforcement use, and it is opaque to the OS by design. Both can deliver the same GPS-level accuracy. Only one is below the permission dialog.

What Happened When This Infrastructure Met the Market

The E911 requirements that drove deployment of all this positioning infrastructure also created a real-time location API inside every major US carrier. In 2018, Motherboard’s Joseph Cox reported that a bounty hunter had tracked a phone in real time using a system sold by Securus Technologies, which sourced location from LocationSmart, which had data agreements with all four major US carriers. The location was accurate to roughly 100 meters. No warrant. No notification to the device.

Security researcher Robert Xiao then discovered that LocationSmart’s demo API was completely unauthenticated. Anyone could POST a phone number and retrieve the subscriber’s current location from the carrier network. The entire consent mechanism was a text message that, if dismissed, proceeded to deliver the location anyway after a timeout.

The FCC fined the carriers in 2020: AT&T $57 million, T-Mobile $80 million, Sprint $12 million, Verizon $48 million. The fines were not for having built this infrastructure, which exists for legitimate emergency use. They were for failing to adequately control the resale chain downstream. The technical capability was never the problem in the FCC’s framing; the commercial distribution of access to it was.

SS7 and the Legacy Layer

For GSM and UMTS subscribers, there is an older and messier attack surface. SS7 (Signaling System No. 7) is the protocol suite that routes calls, SMS, and roaming signaling between carriers globally. It was designed in the 1970s with a trust model that assumes every participant is a legitimate telecom. There is essentially no authentication between SS7 nodes.

The MAP ATI (Any Time Interrogation) message, originally for billing purposes, asks a subscriber’s Home Location Register for their current serving MSC address and cell-ID. If the target carrier does not filter unsolicited ATI queries, the response reveals the subscriber’s location to cell-ID precision. In 2014, Karsten Nohl and Tobias Engel demonstrated at the Chaos Communication Congress that this attack worked against most global carriers. The target device receives no indication at all.
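A defender-side illustration of the filtering this paragraph mentions, added here and not taken from the Lobsters post or any carrier product: a minimal decision function over constructed, already-decoded MAP records that rejects anyTimeInterrogation arriving from an interconnect linkset and flags a home-network global title appearing on an interconnect link. The linkset labels, the GT prefix and the record shape are assumptions; the opcodes are the MAP local operation codes from 3GPP TS 29.002.

```python
# Constructed, already-decoded MAP records, roughly what an SS7 firewall or
# STP monitor sees after SCCP/TCAP decoding. No real traffic or identifiers.
ANY_TIME_INTERROGATION = 71          # MAP local opcodes, 3GPP TS 29.002
SEND_IMSI = 58
SEND_ROUTING_INFO_FOR_LCS = 85
PROVIDE_SUBSCRIBER_INFO = 70
SEND_ROUTING_INFO_FOR_SM = 45

# Operations that legitimately originate only inside the home network (GMLC,
# billing, HLR) and so are never accepted from an interconnect linkset. This
# mirrors the GSMA FS.11 "category 1" rule; treating it as policy is an assumption.
HOME_ONLY_OPS = {
    ANY_TIME_INTERROGATION: "anyTimeInterrogation",
    SEND_IMSI: "sendIMSI",
    SEND_ROUTING_INFO_FOR_LCS: "sendRoutingInfoForLCS",
}
HOME_GT_PREFIX = "4479123"   # constructed: this carrier's own global-title range

def decide(rec):
    """Return (verdict, reason) for one decoded MAP record."""
    internal = rec["linkset"] == "internal"
    from_home_gt = rec["calling_gt"].startswith(HOME_GT_PREFIX)
    op = rec["opcode"]
    if not internal and from_home_gt:
        # Our own GT can never be the calling party on an interconnect link:
        # the origin is spoofed, so block regardless of the operation.
        return "block", "spoofed home GT on interconnect linkset"
    if not internal and op in HOME_ONLY_OPS:
        return "block", f"{HOME_ONLY_OPS[op]} not accepted from interconnect"
    # Anything else (e.g. SRI-for-SM from a partner) needs the plausibility
    # checks of the later FS.11 categories, which this rule does not implement.
    return "allow", "permitted"

SAMPLE = [  # constructed records
    {"linkset": "internal", "calling_gt": "447912300011", "opcode": ANY_TIME_INTERROGATION},
    {"linkset": "interconnect", "calling_gt": "491700001234", "opcode": ANY_TIME_INTERROGATION},
    {"linkset": "interconnect", "calling_gt": "447912300099", "opcode": PROVIDE_SUBSCRIBER_INFO},
    {"linkset": "interconnect", "calling_gt": "491700001234", "opcode": SEND_ROUTING_INFO_FOR_SM},
]

def filter_records(records):
    """Apply decide() to every record and return the verdicts in order."""
    return [decide(r) for r in records]
```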

Diameter, which replaced SS7 MAP in LTE, has analogous vulnerabilities documented by Positive Technologies, and many carriers bridge between the two via gateways, keeping SS7 pathways alive alongside newer infrastructure.

What 5G Changes

3GPP Release 16 introduced the SEPP (Security Edge Protection Proxy) for inter-carrier N32 signaling in 5G NR. The N32 interface uses HTTP/2 with TLS and JOSE (JSON Object Signing and Encryption), providing cryptographic authentication between carrier networks. This closes the SS7 trust-by-network-topology problem for 5G NR inter-carrier roaming.

Release 16 also substantially expanded positioning, adding DL/UL-TDOA with PRS, DL-AoD (using massive MIMO beamforming), UL-AoA (measuring arrival angle at the gNB antenna array), and Multi-RTT bidirectional ranging. The stated accuracy targets are sub-meter horizontally for indoor use cases, driven by industrial IoT and autonomous vehicle requirements.

What 5G does not change: LPP control-plane location delivery still operates below the OS in 5G NR, exactly as it does in LTE. Network-initiated A-GNSS via LPP remains invisible to Android and iOS. And as long as devices fall back to LTE or 3G for coverage or roaming, the SS7 and Diameter attack surfaces remain accessible.

The Structural Reality

The same infrastructure that makes it possible for emergency dispatch to locate a 911 caller in a building is the infrastructure that carriers sold access to via data broker agreements, that law enforcement queries via CALEA interfaces, and that SS7 attackers exploit via ATI from rogue nodes. These are not separate systems. They are the same GMLC, the same LPP protocol stack, the same positioning measurements, accessed through different front doors.

The technical article that prompted the Lobsters discussion is valuable precisely because it treats this as an engineering problem rather than a policy one. Understanding the LCS architecture, the LPP message flows, and the relationship between E-SMLC and E-CID/OTDOA/A-GNSS methods makes it clear that the privacy properties of cellular location are determined by network architecture and carrier policy, not by anything the device OS can enforce. The permission dialog is a useful tool for managing app access to GNSS. It says nothing about what the network already knows.
