Mobile carriers have the ability to silently retrieve exact GPS coordinates from any smartphone without the user's knowledge of the operating system, notification, or consent. Control-plane positioning at the baseband processor level is made possible by cellular protocols RRLP (Radio Resource Location Protocol) and LPP (LTE Positioning Protocol), which totally circumvent location permissions on iOS and Android. The Design of the Invisible Tracking Flowchart for RRLP location request signaling in 3G networks from GMLC to SMLC and mobile station Modern smartphones contain two distinct processors: the application processor (AP) running the operating system and apps, and the baseband processor (BP) managing cellular modem firmware and radio communications.

These processors operate in isolation, with the baseband functioning as a proprietary black box running its own real-time operating system.

Carriers never notify the application processor that enforces user permissions when they send location requests; instead, they communicate directly with the baseband processor via control-plane signaling channels used for network infrastructure management. While iOS and Android location permissions, Location Services toggles, VPNs, and firewalls function at API and IP layers that control-plane signaling completely avoids, airplane mode completely blocks cellular connectivity. Without OS supervision, the baseband processor continues to have direct hardware access to GPS chipsets.

Apple’s iPhone 16e featuring the custom C1 modem represents the first genuine mitigation. iOS 26 introduces Location Privacy features providing visibility into control-plane requests, user consent prompts, and options to downgrade precise GPS to coarser cell-tower estimates.

However, since Google uses Qualcomm and MediaTek basebands, this protection is limited to devices with Apple's proprietary modem, cannot prevent E911 emergency location responses, and has no Android equivalent.