Many types of data generated and stored by a phone are not considered sensitive by developers, and apps do not need to ask for a permission to access it. For example, a time zone, device IP address, and network status can be accessed without permission, as well as the accelerometer, magnetometer (which measures the angle between the phone's heading and north), or barometer.
Combined with the information from maps, timetables, and various databases, the sensors’ data may reveal if a user travels by train, or an airplane, or drives a car, and where exactly he or she goes.
The researchers state, that the combination of data sources provided user tracking "comparable to GPS" on their iPhone 6, iPhone 6S and Galaxy S4 i9500 test devices.
Actually, the approach is not new. Security experts regularly demonstrate how innocent sensor or open source data can reveal private details of a phone owner’s life.
Back in 2014, for example, it was demonstrated how the access to the gyroscope and accelerometer can help identify a person by the patterns of his walking. Besides, the gyroscope can be used as a microphone, though not a precise one, and let a hacker listen to conversations near the phone.
In 2015 other researchers showed how the information about apps’ battery usage can be utilized for tracking a phone’s location.
Most of these techniques are more of a demonstration than an actual threat. They demand a lot of complicated activities and analysis, and the resulting information is not accurate and needs to be combined with yet other data. If you are not a politician or a movie star, you are quite unlikely to become their victim, at least until they become easier to embody.
But it is better to be safe than sorry, so do not install dubious apps from unknown developers, and carefully manage app permissions: if a flashlight app asks for the access to location data, IP address and sensors, think twice. And then reject.