Im guessing (based on recently using Estimote beacons in a project) that this relies on inexpensive beacons and most of what happens is in the app. The beacons don't talk to the cloud service - the app does. I think the app listens for the beacons which are sending sending RSSI (received signal strength indication) information as well as heir unique id, and the cloud service is estimating your distances from 3 or 4 beacons and solving to get a position then sending that back to the app. (It's probable the app could do that itself, but Estimote might have some "secret sauce" that makes their cloud-reliant solution better - perhaps by aggregating data about the Bluetooth reception quality on a per model or device basis and updating their position estimate algorithms in real time. If I wanted to implement something like this without leaking user location data to Estimote/The NSA, I'd probably try using rough models in-app (without sending the beacon data anywhere) and using accelerometer/gyro data to provide additional dead reckoning input.
Note though - much of the same tricks can be pulled with 2.4gHz capable SDRs passively listening for wifi/bluetooth (and even cellular) transmission from your phone. This is almost certainly being used to track you in shopping malls already, and I'd be quite surprised to head it's not also deployed in airports, military contractor campuses, and large privacy invasive corporations - as well as wherever various three letter agencies of overreaching law enforcement want it.
Thanks for the insight. Might you be able to guess how the Bluetooth on/off/on and visible settings work for visibility for passive listening? If my phone is linked/paired with my Bluetooth headset but not visible to other devices, is it still noticeable by the passive listening devices?
From what I understand with WiFi and Google Location Services, if you have WiFi "on but not connected", your phone is regularly sending out messages to any router that will listen saying "Are you SSID x, y, z, a...etc.?" Android phones record this information, i.e., SSIDs pinged and your coarse location, and report this back to the mothership so as to improve the estimated position of all of these SSIDs/router MAC addresses. Theoretically, if I understand what you're saying, is that there could be hardware devices that require no input from the user: the routers themselves would be noting who (i.e. which phones/MAC addresses) ping them asking for which SSIDs and record those as they progress through a space. Put enough routers in a space and you can triangulate based on RSSI....is that the basic idea?
Wifi is easy - any wifi module that can be put into "monitor mode" will let you listen in for SSID probes. Apple have started randomising the MAC address the device uses for those probes in iOS8, which is a start, but there's often a close-to-unique fingerprint that you still get from the set of SSID's that are probed for (how many people do you suppose probe for "Company $A Staff Wifi, Shopping Mall $B free wifi, Cafe's $C $D and $E free wifi, and person $F home wifi") - there's also a trick that I think I heard WifiPineapple uses of listening for common SSID probed (McDonald Free Wifi, Netgear, etc), then responding as that base station - then getting the real MAC address during the negotiation phase).
BlueTooth is only a little more difficult - you only need a hundred or so dollars to start playing there though: http://ubertooth.sourceforge.net/ or https://github.com/mossmann/hackrf/wiki/HackRF-One will both let you see BlueTooth radio traffic - it's somewhat harder to dig into their encrypted traffic, but seeing and measuring the signal strength is easy.
It's bluetooth on and you need to give permission to the app to have access to your location. The app can ask for access "all the time" or "only when open", to which you also need to confirm.
