- Dec 30, 2012
- 4,809
Internal system broadcasts happening inside the Android OS expose sensitive user and device details that apps installed on the phone can access without the user's knowledge or permission.
The leaked data includes details such as the WiFi network name, WiFi network BSSID, local IP addresses, DNS server information, and the device's MAC address.
This type of data might look innocuous, but it can be used to track users online and determine a user's real-world location.
OS "intents" leak MACs and WiFi-related data
The leak happens because of an internal feature of the Android OS named "intents."
Intents allow an app or the OS itself to send an internal system-wide message that can be read by all apps and OS functions running on an Android device.
Mobile security researchers from Nightwatch Cybersecurity have discovered that the Android OS broadcasts information about the WiFi connection and the WiFi network interface via two separate intents —WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION.
Apps installed on an Android —including their advertising components— can set up listening posts for these two intents and capture WiFi-related information even if they don't have the permission to access a phone's WiFi feature (granted by the user to apps at install time).
Leak undermines Android permissions system
This leak completely undermines the Android permission system, as it allows applications access to highly sensitive information without prompting the user for action.
For example, an advertiser or a malicious threat actor who have tricked a user into installing a benign-looking app can harvest WiFi info from system-wide intents and use this data to query public databases of known BSSID identifiers —such as WiGLE or SkyHook— and track down a user's real-world location.
In this scenario, the app doesn't need to ask for the WiFi Access permission, and indirectly through the harvested data, the Location Access permission as well.
Google won't fix older Android OS versions
The Nightwatch team says that all versions of Android are believed to be affected, including forks such as Amazon's FireOS (for the Kindle).
Researchers said they reported the issue (tracked as CVE-2018-9489) to Google in March this year.
Nightwatch said Google opted to fix the WiFi broadcast leaks only in the new Android Pie (9.0) version, but not in the older versions.
Researchers have also developed an Android app that captures and displays all Android internal broadcasts, a tool that can help other researchers confirm their findings and investigate other leaks.
The leaked data includes details such as the WiFi network name, WiFi network BSSID, local IP addresses, DNS server information, and the device's MAC address.
This type of data might look innocuous, but it can be used to track users online and determine a user's real-world location.
OS "intents" leak MACs and WiFi-related data
The leak happens because of an internal feature of the Android OS named "intents."
Intents allow an app or the OS itself to send an internal system-wide message that can be read by all apps and OS functions running on an Android device.
Mobile security researchers from Nightwatch Cybersecurity have discovered that the Android OS broadcasts information about the WiFi connection and the WiFi network interface via two separate intents —WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION.
Apps installed on an Android —including their advertising components— can set up listening posts for these two intents and capture WiFi-related information even if they don't have the permission to access a phone's WiFi feature (granted by the user to apps at install time).
Leak undermines Android permissions system
This leak completely undermines the Android permission system, as it allows applications access to highly sensitive information without prompting the user for action.
For example, an advertiser or a malicious threat actor who have tricked a user into installing a benign-looking app can harvest WiFi info from system-wide intents and use this data to query public databases of known BSSID identifiers —such as WiGLE or SkyHook— and track down a user's real-world location.
In this scenario, the app doesn't need to ask for the WiFi Access permission, and indirectly through the harvested data, the Location Access permission as well.
Google won't fix older Android OS versions
The Nightwatch team says that all versions of Android are believed to be affected, including forks such as Amazon's FireOS (for the Kindle).
Researchers said they reported the issue (tracked as CVE-2018-9489) to Google in March this year.
Nightwatch said Google opted to fix the WiFi broadcast leaks only in the new Android Pie (9.0) version, but not in the older versions.
Researchers have also developed an Android app that captures and displays all Android internal broadcasts, a tool that can help other researchers confirm their findings and investigate other leaks.
