Android API-Breaking Vulnerability Offers WiFi Data to Rogue Apps

According to a report from Nightwatch Cybersecurity, a vulnerability was recently found in the system broadcasts of Google's Android operating system that could expose information about a user's device to any application running on that device.

Android broadcasts information about a user's Wi-Fi connection, including the network name (SSID), local IP addresses, the BSSID and the device's MAC address, through a mechanism called intents. Because these are system-wide broadcasts, the OS or any application on the device can read this data.

Data such as MAC addresses are static and tied to the device, meaning that an attacker could uniquely identify and track any Android device. MAC addresses have been hidden from the public APIs since Android 6; however, a rogue app that eavesdrops on these broadcasts can still capture them. In addition to the MAC address, data such as the BSSID and network name can be used to geotrack users through database lookups.
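The two system broadcasts involved are WifiManager's NETWORK_STATE_CHANGED_ACTION and WifiP2pManager's WIFI_P2P_THIS_DEVICE_CHANGED_ACTION (real Android constants, not named in this article). The following app-vetting check, an added example and not code from the article or from Nightwatch, scans an AndroidManifest.xml for receivers that statically subscribe to either action; the sample manifest and receiver names are constructed.

```python
# Vetting check: flag Android manifests whose receivers statically subscribe
# to the system Wi-Fi broadcasts that carried SSID/BSSID/IP/MAC before Android 9.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions whose extras (WifiInfo / WifiP2pDevice) leaked the data.
WIFI_LEAK_ACTIONS = {
    "android.net.wifi.STATE_CHANGE": "WifiManager.NETWORK_STATE_CHANGED_ACTION",
    "android.net.wifi.p2p.THIS_DEVICE_CHANGED":
        "WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION",
}

def find_wifi_receivers(manifest_xml):
    """Return (receiver_name, action) for each <receiver> filtering a leak-prone action."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "?")
        for action in receiver.iter("action"):
            value = action.get(ANDROID_NS + "name")
            if value in WIFI_LEAK_ACTIONS:
                hits.append((name, value))
    return hits

def vetting_report(manifest_xml):
    """One line per hit; empty string when the manifest is clean."""
    return "\n".join(f"{name} listens for {action} ({WIFI_LEAK_ACTIONS[action]})"
                     for name, action in find_wifi_receivers(manifest_xml))

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <receiver android:name=".NetListener">
      <intent-filter>
        <action android:name="android.net.wifi.STATE_CHANGE"/>
        <action android:name="android.net.wifi.p2p.THIS_DEVICE_CHANGED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootListener">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""
```

Receivers registered at runtime with registerReceiver() never appear in the manifest, so a clean result from this check only rules out static subscriptions; a full review also needs to inspect the app's code for those calls.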

Millions of users are potentially affected, as all versions of Android, including OS forks such as Amazon's FireOS for the Kindle, are vulnerable. In early August, Google patched the flaw in Android P, commonly known as Android 9 Pie.

Google has declined to fix older versions of Android, stating that doing so would be a breaking API change. Users are encouraged to upgrade to the latest version of Android.


Original Article

Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]