Security bods: Android system broadcasts enable user tracking
Bypassing permission protection on network info
Security researchers have found a way to sniff Android system broadcasts to expose Wi-Fi connection information to attackers.
Tracked as CVE-2018-9489, the issue was discovered by Nightwatch Cybersecurity and published yesterday. If you can, upgrade to Android 9 (Pie), because there's no plan to fix older versions.
What they found was that the system broadcasts spaff “Wi-Fi network name, BSSID, local IP addresses, DNS server information and the MAC address” to any application running on the device, even though this is supposed to be protected information, “bypassing any permission checks and existing mitigations”.
The reason older Android versions won't get a fix, the post claimed, is that Google said it would break older APIs.
The problem is in how application developers use what Android calls “intents” for inter-process communication. The Nightwatch post explained: “While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data”.
The intents in question are in the WifiManager
NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s
WIFI_P2P_THIS_DEVICE_CHANGED_ACTION, the post said.
Android data slurping measured and monitoredREAD MORE
An application trying to get information like MAC address, network name, IP gateway and so on from the WiFiManager process would raise a dialogue to get user permission, but that information is readable as system broadcasts, the post said.
As a result, an attacker creating a malicious application could harvest the system broadcast info from a user, send it “home”, use the MAC address to track the device's movement between networks (in spite of Android's MAC address randomisation, the post said), and compare network IDs to public databases.
As proof that the broadcasts are sniffable, Nightwatch points to this app at the Play Store by Lithuanian developer Vilius Kraujutis (@viliusk on Twitter). Developers need fewer than 20 lines of code to sniff the information in applications.
Kraujutis's source code is also available at GitHub. ®