Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Leaks Location Data Via Wi-Fi

Posted by Soulskill on from the we-all-know-about-your-addiction-to-krispy-kreme dept.

Bismillah writes: The Preferred Network Offload feature in Android extends battery life, but it also leaks location data, according to the Electronic Frontier Foundation. What's more, the same flaw is found in Apple OS X and Windows 7. "This location history comes in the form of the names of wireless networks your phone has previously connected to. These frequently identify places you've been, including homes ('Tom’s Wi-Fi'), workplaces ('Company XYZ office net'), churches and political offices ('County Party HQ'), small businesses ('Toulouse Lautrec's house of ill-repute'), and travel destinations ('Tehran Airport wifi'). This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi."

17 of 112 comments (clear)

  1. Wrong title by crashumbc · · Score: 5, Insightful

    Should be popular SMART PHONES leak WiFi data.

    Sensationalist bullshit

  2. Not just Android by AmiMoJo · · Score: 5, Insightful

    The sensational headline fails to mention that most operating systems, including OSX and Windows, are affect. In fact most wifi devices are and we have known about this problem since the early days of wifi.

    I wish I had the time to mod the shit down before it hit the front page.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Not just Android by jrumney · · Score: 4, Informative

      The headline also fails to mention that only manually configured networks are affected (or perhaps old versions of Android, I don't remember the details from the comments to the story about 6 months ago regarding the exact same "flaw" in iOS). This is why it is a BAD idea for security to turn off access point beacons - because if your access point is not sending out beacons to identify itself, then the clients need to send out connection requests blindly - wherever they are.

    2. Re:Not just Android by jones_supa · · Score: 3, Insightful

      I have one neighbor that for some insane reason named his after his address. 123 Johnson road

      He is just politely revealing who is the owner of the station. In this way it can also be seen as a responsible thing. If that particular station is causing some kind of problems to others, it is easy to contact the owner to discuss about it.

    3. Re:Not just Android by itzly · · Score: 4, Funny

      I have one neighbor that for some insane reason named his after his address. 123 Johnson road

      Even worse, I have a neighbor who has his house number plainly visible right next to his front door, and the name of the street is clearly marked at the intersection. Total nutcase, if you ask me. Anybody who knows his address can just go and visit him.

    4. Re: Not just Android by Em+Adespoton · · Score: 3, Informative

      To be a decent analogy, they'd need it affixed to something mobile, like their car, as well as to their house.

      The point here is that the CLIENTS start broadcasting the string whenever they're not connected to Wifi. So his phone/laptop will be advertising where their owner lives whenever he's away from home with them.

      If you still don't get it, it's like everyone in his family wearing a T-shirt that says "My home address is 123 Johnson Rd -- and if you're reading this, I'm probably not at home".

      It makes burglary easy, and stalking as well.

  3. Enough time to connect to Wi-Fi by geogob · · Score: 2

    "[...] because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi."

    I though driving by an open hotspot on the highway was enough time to use it. At least they would know on which Highway I drove.

    1. Re:Enough time to connect to Wi-Fi by jrumney · · Score: 2

      I though driving by an open hotspot on the highway was enough time to use it.

      Only with 802.11p which allows data transfer without associating to the access point, and maybe the still under development 802.11ai, which aims to speed up the time required for association to under 100ms.

  4. Re:Noticed this before by jrumney · · Score: 4, Informative

    Its the scan of nearby networks bit where it needs to send out the WiFi networks it wants to connect to. That's why making your SSID hidden is a security anti-pattern. Tell the owners of the networks you connect to to stop doing it - anyone nearby can see all the clients making requests to join your network, so it isn't adding any security in your near vicinity, and elsewhere, others can still see your clients trying to connect to your network wherever they are, because to connect to hidden networks you have to go out and proactively look for them.

  5. Laptops too? by Lawrence_Bird · · Score: 2

    So basically it sounds like anything using the wpa_supplicant code may do this? I can understand why it may be necessary for a hidden network, don't understand why the connecting party would ever transmit anything about past connections for public networks. Isn't SSID included in the beacon every 100ms or so?

  6. Why mention Android in the title? by Threni · · Score: 2

    "What's more, the same flaw is found in Apple OS X and Windows 7."

    Clickbait, maybe?

  7. Free Wifi by AndyCanfield · · Score: 3, Interesting

    Here in Thailand / Laos I have recently seen massage parlor signs advertising "Free Wifi". You get in a room with a beautiful lady and she rubs her hands all over your body. Why would you want to check your e-mail? And certainly you would not "Exotic Massage" to show up in your wifi list. But remember that phones are like that. I manually checked my wife's call history to see if she had telephoned my girlfriend.

    1. Re:Free Wifi by tepples · · Score: 2

      If by "wifi list" you mean the list of known SSIDs on a device, that can be solved by using your device's user switching and making some SSIDs private to one user. Unfortunately, Android doesn't seem to implement multi-user for devices with screens smaller than 7 inches, and I don't know whether known SSIDs are user-specific or system-wide.

      If by "wifi list" you mean the topic of the article (a list collected by someone listening for probe requests for hidden SSIDs), an SSID will appear only if 1. it has a hidden SSID, and 2. your device sends probe requests automatically instead of manually, and 3. your device doesn't use cellular or GPS location to determine which SSIDs' probe requests to send.

  8. Droid does what iDon't: SSID spotting by tepples · · Score: 3, Interesting

    For fun, grab an Android app called WifiCollector.

    Or MozStumbler, from the makers of Firefox.

    But if you're looking for something similar on iOS, you won't find anything on the App Store because there's no public API to log seen SSIDs on iOS. Instead of making a public API, Apple instead just decided to blacklist the entire category of applications in March 2010.

  9. Google already snoops on Android locations for Ads by recoiledsnake · · Score: 2

    They actually track which stores you visit to monetize ads. If you opt out then a lot of things including Google Now stop working.

    http://digiday.com/platforms/g...

    They even do the same thing on iOS if you use Gmail, Chrome or Google Now apps.

    It is easiest for Google to conduct this passive location tracking on Android users, since Google has embedded location tracking into the software. Once Android users opt in to location services, Google starts collecting their location data as continuously as technologically possible. (Its ability to do so is dependent on cell tower or Wi-Fi signal strength.)

    Android is currently the leading mobile OS in the U.S. with a 45.9 percent market share in 2013, according to eMarketer. A little more than a fifth (20.3 percent) of the U.S. population uses Android smartphones.

    But Google can also constantly track the location of iPhone users by way of Google apps for iOS, Apple’s mobile operating system. IOS is just behind Android in U.S. market share with 38.3 percent of users, per eMarketer. Nearly 17 percent of the American populace uses an iOS smartphone.

    When an iPhone user stops using an app, it continues running “in the background.” The user might not realize it, but the app continues working, much in the same way tabs function on a Web browser.

    Google’s namesake iOS app — commonly referred to as Google mobile search — continues collecting a user’s location information when it runs in the background. This information is then used to determine if that user visited a store and whether that store visit can be attributed to a search conducted in the app. Store visits can also be tracked via Google’s other iOS apps that use location services. If iOS users open their Chrome, Gmail or Google Maps app in a store, their location can be deemed a store visit.

    And they recently stopped snooping on the free Google Apps and email for Schools and even businesses after doing it for a long time to build ad profiles after they didn't dare telling the same lies in federal court that they were telling to the public about snooping on students to show ads.

    http://www.edweek.org/ew/artic...

    http://www.edweek.org/ew/artic...

    But hey, it's Google so they get a free pass here while if MS did anything even close to that people would be shouting from rooftops.

    --
    This space for rent.
  10. Re: Except iOS after version 5 apparently by tlhIngan · · Score: 3, Informative

    iOS is still happily twirping your data, hence the mac change in iOS 8.

    No, that's solving a different problem, namely one of tracking. In sending probe frames (to find out what accesspoints are around) it uses a random MAC address in order to foil those MAC address sniffers they plant in malls and stores that are used to track people as they wander around.

    FYI - Android does not have this feature (yet).

  11. Re:Headline Whore Much Soulskill/Dice Holdings ? by Jabrwock · · Score: 2

    Because OS X and Windows 7 aren't mobile OSs? The article does address that, and states that it doesn't believe the risk to laptop users to be worth more than a mention, because laptops are generally powered down when moving around, unlike smartphones that keep scanning.

    --
    Magic doesn't work in my presence. My power of disbelief is too strong.