Slashdot Mirror


Android Bug Allows Geolocation Tracking of Users (duo.com)

Trailrunner7 writes: Researchers have discovered a weakness in all versions of Android except 9, the most recent release, that can allow an attacker to gather sensitive information such as the MAC address and BSSID name and pinpoint the location of an affected device. The vulnerability is a result of the way that Android broadcasts device information to apps installed on a device. The operating system uses a mechanism known as an intent to send out information between processes or applications, and some of the information about the device's WiFi network interface sent via a pair of intents can be used by an attacker to track a device closely.

A malicious app -- or just one that is listening for the right broadcasts from Android -- would be able to identify any individual Android device and geolocate it. An attacker could use this weakness to track a given device, presumably without the user's knowledge. Although Android has had MAC address randomization implemented since version 6, released in 2015, Yakov Shafranovich of Nightwatch Cybersecurity said his research showed that an attacker can get around this restriction.

46 comments

  1. Wha? Teh Google Doing This? No way? by Anonymous Coward · · Score: 0

    Wayyyyy!

  2. Wow. That is pathetic by 110010001000 · · Score: 5, Interesting

    That is a really pathetic implementation by Google. The idea is that your application should have to register for special permissions to access this information, but apparently the system broadcasts it to all listening applications on the device. The fact that this actually exists makes me wonder about the entire codebase. There should be a single point in the code where intents are sent out and matched against access/permissions. It sounds like spaghetti.

    1. Re:Wow. That is pathetic by 110010001000 · · Score: 1

      Although now that I look at it more, it looks like you DO have to have wifi state access permissions. So it is debatable if this really is a bug or not.

    2. Re:Wow. That is pathetic by 110010001000 · · Score: 3, Funny

      Ooops take it back. Doesn't require any permissions at all. I'm back to pathetic again.

    3. Re:Wow. That is pathetic by Anonymous Coward · · Score: 0

      Android was designed to be the OS for all consumer tracking devices. It was written for advertisers, marketers, and retailers to be paid for by the consumer.

    4. Re:Wow. That is pathetic by 110010001000 · · Score: 1

      Mom says I am big boned.

    5. Re:Wow. That is pathetic by Xylantiel · · Score: 2

      Yeah, this is sad. I'm not sure what idiot at Google thought it was okay to broadcast wifi state info to apps that don't have permission to access the wifi state. I can see how it might be ambiguous whether the BSSID or the base station MAC are included in "wifi state" information, but obviously if I have denied an app permission to access wifi state I didn't just mean it can't request wifi state information, really I meant that it shouldn't be given it by the OS.

      Another question: What information do these broadcasts contain in LineageOS?

    6. Re:Wow. That is pathetic by Xylantiel · · Score: 2

      Also, the article says that the issue is being "fixed", but it is still unclear if an app with "network state" permission has access to the BSSID or base station mac, which in many cases effectively gives coarse location. I have often wondered whether requesting "network state" permission was a sneaky way to do geolocation, but never looked into it carefully. And, once again, my next question would be whether the information available to apps with network state permission is different for LineageOS.

    7. Re:Wow. That is pathetic by 110010001000 · · Score: 1

      I'm not sure they are really going to fix it. It says it is a "breaking API change". It is strange that they are broadcasting wifi state information to all apps, completely bypassing any access control. I guess it has been going on for 10 years or so. They also broadcast route information + DNS server IPs.

    8. Re:Wow. That is pathetic by Anonymous Coward · · Score: 0

      Seriously, anyone there actually has a computing degree and experience.
      In 1972 ; mainframes
      Sensitive info protected not in everyday getmains and heaps.
      Password buffers and the like protected and overwritten asap
      Mindful of mini-dumps and program traces
      On-error situations
      Security services running away from everyday tasks
      Gaps on startup and shutdown; security active before others can get in
      Send and broadcast messages were restricted
      Classes of messages to different consoles
      Logging service restricted - hey just read stuff.

      I believe SE Linux is pretty old, but the concepts were understood then. BTW Intel's ME engine usurps the real OS, and I don't believe the OS can disable or even LOG what the ME is doing.

  3. Packet by Anonymous Coward · · Score: 0

    Does anyone know how the "intent" data looks when sent to an App? How much data? 1024 chars worth? Megabytes worth?

    Asking for a friend.

    1. Re:Packet by 110010001000 · · Score: 1

      You can download the "Internal Broadcasts Monitor" app from the store and see the data yourself.

    2. Re: Packet by astrofurter · · Score: 1

      +1 informative

  4. Nobody cares where I am by Lije+Baley · · Score: 1

    Yeah, when I was young, I used to fantasize about the government knowing what library books I had checked out. Now I know that I am nobody, just like 98% of everybody. My private information, aside from that necessary for financial transactions, is worthless. If you're not in the public eye, nobody gives a fsck.

    --
    Strange things are afoot at the Circle-K.
    1. Re:Nobody cares where I am by Anonymous Coward · · Score: 0

      Until you go on that shooting rampage.

    2. Re:Nobody cares where I am by 110010001000 · · Score: 1

      That isn't true. The various data collecting corporations (credit, tech, etc) DO care about your individual data as it can be used to determine your risk for a loan, what ads you receive, insurance rates, etc. They care very deeply. That is why Windows 10 is essentially free now.

    3. Re:Nobody cares where I am by ArylAkamov · · Score: 1

      Hah yeah man, who cares about rights and privacy anyway. That stuff's for criminals!
      Now please talk louder, my phone can't hear you.

    4. Re:Nobody cares where I am by Anonymous Coward · · Score: 0

      They care about having a profile. Whether it is accurate or not is someone else’s problem. They will backfill what they can’t get reliably with whatever else is at hand.

      I’m not saying this isn’t a serious problem. I’m just saying that being paranoid about maintaining your (illusion of) privacy is a waste of time and probably counterproductive.

      If you actually care about these abuses, you aren’t easing your time trying worrying about this.

    5. Re:Nobody cares where I am by 110010001000 · · Score: 1

      Well in this case your location is 100% accurately tracked and attached to your profile so I guess you should care.

    6. Re:Nobody cares where I am by antdude · · Score: 1

      NBA, Comcast, Toyota, CBS, Obama, health, etc. care!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re:Nobody cares where I am by Anonymous Coward · · Score: 0

      All it takes is one bad study from a grad student to link some random behavior to some type of criminal or unwanted behavior and suddenly data mining will pick you out as a trouble maker and thus you'll start to be randomly blacklisted.

      Or some crazy person takes an innocent symbol that you've enjoyed, does bad things under it, and suddenly you're associated and mugged for it. The biggest example of that happening is the swastika and Hitler's mustache. Both of which were proud symbols used by many people and groups before WW2. Today you have people on Slashdot saying anyone with those symbols should be beaten up and their freedom of speech taken away.

      Did you know some online stores show new users lower prices compared to when the site figures out you're a return user? I'm not talking about discount coupons, I'm talking about their listed prices.

      Nobody gives a fuck about you, which is also why a troll may single you out to have a bit of fun.

      I'm not saying live in fear, but privacy does matter in our immature society.

    8. Re:Nobody cares where I am by Lije+Baley · · Score: 1

      Yeah, and I might get hit by a meteorite while taking a ride on my bicycle too.

      --
      Strange things are afoot at the Circle-K.
  5. Android fucking sucks by Anonymous Coward · · Score: 0

    Why would anyone buy an adware phone?

  6. Why assume it is a bug? by BobK65 · · Score: 2, Interesting

    Maybe it is just an undocumented feature installed for those in the know.

    1. Re:Why assume it is a bug? by Anonymous Coward · · Score: 0

      This. Obviously.

    2. Re: Why assume it is a bug? by astrofurter · · Score: 1

      Obviously a feature. Not only is Big Brother Google always watching... he likes to invite his friends to watch, too.

  7. Hmmm by Anonymous Coward · · Score: 0

    So someone would be HIDDEN on the highway following me OR in the bathroom of my office, tracking me

  8. You call it a bug by WillAffleckUW · · Score: 1

    We call it a feature.

    --
    -- Tigger warning: This post may contain tiggers! --
  9. Not going to be fixed by SuperKendall · · Score: 1

    When they try out removing the info and every ad network on the planet crashes every app because that data is unexpectedly null, what can Google realistically do???

    At some point the horses are not just out of the barn, the barn has caught fire and there is no barn to put them back into.

    I have serious reservations this should be counted as a bug though. I am nearly 100% sure this was by design. Even if you wanted to give Google the benefit of the doubt in regards to intent you could imagine some technical person simply thinking that information could be useful to an app so why shouldn't everyone be able to read it?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. Re:Wha? Teh Google Doing This? No way? by Anonymous Coward · · Score: 0

    Don't worry, once minor-god-lite Torvalds gets GPS in the kernel you can blame him and not the happy little green man who does no evil.

  11. Pls, technical users... by Anonymous Coward · · Score: 0

    Tell me again how Android is a superior OS to Apple's.
    Jesus, it's the blind leading the blind.

    1. Re:Pls, technical users... by OrangeTide · · Score: 1

      TBH they are both pretty shitty platforms.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Pls, technical users... by TheFakeTimCook · · Score: 0

      TBH they are both pretty shitty platforms.

      Sorry, you're dead wrong.

      Compared with iOS, Android is a sad, sad Dumpster Fire excuse for a wannabe OS. ...And Spyware besides!

    3. Re:Pls, technical users... by Anonymous Coward · · Score: 0

      But I read that the smartest people use Android.

    4. Re:Pls, technical users... by OrangeTide · · Score: 2

      No spyware in AOSP. But when people say Android they are referring to about two dozen forks of it. And it's really tough to generalize about such a diverse set.

      All I know is that Android dev tools are free, and I can post my shitty apps on the Play Store. Unlike Apple that enforces arbitrary and ever changing standards and keeps taking my stuff down. Maybe if I were a professional company instead of a hobbyist the App store would be more manageable but for hobbyist hackers, Android is the easier platform to target.

      P.S. I don't think you're sorry at all.

      --
      “Common sense is not so common.” — Voltaire
    5. Re:Pls, technical users... by Anonymous Coward · · Score: 0

      Could you take a moment to explain why? Just like 4 reasons.

    6. Re:Pls, technical users... by Anonymous Coward · · Score: 0

      P.S. I don't think you're sorry at all.
       
      Perhaps not but I do think you're a cunt.

    7. Re:Pls, technical users... by OrangeTide · · Score: 1

      whoohoo someone is thinking of me!

      --
      “Common sense is not so common.” — Voltaire
    8. Re:Pls, technical users... by TheFakeTimCook · · Score: 1

      No spyware in AOSP. But when people say Android they are referring to about two dozen forks of it. And it's really tough to generalize about such a diverse set.

      All I know is that Android dev tools are free, and I can post my shitty apps on the Play Store. Unlike Apple that enforces arbitrary and ever changing standards and keeps taking my stuff down. Maybe if I were a professional company instead of a hobbyist the App store would be more manageable but for hobbyist hackers, Android is the easier platform to target.

      P.S. I don't think you're sorry at all.

      Perhaps your Apps keep getting taken down precisely because they ARE Shitty (Your words).

      And the Dev Tools ARE free for iOS, too, if you have a Mac.

  12. Pokemon Go by Anonymous Coward · · Score: 0

    ... now we know how Niantic has been able to detect the Pokemon Go spoofers on Android lately.

  13. And it is really easy to access it. by haninaguib · · Score: 1

    Sample app with 'zero' permissions and still can access wifi mac (even when wifi is switched off) https://github.com/haninaguib/...

  14. Bug? by thomn8r · · Score: 1

    I just assumed this behavior was in the original Android spec.

  15. technically correct. the best(?) kind of correct by OrangeTide · · Score: 1

    Tools are included free with a 99 USD per membership year fee...

    --
    “Common sense is not so common.” — Voltaire