Android Bug Allows Geolocation Tracking of Users

Trailrunner7 writes: Researchers have discovered a weakness in all version of Android except 9, the most recent release, that can allow an attacker to gather sensitive information such as the MAC address and BSSID name and pinpoint the location of an affected device. The vulnerability is a result of the way that Android broadcasts device information to apps installed on a device. The operating system uses a mechanism known as an intent to send out information between processes or applications, and some of the information about the device's WiFi network interface sent via a pair of intents can be used by an attacker to track a device closely.

A malicious app -- or just one that is listening for the right broadcasts from Android -- would be able to identify any individual Android device and geolocate it. An attacker could use this weaknesses to track a given device, presumably without the user's knowledge. Although Android has had MAC address randomization implemented since version 6, released in 2015, Yakov Shafranovich of Nightwatch Cybersecurity said his research showed that an attacker can get around this restriction.

Wow. That is pathetic

[110010001000]

That is really pathetic implementation by Google. The idea is that your application should have to register for special permissions to access this information, but apparently the system broadcasts it to all listening applications on the device. The fact that this actually exists makes me wonder about the entire codebase. There should be single point in the code where intents are sent out and matched against access/permissions. It sounds like spaghetti.

Why assume it is a bug?

[BobK65]

Maybe it is just an undocumented feature installed for those in the know.