Android vulnerability exposes users' data via wi-fi


Nightwatch Cybersecurity researchers identified a sensitive data exposure via a wi-fi broadcast vulnerability in Android OS.

Researchers discovered that system broadcasts sent by Android devices expose information about the user's device to all applications running on the device. These broadcasts can be intercepted, bypassing any permission checks and existing mitigations on the vulnerable device, according to a 29 August blog post.

“Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomisation is used,” researchers said in the post. “The network name and BSSID can be used to geolocate users via a lookup against a database of BSSID such as WiGLE or SkyHook.”

The vulnerability is in part due to application developers neglecting to implement restrictions that properly mask sensitive data. This leads to a common vulnerability within Android applications, in which a malicious application running on the same device can spy on and capture messages being broadcast by other applications.

The vulnerability was patched in Android P / 9. Because the fix would be a breaking API change, the vendor does not plan to fix prior versions of Android, so users are encouraged to update their systems as soon as possible.
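The application-side mistake described above (broadcasts sent without restricting who may receive them) can be checked for in source review. The following Python check is an added example, not code from the article or from the researchers' post; the Java snippet, its `com.example.app` names and the single-line regex heuristic are constructed for illustration.

```python
import re

# Constructed sample of app code (not from the article): three ways to send a broadcast.
SAMPLE_JAVA = '''
Intent status = new Intent("com.example.app.SYNC_STATUS");
status.putExtra("account", email);
context.sendBroadcast(status);

Intent scoped = new Intent("com.example.app.SYNC_DONE");
scoped.setPackage(context.getPackageName());
context.sendBroadcast(scoped);

Intent guarded = new Intent("com.example.app.TOKEN_REFRESH");
context.sendBroadcast(guarded, "com.example.app.permission.INTERNAL");
'''

# sendBroadcast(intent) or sendBroadcast(intent, receiverPermission)
SEND = re.compile(r'\bsendBroadcast\s*\(\s*(\w+)\s*(,[^)]*)?\)')
# Intent methods that pin the broadcast to one package or component
SCOPE = re.compile(r'\b(\w+)\.(setPackage|setComponent|setClass|setClassName)\s*\(')


def audit_broadcasts(java_source):
    """Return (line_no, intent_var) for each broadcast any installed app could receive.

    Heuristic: a call is flagged when the Intent variable was never scoped to a
    package/component earlier in the source and no receiver permission is passed.
    """
    findings = []
    scoped_vars = set()
    for line_no, line in enumerate(java_source.splitlines(), 1):
        scope = SCOPE.search(line)
        if scope:
            scoped_vars.add(scope.group(1))
        for call in SEND.finditer(line):
            var, extra = call.group(1), call.group(2)
            # A literal null permission gives no protection.
            has_permission = extra is not None and extra.strip(', \t') not in ('', 'null')
            if var not in scoped_vars and not has_permission:
                findings.append((line_no, var))
    return findings


if __name__ == "__main__":
    for line_no, var in audit_broadcasts(SAMPLE_JAVA):
        print(f"line {line_no}: Intent '{var}' is broadcast to every app on the device")
```

Only the first call in the sample is flagged; the other two show the two usual fixes, scoping the Intent with `setPackage` or requiring a receiver permission.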

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition