Android Devices Running Versions Below Android 9.0 Pie Vulnerable to Tracking by Apps: Researchers
Researchers have pointed out an Android security flaw that apparently exposes details about a user’s device to all applications running on the device. Google has provided a fix for it in its latest Android version – Android Pie – but older versions are still vulnerable to the issue, researchers claim. The vulnerability essentially allows apps to move past permissions to get access to information found in system broadcasts. It includes details such as the name of the Wi-Fi network that the Android device is using, the MAC address of the device, local IP addresses, BSSID, and DNS server information. All of this leaves the devices easy to locate and track.
The Android security flaw (CVE-2018-9489) was found by researchers from Nightwatch Cybersecurity, who have warned that the vulnerability can be used to “uniquely identify and track any Android device” and also to “geolocate users”. While the advisory mentions all the information that the apps can access, it also states that some of the details such as MAC address are no longer available via APIs on Android 6 and higher. Also, extra permissions are usually required to get access to such information. However, the report adds, by listening to system broadcasts, any app on Android devices can get the information “thus bypassing any permission checks and existing mitigations.”
Meanwhile, the report claims that Google has fixed the security flaw with Android 9.0 Pie. Unfortunately, the availability of the final build is currently limited to only Google’s Pixel range of smartphones and tablets, and the Essential Phone. A recent report revealed that the share of Android smartphones running Android Pie was less than 0.1 percent in August. The Nightwatch Cybersecurity report says that Google is not planning on fixing this flaw on older versions of the OS.
It is also worth mentioning that not only smartphones with older Android versions are vulnerable to this flaw, but also devices running a forked version of Android are also vulnerable. Devices such as Amazon Fire Phone and Fire Tablets run forked versions of Android.