Skip to content

Use of Wifi API that contains or leaks sensitive PII

Use of Wifi API that contains or leaks sensitive PII

Description

The application is using requesting the ACCESS_WIFI_STATE interface and calling APIs like getConnectionInfo to access sensitive information about the Wi-Fi access point, like BSSID, SSID, and RSSI, and about the device, like MAC address and IP address.

This API is known to be abused to access PII information like:

  • Unique device identifier using the device's MAC address
  • Geolocation data by using about surrounding Wi-Fi access points
  • Travel history and social link by tracking users connecting to the same access points

Recommendation

While Android 9 has introduced new restrictions to access these APIs, the collection of Wi-Fi data to profile users is a known practice popular among Ads SDK and third-party analytics libraries.

Collection of these data is in most cases not required and should either disabled, or 3rd party libraries accessing it should be replaced with privacy-aware libraries.

Standards

  • OWASP_MASVS_L1:
    • MSTG_ARCH_12
  • OWASP_MASVS_L2:
    • MSTG_ARCH_12
  • GDPR:
    • ART_5
    • ART_25
    • ART_32
    • ART_35
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_7_3
  • OWASP_MASVS_v2_1:
    • MASVS_PRIVACY_2
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5