Skip to content

Use of Wifi API that contains or leaks sensitive PII

Use of Wifi API that contains or leaks sensitive PII


The application is using requesting the ACCESS_WIFI_STATE interface and calling APIs like getConnectionInfo to access sensitive information about the Wi-Fi access point, like BSSID, SSID, and RSSI, and about the device, like MAC address and IP address.

This API is known to be abused to access PII information like:

  • Unique device identifier using the device's MAC address
  • Geolocation data by using about surrounding Wi-Fi access points
  • Travel history and social link by tracking users connecting to the same access points


While Android 9 has introduced new restrictions to access these APIs, the collection of Wi-Fi data to profile users is a known practice popular among Ads SDK and third-party analytics libraries.

Collection of these data is in most cases not required and should either disabled, or 3rd party libraries accessing it should be replaced with privacy-aware libraries.


    • MSTG_ARCH_12
    • MSTG_ARCH_12
  • GDPR:
    • ART_5
    • ART_25
    • ART_32
    • ART_35
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_7_3