Use of Wifi API that contains or leaks sensitive PII
Description
The application requests the ACCESS_WIFI_STATE permission and calls APIs like getConnectionInfo to access sensitive information about the Wi-Fi access point, like BSSID, SSID, and RSSI, and about the device, like MAC address and IP address.
This API is known to be abused to access PII such as:
- Unique device identifier using the device's MAC address
- Geolocation data by using information about surrounding Wi-Fi access points
- Travel history and social links by tracking users connecting to the same access points
Recommendation
While Android 9 has introduced new restrictions on access to these APIs, the collection of Wi-Fi data to profile users is a known practice popular among ad SDKs and third-party analytics libraries.
Collection of this data is in most cases not required and should either be disabled, or third-party libraries accessing it should be replaced with privacy-aware libraries.
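One way to check an app for this finding and see which code is responsible, as an added example that is not part of the original page: the Python below reads a decoded AndroidManifest.xml for the ACCESS_WIFI_STATE permission and scans decompiled sources for the WifiManager/WifiInfo calls that return these identifiers, marking call sites outside the app's own package as likely bundled SDKs. The function name `audit_wifi_usage`, the package names and the sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
WIFI_PERMISSION = "android.permission.ACCESS_WIFI_STATE"
# WifiManager / WifiInfo calls that return the identifiers listed above.
WIFI_CALLS = re.compile(r"\.(getConnectionInfo|getScanResults|getBSSID|"
                        r"getSSID|getRssi|getMacAddress|getIpAddress)\s*\(")
PACKAGE_DECL = re.compile(r"^\s*package\s+([\w.]+)", re.MULTILINE)


def audit_wifi_usage(manifest_xml, sources):
    """Return (permission_requested, findings); sources maps path -> code."""
    root = ET.fromstring(manifest_xml)
    app_package = root.get("package", "")
    requested = any(e.get(ANDROID_NS + "name") == WIFI_PERMISSION
                    for e in root.iter("uses-permission"))
    findings = []
    for path, text in sorted(sources.items()):
        decl = PACKAGE_DECL.search(text)
        code_package = decl.group(1) if decl else ""
        # Code outside the app's own package is a likely bundled SDK.
        third_party = not (code_package + ".").startswith(app_package + ".")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in WIFI_CALLS.finditer(line):
                findings.append({"file": path, "line": lineno,
                                 "api": match.group(1),
                                 "third_party": third_party})
    return requested, findings


# Constructed sample input: a minimal manifest and two source files.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""
SAMPLE_SOURCES = {
    "app/NetStatus.java": "package com.example.app.net;\n"
                          "class NetStatus { int s(WifiManager w) {\n"
                          "  return w.getConnectionInfo().getRssi(); } }\n",
    "sdk/Tracker.java": "package com.adsdk.example;\n"
                        "class Tracker { String id(WifiInfo i) {\n"
                        "  return i.getMacAddress() + i.getBSSID(); } }\n",
}

if __name__ == "__main__":
    print(audit_wifi_usage(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

Findings with `third_party` set to true are the candidates for removal or replacement with a privacy-aware library; if none of the app's own code needs the data, the permission itself can be dropped from the manifest.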
Links
Standards
- OWASP_MASVS_L1:
- MSTG_ARCH_12
- OWASP_MASVS_L2:
- MSTG_ARCH_12