Use of Wifi API that contains or leaks sensitive PII

Description

The application is using requesting the ACCESS_WIFI_STATE interface and calling APIs like getConnectionInfo to access sensitive information about the Wi-Fi access point, like BSSID, SSID, and RSSI, and about the device, like MAC address and IP address.

This API is known to be abused to access PII information like:

Unique device identifier using the device's MAC address
Geolocation data by using about surrounding Wi-Fi access points
Travel history and social link by tracking users connecting to the same access points

Recommendation

While Android 9 has introduced new restrictions to access these APIs, the collection of Wi-Fi data to profile users is a known practice popular among Ads SDK and third-party analytics libraries.

Collection of these data is in most cases not required and should either disabled, or 3rd party libraries accessing it should be replaced with privacy-aware libraries.

Links

Standards

OWASP_MASVS_L1:
- MSTG_ARCH_12
OWASP_MASVS_L2:
- MSTG_ARCH_12