Use of Wifi API that contains or leaks sensitive PII
Use of Wifi API that contains or leaks sensitive PII
Description
The application is using requesting the ACCESS_WIFI_STATE
interface and calling APIs like getConnectionInfo
to access sensitive information about the Wi-Fi access point, like BSSID, SSID, and RSSI, and about the device, like MAC address and IP address.
This API is known to be abused to access PII information like:
- Unique device identifier using the device's MAC address
- Geolocation data by using about surrounding Wi-Fi access points
- Travel history and social link by tracking users connecting to the same access points
Recommendation
While Android 9 has introduced new restrictions to access these APIs, the collection of Wi-Fi data to profile users is a known practice popular among Ads SDK and third-party analytics libraries.
Collection of these data is in most cases not required and should either disabled, or 3rd party libraries accessing it should be replaced with privacy-aware libraries.
Links
Standards
- OWASP_MASVS_L1:
- MSTG_ARCH_12
- OWASP_MASVS_L2:
- MSTG_ARCH_12
- GDPR:
- ART_5
- ART_25
- ART_32
- ART_35
- PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- REQ_6_3
- REQ_7_3