Use of Wifi API that contains or leaks sensitive PII

Description

The application is using requesting the ACCESS_WIFI_STATE interface and calling APIs like getConnectionInfo to access sensitive information about the Wi-Fi access point, like BSSID, SSID, and RSSI, and about the device, like MAC address and IP address.

This API is known to be abused to access PII information like:

Unique device identifier using the device's MAC address
Geolocation data by using about surrounding Wi-Fi access points
Travel history and social link by tracking users connecting to the same access points

Recommendation

While Android 9 has introduced new restrictions to access these APIs, the collection of Wi-Fi data to profile users is a known practice popular among Ads SDK and third-party analytics libraries.

Collection of these data is in most cases not required and should either disabled, or 3rd party libraries accessing it should be replaced with privacy-aware libraries.

Links

Standards

OWASP_MASVS_L1:
- MSTG_ARCH_12
OWASP_MASVS_L2:
- MSTG_ARCH_12
GDPR:
- ART_5
- ART_25
- ART_32
- ART_35
PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- REQ_6_3
- REQ_7_3
OWASP_MASVS_v2_1:
- MASVS_PRIVACY_2
SOC2_CONTROLS:
- CC_2_1
- CC_4_1
- CC_7_1
- CC_7_2
- CC_7_4
- CC_7_5