Sign up to our newsletter
The latest security news direct to your inbox
A feature in newer Android phones puts users’ privacy at risk – effectively broadcasting an accurate location history over the air, even when a device’s screen is turned off, according to the Electronic Frontier Foundation.
“Do you own an Android device? Is it less than three years old? If so, then when your phone’s screen is off and it’s not connected to a Wi-Fi network, there’s a high risk that it is broadcasting your location history to anyone within Wi-Fi range that wants to listen,” the group warns.
The Next Web reports that the leak affects newer Android gadgets – those running Android Honeycomb (3.1) or later. The 3.1 version of the operating system introduced a feature called Preferred Network Offload, designed to conserve battery and connect easily to known Wi-Fi networks – but it broadcasts the name of the previous 15 networks the handset has visited.
Android handsets continue to broadcast this information even in sleep mode – connecting via Wi-Fi consumes less power than connecting via a mobile network. The EFF found that with one Motorola handset, the Droid 4, the only way to make sure the phone is not broadcasting personal information, is for the user to instruct the handset to manually forget any network whose name they want to keep private, or to turn Wi-Fi off entirely.
EFF says that the leak is more concerning than leaks involving raw location data – as it broadcasts the names of Wi-Fi networks in clearly readable language, rather than a string of data. An attacker would be quickly able to work out, say, that a victim had visited a Starbucks, or that he had visited a work network, by eavesdropping on the signal then manually looking for network names.
“This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places that you’ve spent enough time to use the Wi-Fi,” the group wrote in its blog post.
The Register points out that the ready availability of such data has more serious implications for privacy – and that the range of known networks could plausibly be used to identify individuals.
“If a person is carrying a mobile device that has recently accessed the Wi-Fi networks at your home, your work, and your union hall, there’s a good chance that person is you,” The Register commented. “Even if you buy a new phone every week, as long as you keep connecting to Wi-Fi, snoops can spot you.”
Google responded to the EFF by saying, “We take the security of our users’ location data very seriously and we’re always happy to be made aware of potential issues ahead of time. Since changes to this behavior would potentially affect user connectivity to hidden access points, we are still investigating what changes are appropriate for a future release.”
For now, privacy-conscious Android users can disable phones broadcasting this information while in sleep mode by visiting the “Advanced Wi-Fi Settings” menu, selecting, “Keep Wi-Fi On During Sleep” and setting it to “off”.
Author Rob Waugh, We Live Security