The Electronic Frontier Foundation (EFF) has discovered what could be a serious privacy leak in most recent Android device. According to them, smartphones and tablets running Android 3.1 or later whose screens are turned off are broadcasting their previous WiFi connection history to anyone within WiFi range willing to listen, leaving the user vulnerable to future attacks.
Spilling your WiFi connection history might not sound all that terrible, especially given how some tag their networks with absurd and indecipherable names. However, to people with malicious intent, there are ways and means to derive longitude and latitude coordinates from these network names. It is definitely a scary thought since both your public and private life can become open to prying eyes.
This WiFi behavior is exhibited by an open source program called wpa_supplicant used not just by Android but by Linux itself. On both platforms, this feature is used to connect to hidden networks. Since these WiFi networks do not broadcast their presence, cilents such as laptops or phones have to broadcast their own presence instead. On Android, however, the side effects are greater.
This is because feature introduced in Android 3.1 called Preferred Network Overload. In essence, it basically tries to keep a connection to a WiFi network when the phone’s display is turned off, in order to preserve power while still keeping connected to the Internet. But because of wpa_supplicant’s behavior, it is effectively broadcasting that WiFi history at the same time. Somewhat quizzically, it doesn’t happen when the screen is turned on. Since laptops and desktops with wireless connections don’t usually go into this low-power state, they are not exposed to the same extent.
The EFF reports that Google has responded, has promised to look into the matter, and has even submitted a patch to wpa_supplicant to address the issue. However, given Google’s and Android’s update mechanism, that fix might not reach users immediately, if at all for some older devices. There are other ways to circumvent this flaw, none of the convenient or ideal. First, you can remove previously used WiFi connections that you don’t regularly use. You can then set your device never to keep a WiFi connection when it sleeps, removing the need for that broadcasting feature. However, the EFF said that for some devices, that still wasn’t enough and this actually eats up more battery. The final resort is to manually, or automatically via some app, turn WiFi off entirely when you aren’t connected to a known network, a practice that is actually recommended not just for this case but for other security issues and battery consumption as well.