We write often here about the security vulnerabilities of Android devices that are due, at least in part, to how long the latest software updates can take to make the rounds, which can leave some handsets dangerously vulnerable if the device manufacturer is slow on the uptake.
That means we’re constantly writing posts like this one: Researchers from Nightwatch Cybersecurity this week put out an advisory about an Android vulnerability that purportedly exposes information about a user’s device to all applications running on the device. There’s a fix for it, but not if you’re running a too-old version of Android.
According to the advisory, the information includes “the Wi-Fi network name, BSSID, local IP addresses, DNS server information and the MAC address. Some of this information (MAC address) is no longer available via APIs on Android 6 and higher, and extra permissions are normally required to access the rest of this information. However, by listening to these broadcasts, any application on the device can capture this information thus bypassing any permission checks and existing mitigations.”
A report from ZDNet notes that apps can capture that information often for legitimate reasons. But when rogue apps start to do the tracking, that can lead to the disclosure of sensitive information. What it all amounts to, according to the publication, is a “common vulnerability” within Android apps where a malicious application running on the device can spy on and capture messages broadcast by other apps on the device.
The Nightwatch advisory goes on to note that all versions of Android are believed to be affected, including forked versions like Amazon’s FireOS. Google has supposedly fixed this starting with Android 9 Pie, but it’s not believed to be planning a fix for older versions.
The firm showed all of this to Google earlier this year, and Google’s fix was developed in July.
The advisory spells out that Android ‘intents’ are at the heart of the issue here. Those are one of the mechanisms for inter-process communication within the OS. “A broadcast using an ‘Intent’ allows an application or the OS to send a message system-wide which can be listened to by other applications. While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data. This leads to a common vulnerability within Android applications where a malicious application running on the same device can spy on and capture messages being broadcast by other applications.”
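To make the “restrict who is allowed to read such messages” point concrete, here is an added illustration written for this post; it is not code from the Nightwatch advisory or from Android itself. It shows an app broadcasting network details the weak way (an implicit, system-wide broadcast) next to the same broadcast with its audience restricted. The action string, the permission name and the package name (`com.example.netmon`) are made-up placeholders; the Android APIs used (`Intent.setPackage`, `Context.sendBroadcast(Intent, String)`, `Context.registerReceiver(..., String, Handler)`) are real.

```java
// Added illustration, not the advisory's code: an unrestricted broadcast that
// hands device details to every app on the phone, next to restricted forms.
// The action, permission and package names below are hypothetical placeholders.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

public final class NetInfoBroadcaster {
    // Hypothetical identifiers; an app would use its own package and names.
    static final String ACTION_SCAN_DONE = "com.example.netmon.SCAN_DONE";
    static final String OWN_PACKAGE = "com.example.netmon";
    // Declared in the manifest as
    //   <permission android:name="com.example.netmon.permission.READ_NETINFO"
    //               android:protectionLevel="signature" />
    // so only apps signed with the same key can hold it.
    static final String PERMISSION_NETINFO = "com.example.netmon.permission.READ_NETINFO";

    /** Weak form: an implicit broadcast with no package or permission restriction.
     *  Any app that registers a receiver for ACTION_SCAN_DONE gets the extras,
     *  without needing any location or Wi-Fi permission of its own. */
    static void broadcastUnrestricted(Context ctx, String ssid, String bssid, String localIp) {
        Intent i = new Intent(ACTION_SCAN_DONE);
        i.putExtra("ssid", ssid);
        i.putExtra("bssid", bssid);
        i.putExtra("ip", localIp);
        ctx.sendBroadcast(i); // delivered system-wide
    }

    /** Hardened form 1: scope the broadcast to the sending app's own package.
     *  A package-targeted intent is delivered only to that package's components. */
    static void broadcastToOwnPackage(Context ctx, String ssid, String bssid, String localIp) {
        Intent i = new Intent(ACTION_SCAN_DONE);
        i.setPackage(OWN_PACKAGE);
        i.putExtra("ssid", ssid);
        i.putExtra("bssid", bssid);
        i.putExtra("ip", localIp);
        ctx.sendBroadcast(i);
    }

    /** Hardened form 2: require receivers to hold a signature-level permission.
     *  The second argument makes the system drop the message for any receiver
     *  whose app has not been granted PERMISSION_NETINFO. */
    static void broadcastWithPermission(Context ctx, String ssid, String bssid, String localIp) {
        Intent i = new Intent(ACTION_SCAN_DONE);
        i.putExtra("ssid", ssid);
        i.putExtra("bssid", bssid);
        i.putExtra("ip", localIp);
        ctx.sendBroadcast(i, PERMISSION_NETINFO);
    }

    /** Receiver side of form 2: also require the *sender* to hold the permission,
     *  so another app cannot feed this receiver a forged ACTION_SCAN_DONE message. */
    static void registerProtectedReceiver(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SCAN_DONE);
        ctx.registerReceiver(receiver, filter, PERMISSION_NETINFO, null);
    }

    /** Hardened form 3 (data minimization): broadcast only that new data exists and
     *  let interested components fetch the details through a permission-checked API,
     *  so the sensitive fields never travel in the intent at all. */
    static void broadcastNotificationOnly(Context ctx) {
        Intent i = new Intent(ACTION_SCAN_DONE);
        i.setPackage(OWN_PACKAGE);
        ctx.sendBroadcast(i);
    }
}
```

The takeaway for developers mirrors the advisory’s wording: a broadcast that carries sensitive fields needs either a package scope, a permission gate, or no sensitive payload at all. Form 2 is the one that both restricts readers and, on the receiving side, rejects forged messages; form 3 is the simplest to audit because there is nothing in the intent worth capturing.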
Bottom line: To protect yourself, be sure to upgrade to Android 9 Pie if you haven’t yet.