A flaw in the Android OS allows an attacker to track the location of users if they are in close proximity to the WiFi router.
Applications on the Android OS are typically segregated from other applications and also separated from the OS itself. However, there are systems in place that allow apps and the OS to share information with each other. This is where the vulnerability comes into play.
One of the systems that allow information sharing is called “intents”. The OS or application can send out an “intent” message, which is listened to by other applications, but this message can be intercepted by attackers.
There are ways to restrict this listening; however, many developers neglect to put the proper restrictions in place, leaving users vulnerable.
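As an added illustration (not code from the original article or from Android itself), the Java sketch below contrasts an unrestricted broadcast with two standard ways of restricting who can listen. The class name, action string, extra key and permission name are hypothetical, and the permission is assumed to be declared in the app's manifest with a signature protection level.

```java
// Added example. All names under com.example.app are hypothetical.
import android.content.Context;
import android.content.Intent;

public final class WifiStatusBroadcasts {
    // Hypothetical action string other components would filter on.
    static final String ACTION = "com.example.app.WIFI_STATUS";
    // Hypothetical permission; assumed to be declared in AndroidManifest.xml
    // with android:protectionLevel="signature" so that only apps signed with
    // the same key can hold it.
    static final String PERMISSION = "com.example.app.permission.WIFI_STATUS";
    // Hypothetical extra key carrying the Wi-Fi connection details.
    static final String EXTRA_INFO = "wifi_info";

    private WifiStatusBroadcasts() {}

    // Weak: implicit broadcast with no restriction. Every installed app that
    // registers a receiver for ACTION is handed the extras.
    static void sendUnrestricted(Context ctx, String wifiInfo) {
        Intent intent = new Intent(ACTION).putExtra(EXTRA_INFO, wifiInfo);
        ctx.sendBroadcast(intent);
    }

    // Restricted by permission: the system delivers the broadcast only to
    // receivers whose app has been granted PERMISSION.
    static void sendWithPermission(Context ctx, String wifiInfo) {
        Intent intent = new Intent(ACTION).putExtra(EXTRA_INFO, wifiInfo);
        ctx.sendBroadcast(intent, PERMISSION);
    }

    // Restricted by package: the broadcast is resolved only against
    // components of this app's own package and never leaves it.
    static void sendToOwnPackage(Context ctx, String wifiInfo) {
        Intent intent = new Intent(ACTION).putExtra(EXTRA_INFO, wifiInfo);
        intent.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(intent);
    }
}
```

When reviewing an app, any call shaped like sendUnrestricted that carries connection or location data in its extras is the pattern to flag.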
The vulnerability (CVE-2018-9581) allows the Android OS to continually broadcast information about the WiFi connection of the user, including location.
Admittedly, the flaw may seem harmless when it comes to users' exposure to large-scale attacks, but that's not what security experts are concerned about. The larger concern is whether hackers may exploit the vulnerability to check someone's location within the home and whether they are home. This could be valuable information for criminals planning a burglary.
Another concern is that it allows for localized spying by unethical people with power. For example, employers could check an employee's location and how far they are from their desk, determine how long they have been away from it, and potentially use this to punish people.
This vulnerability joins a group of Android vulnerabilities allowing for information leakage. More needs to be done to protect users' data from potential targeted leaks by attackers. Users are becoming increasingly concerned with the protection of their data, and so companies need to be vigilant in meeting this demand by patching vulnerabilities as and when they crop up. The vulnerability remains unpatched.