
All Android devices, barring those running Android 9 Pie, can be identified through a security flaw that lets apps disclose device details. According to a report from research firm Nightwatch Cybersecurity, the flaw affects all versions of Android, including forks (such as Amazon’s FireOS for the Kindle), except for Android 9 Pie.
“The vendor (Google) fixed these issues in Android P / 9 but does not plan to fix older versions. Users are encouraged to upgrade to Android P / 9 or later,” Nightwatch notes.
The research firm says apps present on Android devices can bypass safeguards, such as asking for user permission, in order to reveal device details. In the process, information like the local IP address, Wi-Fi network names, BSSID, and MAC addresses can be disclosed. Of these, media access control (MAC) addresses are hardware-specific and can be used to track any device, even if a user applies MAC address randomisation. On Android 6.0 Marshmallow and below, MAC addresses cannot be found via APIs, and would need extra permissions to be accessed. In addition, access to network names and the BSSID (basic service set ID) can be used to geo-locate a user, and can be traced back through databases.
The Android OS mediates access to user information between the device user and app developers through two mechanisms. One is called ‘Intents’, through which app developers send inter-process communications to third parties; developers must restrict delivery to select recipients. Since most developers are known to provide unrestricted access to ‘Intents’, the extent to which third-party data is being misused is unknown.
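To make the point about restricting recipients concrete, here is an added example (not code from the Nightwatch report or from Android itself) showing an app broadcasting network details without and with a recipient restriction. The class, action, permission and package names are hypothetical; the permission is assumed to be declared in the app's manifest with `android:protectionLevel="signature"`.

```java
import android.content.Context;
import android.content.Intent;

/** Hypothetical helper: every name below is constructed for illustration. */
public final class NetworkStatusBroadcaster {
    static final String ACTION_STATUS = "com.example.app.NETWORK_STATUS";
    // Assumed to be declared in AndroidManifest.xml as a signature-level permission.
    static final String PERM_READ_STATUS =
            "com.example.app.permission.READ_NETWORK_STATUS";
    static final String TRUSTED_PACKAGE = "com.example.companion";

    private NetworkStatusBroadcaster() {}

    /**
     * Weak: an implicit broadcast with no restriction. Any installed app that
     * registers a receiver for ACTION_STATUS receives the SSID and BSSID
     * without the user being asked for anything.
     */
    static void sendUnrestricted(Context ctx, String ssid, String bssid) {
        Intent intent = new Intent(ACTION_STATUS);
        intent.putExtra("ssid", ssid);
        intent.putExtra("bssid", bssid);
        ctx.sendBroadcast(intent);
    }

    /**
     * Hardened: delivery is limited to one named package, and the receiver
     * must also hold PERM_READ_STATUS, so other apps never see the extras.
     */
    static void sendRestricted(Context ctx, String ssid, String bssid) {
        Intent intent = new Intent(ACTION_STATUS);
        intent.setPackage(TRUSTED_PACKAGE);          // explicit target package
        intent.putExtra("ssid", ssid);
        intent.putExtra("bssid", bssid);
        ctx.sendBroadcast(intent, PERM_READ_STATUS); // receiver must hold this
    }
}
```

When the receiver lives in the same app, sending nothing across process boundaries at all is the stricter option.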
On the user end, Android apps need to request ‘Permissions’, wherein users must agree to grant access to features like location, contact list, front cameras, etc. Depending on the severity of the request, apps show some ‘Permission’ notices to users, while others get bypassed. As per the report, the best way for Android users to avoid being tracked is to upgrade to Android 9.0 Pie.