YOUR ANDROID DEVICE could be telling the world where you are and where you've been.
According to a report by the Electronic Frontier Foundation (EFF), a vulnerability introduced in Android 3.1 Honeycomb means that anyone can use your WiFi connection to get a coherent overview of your location and travels.
Preferred Network Offload (PNO) is a service within Android that allows the phone to search for and connect to WiFi networks, even while the screen is switched off. The result is reduced battery consumption and lower data usage; however, it comes at a price.
A device with PNO activated that isn't connected to a WiFi network can be intercepted by anyone within WiFi range. The hacker can then read a list of the last 15 WiFi networks (SSIDs) that the device has connected to. This will include public WiFi hotspots with plain English names to which the service has connected but not actually logged in, for example "Pub Chain - Croydon" or "Tommy's Coffee Public WiFi".
Putting that information together, along with saved private WiFi credentials, creates an eerily accurate map of the phone's movements.
Although most chains anonymise their SSIDs to a generic name, such as the name of the provider - for example, The Cloud - or the chain - for example, Starbucks - the MAC address is also shown and therefore is traceable with a bit of extra digging.
A Google spokesman told the EFF, "We take the security of our users' location data very seriously and we're always happy to be made aware of potential issues ahead of time. Since changes to this behaviour would potentially affect user connectivity to hidden access points, we are still investigating what changes are appropriate for a future release."
In the meantime the EFF, which recently launched a lawsuit against the National Security Agency (NSA) for withholding information about zero-day security flaws, suggested disabling the PNO feature under advanced WiFi settings, acknowledging that it might cost a bit more in data charges and battery life. It also warned that even this does not work on some handsets, citing the US-only Motorola Droid 4 as an example.
At present, the recently announced Android L mobile operating system is still under development, so we might yet see a fix in the final release. µ