Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android System Broadcasts Expose Device Information

Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.

Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.

The exposed information includes the WiFi network name, BSSID, local IP addresses, DNS server information, and the MAC address. Normally, extra permissions are required to access such details, but Wi-Fi broadcasts allow all applications to capture the information, thus bypassing existing mitigations.

Furthermore, Nightwatch Cybersecurity’s researchers argue that the MAC address, which is tied to the hardware, can be used to “uniquely identify and track any Android device.” Information such as network name and BSSID allow for the geolocation of users, while other information can be leveraged for other attacks.

Tracked as CVE-2018-9489, the vulnerability was addressed in the recently released Android 9, but previous platform iterations continue to be impacted, ths security firm says. Thus, all devices running under those OS versions, including forks such as Amazon’s FireOS for the Kindle, are believed to be vulnerable.

The issue, the security researchers say, is that application developers neglect to implement restrictions or mask sensitive data when it comes to the use of “Intents” in their applications. These Intents are system-wide messages that both apps and the OS can send, and which other applications can listen to.

The Android platform, the security researchers explain, regularly broadcasts information about the WiFi connection and the WiFi network interface and uses WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION Intents for that.

“This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses. This information is available to all applications running on the user’s device,” the researchers note.

Applications looking to access the information via the WifiManager would normally require the “ACCESS_WIFI_STATE” permission in the application manifest. Apps looking to access geolocation via WiFi require the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.

Applications listening for system broadcasts, however, don’t need these permissions and can capture the details without user’s knowledge. They can even capture the real MAC address, although it is no longer available via APIs on Android 6 or higher.

“We performed testing using a test farm of mobile device ranging across multiple types of hardware and Android versions. All devices and versions of Android tested confirmed this behavior, although some devices do not display the real MAC address in the “NETWORK_STATE_CHANGED_ACTION” intent but they still do within the “WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” intent,” the researchers said.

Given that Google addressed the issue in Android 9 only, users are encouraged to upgrade to this platform iteration to ensure they remain protected.

Related: Many Android Devices Ship with ADB Enabled

Related: Google Turns TLS on By Default on Android P

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.