Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.

The exposed information includes the WiFi network name, BSSID, local IP addresses, DNS server information, and the MAC address. Normally, extra permissions are required to access such details, but Wi-Fi broadcasts allow all applications to capture the information, thus bypassing existing mitigations.

Furthermore, Nightwatch Cybersecurity’s researchers argue that the MAC address, which is tied to the hardware, can be used to “uniquely identify and track any Android device.” Information such as network name and BSSID allow for the geolocation of users, while other information can be leveraged for other attacks.

Tracked as CVE-2018-9489, the vulnerability was addressed in the recently released Android 9, but previous platform iterations continue to be impacted, ths security firm says. Thus, all devices running under those OS versions, including forks such as Amazon’s FireOS for the Kindle, are believed to be vulnerable.

The issue, the security researchers say, is that application developers neglect to implement restrictions or mask sensitive data when it comes to the use of “Intents” in their applications. These Intents are system-wide messages that both apps and the OS can send, and which other applications can listen to.

The Android platform, the security researchers explain, regularly broadcasts information about the WiFi connection and the WiFi network interface and uses WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION Intents for that.

“This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses. This information is available to all applications running on the user’s device,” the researchers note.

Applications looking to access the information via the WifiManager would normally require the “ACCESS_WIFI_STATE” permission in the application manifest. Apps looking to access geolocation via WiFi require the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.

Vag COM , TCS CDP , VAS5054A , GM Tech2 , Iprog+ Programmer , Orange 5 programmer , SBB3 PRO3 Key Programmer , wiTech MicroPod II , T300+ Key Programmer, Iprog, Scania VCI3, mercedes star diagnostic, Porsche Piwis, vocom 88890300, Renault CAN Clip, SBB Key Programmer, NEXIQ USB Link

Applications listening for system broadcasts, however, don’t need these permissions and can capture the details without user’s knowledge. They can even capture the real MAC address, although it is no longer available via APIs on Android 6 or higher.

“We performed testing using a test farm of mobile device ranging across multiple types of hardware and Android versions. All devices and versions of Android tested confirmed this behavior, although some devices do not display the real MAC address in the “NETWORK_STATE_CHANGED_ACTION” intent but they still do within the “WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” intent,” the researchers said.

Given that Google addressed the issue in Android 9 only, users are encouraged to upgrade to this platform iteration to ensure they remain protected.

安卓系统广播暴露设备信息-Android System Broadcasts Expose Device Information的更多相关文章

  1. MDNS的漏洞报告——mdns的最大问题是允许广域网的mdns单播查询,这会暴露设备信息,或者被利用用于dns放大攻击

    Vulnerability Note VU#550620 Multicast DNS (mDNS) implementations may respond to unicast queries ori ...

  2. UWP 应用获取各类系统、用户信息 (2) - 商店授权信息、零售演示模式信息、广告 ID、EAS 设备信息、硬件识别信息、移动网络信息

    应用开发中,开发者时常需要获取一些系统.用户信息用于数据统计遥测.问题反馈.用户识别等功能.本文旨在介绍在 Windows UWP 应用中获取一些常用系统.用户信息的方法.示例项目代码可参见 Gith ...

  3. 【转】android 安卓APP获取手机设备信息和手机号码的代码示例

    http://blog.csdn.net/changemyself/article/details/7421476 下面我从安卓开发的角度,简单写一下如何获取手机设备信息和手机号码 准备条件:一部安卓 ...

  4. android 安卓APP获取手机设备信息和手机号码的代码示例

    下面我从安卓开发的角度,简单写一下如何获取手机设备信息和手机号码 准备条件:一部安卓手机.手机SIM卡确保插入手机里.eclipse ADT和android-sdk开发环境 第一步:新建一个andro ...

  5. C#:基于WMI查询USB设备信息 及 Android设备厂商VID列表

    /* ---------------------------------------------------------- 文件名称:WMIUsbQuery.cs 作者:秦建辉 MSN:splashc ...

  6. Android 获取设备信息 异常

    /**获取设备信息 * @param c * @return */ public static void setDeviceInfo(Context c,RequestParams params){ ...

  7. iOS开发的另类神器:libimobiledevice开源包【类似android adb 方便获取iOS设备信息】

    简介 libimobiledevice又称libiphone,是一个开源包,可以让Linux支持连接iPhone/iPod Touch等iOS设备.由于苹果官方并不支持Linux系统,但是Linux上 ...

  8. Android 开发 获取设备信息与App信息

    设备信息 设备ID(DeviceId) 获取办法 android.telephony.TelephonyManager tm = (android.telephony.TelephonyManager ...

  9. js判断设备信息,安卓、ios、还是pc端

    前端开发获取设备信息的代码if (/(iPhone|iPad|iPod|iOS)/i.test(navigator.userAgent)) { window.location.href =" ...

随机推荐

  1. 剑指offer数组1

    面试题3:数组中重复的数字 在一个长度为n的数组里的所有数字都在0到n-1的范围内. 数组中某些数字是重复的,但不知道有几个数字是重复的.也不知道每个数字重复几次.请找出数组中任意一个重复的数字. 例 ...

  2. scrapy相关:splash安装 A javascript rendering service 渲染

    0. splash: 美人鱼  溅,泼 1.参考 Splash使用初体验 docker在windows下的安装 https://blog.scrapinghub.com/2015/03/02/hand ...

  3. labview出现系统998错误

    1.环境:xp,labview2015, 2.经过:初始状态正常,系统需要运行2016的打包的程序,运行不了,后下载了一个2016打包后的程序,点击安装,未提示异常.桌面添加了快捷方式,点击快捷方式, ...

  4. 全文搜索引擎Elasticsearch入门实践

    全文搜索引擎Elasticsearch入门实践 感谢阮一峰的网络日志全文搜索引擎 Elasticsearch 入门教程 安装 首先需要依赖Java环境.Elasticsearch官网https://w ...

  5. Eclipse导入maven项目时,pom-xml文件报错处理方法

    报错如下: Cannot read lifecycle mapping metadata for artifact org.apache.maven.plugins 解决方法: 出现该错误是因为jar ...

  6. Everything at Once

    Everything at Once As sly as a fox as strong as an ox ♥ sly 英 [slaɪ] 美 [slaɪ] adj. 狡猾的:淘气的:诡密的 比较级 s ...

  7. XVIII Open Cup named after E.V. Pankratiev. Grand Prix of Korea

    A. Donut 扫描线+线段树. #include<cstdio> #include<algorithm> using namespace std; typedef long ...

  8. css 颜色表示法

    css颜色值主要有三种表示方法: (1)颜色名表示,如:red红色,gold金色 (2)rgb表示,如:rgb(255,0,0)表示红色 (3)16进制数值表示,如:#ff0000表示红色,这种可以简 ...

  9. Ubuntu 安装 Redis和phpredis扩展

    服务器Ubuntu16.04 环境php7.0+Apache /****************************开始安装Redis****************************/ 1 ...

  10. oracle中的listener.ora和tnsnames.ora

    一.oracle的客户端与服务器端 oracle在安装完成后服务器和客户端都需要进行网络配置才能实现网络连接.    服务器端配置监听器,客户端配置网络服务名. 服务器端可配置一个或多个监听程序 . ...