updated 05:35 pm EDT, Thu July 3, 2014
Foundation discovers phones less than three years old broadcasting visited locations
Recently, the Internet advocacy and legal group the Electronic Frontier Foundation (EFF) discovered that a number of Android devices could be sharing location information when not connected to Wi-Fi. The Android phones in question periodically send out information on the Wi-Fi networks they know in order to speed up the process of connecting. However, in doing so they give off previous location data based on stored wireless networks in "human language."
The problem stems from the Preferred Network Offload (PNO) feature that was introduced with Android 3.1 Honeycomb. The theory behind PNO is that it allows devices to connect and maintain connections over Wi-Fi when they kick into low-power modes, such as when the screen turns off. This helps to save power and limits data usage.
"To our dismay, we discovered that many of the modern Android phones we tested leaked the names of the networks stored in their settings (up to a limit of 15)," said the EFF's Peter Eckersley and Jeremy Gillula. "And when we looked at these network lists, we realized that they were, in fact, dangerously precise location histories."
Information obtained from the Wi-Fi data could be seen as a greater threat than other location data issues, since there is little to no effort involved if someone is monitoring for that information and in range. With the network information stated plainly, locations can be traced back using their names. Previously, extrapolating locations was more complicated, leaving a malicious party to sort through longitude and latitude history. A cleverly named wireless network may not be enough protection; as the EFF points out, there are still ways to look network names up online.
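To check your own device for this behaviour, the stored network names can be read out of its 802.11 probe requests in a capture taken on a test bench. The following is an added example, not code from the EFF or wpa_supplicant; it assumes each frame starts at the 802.11 header (no radiotap prefix), and the MAC addresses, network names and frames are constructed.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24         # frame control, duration, 3 addresses, sequence control
PROBE_REQUEST_FC0 = 0x40  # protocol version 0, type 0 (management), subtype 4

def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, None for anything else.
    ssid is "" for a wildcard probe, which names no stored network."""
    if len(frame) < MGMT_HDR_LEN or frame[0] != PROBE_REQUEST_FC0:
        return None
    src = frame[10:16].hex(":")                 # address 2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):                # walk id/length/value elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elem_len]
        if len(value) < elem_len:
            return None                         # truncated element, reject frame
        if elem_id == 0:                        # element 0 carries the SSID
            return src, value.decode("utf-8", errors="replace")
        pos += 2 + elem_len
    return None                                 # no SSID element present

def leaked_networks(frames):
    """Map each transmitter to the sorted network names it probed for by name."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:                # skip wildcard probes
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(names) for mac, names in seen.items()}

def build_frame(fc0: int, src: bytes, ssid: str) -> bytes:
    """Constructed input: management header, SSID element, supported-rates element."""
    hdr = bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    name = ssid.encode()
    return hdr + bytes([0, len(name)]) + name + bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])

PHONE = bytes.fromhex("020000000001")   # constructed, locally administered MACs
LAPTOP = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [                        # constructed capture, not real traffic
    build_frame(0x40, PHONE, "Home-Net-5G"),
    build_frame(0x40, PHONE, "Cafe Example Guest"),
    build_frame(0x40, PHONE, "Home-Net-5G"),       # repeat of the same name
    build_frame(0x40, LAPTOP, ""),                  # wildcard probe, no leak
    build_frame(0x80, LAPTOP, "Some-AP"),           # beacon subtype, ignored
]

if __name__ == "__main__":
    for mac, names in leaked_networks(SAMPLE_FRAMES).items():
        print(mac, "named", len(names), "stored networks:", names)
```

A device that appears in the result is naming its stored networks over the air; one that sends only wildcard probes does not appear.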
The code for PNO ties into an open source project, wpa_supplicant, which Linux and Android use for Wi-Fi management. Once the issue was confirmed on a number of devices, the EFF contacted Google over the problem. Google responded, indicating that it takes the security of users' location data seriously. However, since the problem is tied to user connectivity, the company needs to investigate.
Yesterday, Google issued a patch to wpa_supplicant, but it will take some time to see it in Android code. Even if the patch is included in future updates, devices that are no longer supported, or that had no support from Google in the first place, may be left behind. Presuming that earlier versions of Android also have the issue, more than 20 percent of all Android devices could be affected. By comparison, possibly three percent of iOS users are still on iOS 5 or lower.
In the course of testing, the EFF indicated that Android wasn't the only platform with the problem, but it appears "to pose the greatest privacy risk at the moment." Apple devices with iOS 6 and 7 were found to be free of the problem, but iOS 5 showed the same issue as Android. The Wi-Fi leak also extends to OS X and Windows 7 laptops.