A feature introduced in Android 3.1 (Honeycomb) that allows the device to seek familiar WiFi and switch to them from mobile data in order to save battery broadcasts the WiFi connection history in the case of some phones, thus allowing for location tracking.
The researchers at the Electronic Frontier Foundation (EFF) found that the devices emit the information even in low-power mode. Other mobile platforms are also affected by this problem, though.
Preferred Network Offload (PNO) is a feature that scans the background environment in search of a WiFi connection that has been used in previous occasions. This way, it can save battery life and mobile data cost.
The trouble is that this information can be intercepted by anyone within the WiFi range and used to determine the places the owner of the device spent long enough time to use the WiFi connection for accessing the Internet.
“Normally eavesdroppers would need to spend some effort extracting this sort of information from the latitude/longitude history typically discussed in location privacy analysis,” says the EFF article. But by broadcasting the SSIDs (service set identifiers), the phone provides them with clear information about the last 15 WiFi destinations, without having to process the details.
EFF tested multiple Android devices and found that not all of them leak the details about the WiFi connections used, Samsung Galaxy Mini, S3, S4, HTC One Mini or Motorola Droid 1 being among them.
However, a large number of Nexus devices (4, 5 and Samsung Galaxy), along with HTC One, and Motorola Droid 3 and 4, do broadcast the information. Most of these devices were running on Android 4.1 and up, but the bad habit was also recorded on a smartphone with version 2.3.4 of the mobile operating system.
One of the odd things in the research was the fact that none of the devices tested would broadcast the info when the display would be turned on. “But for some reason, even though none of the Android phones we tested broadcast the names of networks they knew about when their screens were on, many of the phones running Honeycomb or later (and even one running Gingerbread) broadcast the names of networks they knew about when their screens were turned off,” says the EFF blog post.
The matter was reported to Google and they replied saying that they were looking into the types of changes that could be implemented in future versions of the operating system in order to eliminate the location tracking risk.
EFF notes that a patch to “wpa_supplicant” recently submitted by a Google employee fixes the problem and needs to be integrated into the downstream Android code.
Users can protect against this type of snooping by turning off WiFi from the advanced section of the WiFi settings when the device is in sleep mode. This may not work on all types of Android brands though, and the disadvantage is that it increases mobile data usage.