Security researchers have found a way to sniff Android system broadcasts to expose Wi-Fi connection information to attackers.
Tracked as CVE-2018-9489, the issue was discovered by Nightwatch Cybersecurity and published yesterday. If you can, upgrade to Android 9 (Pie), because there’s no plan to fix older versions.
What they found was that the system broadcasts spaff “Wi-Fi network name, BSSID, local IP addresses, DNS server information and the MAC address” to any application running on the device, even though this is supposed to be protected information, “bypassing any permission checks and existing mitigations”.
The reason older Android versions won’t get a fix, the post claimed, is that Google said it would break older APIs.
The problem is in how application developers use what Android calls “intents” for inter-process communication. The Nightwatch post explained: “While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data”.
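The restriction and masking the Nightwatch quote refers to can be seen from the sending side. The sketch below is an added example, not code from the Nightwatch post or from Android itself: it contrasts an unrestricted broadcast with two restricted forms, and the class name, action string, permission name and extras keys are all hypothetical.

```java
import android.content.Context;
import android.content.Intent;

// Added illustration, not code from Nightwatch or Android. The class name,
// action string, permission name and extras keys are hypothetical.
public final class NetworkStatusBroadcaster {
    static final String ACTION_STATUS = "com.example.app.NETWORK_STATUS";
    // Assumed to be declared in the sender's manifest with
    // android:protectionLevel="signature".
    static final String PERM_READ_STATUS =
            "com.example.app.permission.READ_NETWORK_STATUS";
    // Constructed placeholder sent in place of real hardware addresses.
    static final String MASKED_ADDR = "02:00:00:00:00:00";

    private NetworkStatusBroadcaster() {}

    // Weak: an implicit broadcast with no receiver permission. Every app
    // that registers a receiver for ACTION_STATUS gets all the extras.
    static void sendUnrestricted(Context ctx, String ssid, String bssid, String mac) {
        ctx.sendBroadcast(build(ssid, bssid, mac));
    }

    // Restricted: only receivers holding PERM_READ_STATUS are delivered the
    // intent, and the hardware identifiers are masked before sending.
    static void sendRestricted(Context ctx, String ssid) {
        ctx.sendBroadcast(build(ssid, MASKED_ADDR, MASKED_ADDR), PERM_READ_STATUS);
    }

    // Tightest: an explicit package target keeps the broadcast inside the
    // sending app, so no other app can receive it.
    static void sendToOwnPackage(Context ctx, String ssid, String bssid, String mac) {
        Intent i = build(ssid, bssid, mac);
        i.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(i);
    }

    private static Intent build(String ssid, String bssid, String mac) {
        Intent i = new Intent(ACTION_STATUS);
        i.putExtra("ssid", ssid);
        i.putExtra("bssid", bssid);
        i.putExtra("mac", mac);
        return i;
    }
}
```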