Your Android Phone Is Telling the World Where You've Been
Your new Android phone may be broadcasting your location history to anyone within Wi-Fi range who wants to listen, even when your phone's screen is off and it's not connected to a Wi-Fi network, the Electronic Frontier Foundation discovered.
This location history comes in the form of the names of wireless networks your phone has previously connected to -- for example, your home's Wi-Fi network. EFF says that this data is dangerous because it clearly denotes in human language places where you've spent enough time to use the Wi-Fi.
EFF discovered that many modern Android phones leaked the names of the networks stored in their settings (up to a limit of fifteen).
Some other platforms also suffer from this problem, although for various reasons EFF says Android devices appear to pose the greatest privacy risk at the moment.
EFF traced this behavior to a feature introduced in Android Honeycomb (Android 3.1) called Preferred Network Offload (PNO). PNO is supposed to allow phones and tablets to establish and maintain Wi-Fi connections even when they're in low-power mode (i.e. when the screen is turned off). The goal is to extend battery life and reduce mobile data usage, since Wi-Fi uses less power than cellular data. But for some reason, even though none of the Android phones EFF tested broadcast the names of networks they knew about when their screens were on, many of the phones running Honeycomb or later (and even one running Gingerbread) broadcast the names of networks they knew about when their screens were turned off.
Responding to EFF's finding, Google said:
"We take the security of our users' location data very seriously and we're always happy to be made aware of potential issues ahead of time. Since changes to this behavior would potentially affect user connectivity to hidden access points, we are still investigating what changes are appropriate for a future release."
Additionally, a Google employee submitted a patch to wpa_supplicant which fixes this issue.
A workaround is available for users who want to protect their privacy right now: go into your phone's "Advanced Wi-Fi" settings and set the "Keep Wi-Fi on during sleep" option to "Never". Unfortunately, this will cause a moderate increase in data usage and power consumption.
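To check whether the workaround took effect on your own phone, you can look at what it sends while the screen is off. The network names travel in the SSID element of 802.11 probe request frames. The sketch below is an added example, not code from EFF or Google: it parses such frames and lists the names one device announced. The frames, MAC addresses and network names are constructed, and the frames are assumed to have no radiotap header or FCS.

```python
# Added example: frames are constructed here, without radiotap header or FCS.
MGMT_HEADER_LEN = 24        # frame control, duration, 3 addresses, sequence control
PROBE_REQUEST = 0x40        # first frame-control byte: management type, subtype 4
SSID_ELEMENT_ID = 0

def probed_ssid(frame: bytes):
    """Return (source_mac, ssid) for a probe request, or None for anything else.
    An empty ssid means a wildcard probe, which names no network."""
    if len(frame) < MGMT_HEADER_LEN or frame[0] != PROBE_REQUEST:
        return None
    source = frame[10:16].hex(":")     # address 2 is the transmitting device
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):
        element_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                      # truncated element: stop parsing
        if element_id == SSID_ELEMENT_ID:
            if length > 32:            # SSIDs are at most 32 bytes
                return None
            return source, value.decode("utf-8", errors="replace")
        pos += 2 + length
    return source, ""

def leaked_networks(frames, own_mac: str):
    """Network names that the device with own_mac announced in directed probes."""
    names = set()
    for frame in frames:
        parsed = probed_ssid(frame)
        if parsed and parsed[0] == own_mac.lower() and parsed[1]:
            names.add(parsed[1])
    return sorted(names)

def build_frame(fc0: int, source: str, ssid: bytes) -> bytes:
    """Construct a minimal management frame carrying one SSID element."""
    header = bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + bytes.fromhex(source.replace(":", ""))
    header += b"\xff" * 6 + b"\x00\x00"
    return header + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid

OWN_PHONE = "02:00:00:00:00:01"   # constructed, locally administered address
SAMPLE_CAPTURE = [
    build_frame(PROBE_REQUEST, OWN_PHONE, b"ExampleHomeWiFi"),
    build_frame(PROBE_REQUEST, OWN_PHONE, b""),              # wildcard probe
    build_frame(PROBE_REQUEST, OWN_PHONE, b"ExampleCafe"),
    build_frame(0x80, OWN_PHONE, b"ExampleHomeWiFi"),        # not a probe request
    build_frame(PROBE_REQUEST, "02:00:00:00:00:02", b"OtherDevice"),
]

if __name__ == "__main__":
    print(leaked_networks(SAMPLE_CAPTURE, OWN_PHONE))
```

An empty result for your phone's address after the screen has been off for a while means it sent no probe requests naming a stored network during the capture.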