Hacker News new | comments | ask | show | jobs | submit login

Android also had an issue where an app could deceive a user by requesting the permission to manage WiFi (CHANGE_WIFI_STATE) which is considered non-dangerous ("normal") [1] and is granted automatically without any prompts [2]:

> If your app lists normal permissions in its manifest (that is, permissions that don't pose much risk to the user's privacy or the device's operation), the system automatically grants those permissions to your app.

But the app could use it to determine user's location (by scanning for WiFI access points identifiers) without any notification. So the user wouldn't realise that the app now knows their location.

You can see it in the docs [3]:

> Android 8.0 and Android 8.1:

> A successful call to WifiManager.getScanResults() requires any one of the following permissions:

> CHANGE_WIFI_STATE

So this issue was fixed only on Android 9, and had been working for years. Any application could secretly determine your location. That's the state of privacy protection on Android. It is difficult to believe that Google developers who are very smart people couldn't foresee it for years.

I googled a little and found a confirmation that this method was working: [4]

[1] https://developer.android.com/reference/android/Manifest.per...

[2] https://developer.android.com/guide/topics/permissions/overv...

[3] https://developer.android.com/guide/topics/connectivity/wifi...

[4] https://blog.trustlook.com/2015/06/02/how-apps-tracking-your...




That's the state of privacy protection on Android. It is difficult to believe that Google developers who are very smart people couldn't foresee it for years.

“It’s difficult to get a man to understand something when his salary depends on him not understanding it”.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: