Mobile Security

Security pros have enough to worry about if their staff have Android devices. Here’s another: The Electronic Frontier Foundation says there’s a high risk the device is broadcasting its location history if it isn’t connected to a Wi-Fi network.

In a posting this week on its Web site, the EFF says the vulnerability sends out the names of wireless networks you’ve connected to previously. That may not matter if it’s a coffee shop or an airport, but it does if it’s a place you’d rather people not know about. What makes this a problem is that the locations are broadcast in plain text.

“Location history is extremely sensitive information,” write authors Peter Eckersley and Jeremy Gillula. “We urge Google to ship their fix as soon as possible, and other Android distributors to offer prompt updates containing it.”

In response, Google says it is looking into the issue and may make changes in a future Android release.

Other mobile platforms also have this vulnerability, the authors say.

“In Android we traced this behavior to a feature introduced in Honeycomb (Android 3.1) called Preferred Network Offload (PNO). PNO is supposed to allow phones and tablets to establish and maintain Wi-Fi connections even when they’re in low-power mode (i.e. when the screen is turned off). The goal is to extend battery life and reduce mobile data usage, since Wi-Fi uses less power than cellular data. But for some reason, even though none of the Android phones we tested broadcast the names of networks they knew about when their screens were on, many of the phones running Honeycomb or later (and even one running Gingerbread) broadcast the names of networks they knew about when their screens were turned off.”

The authors offer a workaround that works on some handsets: Go into the Advanced Wi-Fi settings and set the “Keep Wi-Fi on during sleep” option to “Never.” That will, however, cause a “moderate” increase in data and power consumption.

Other solutions include manually deleting the networks you don’t want to broadcast, or, to be really safe, turning Wi-Fi off when you’re not connected to a network.
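
To check on a test handset whether the workaround actually stops the leak, the following added example (not code from the EFF post or from this article) parses already-captured 802.11 probe-request frames and reports which network names the handset sent in the clear. The function names, MAC addresses and frames are constructed for illustration, and the frames are assumed to be raw 802.11 with no radiotap header or FCS.

```python
import struct

PROBE_REQUEST_FC = 0x0040  # management frame (type 0), subtype 4
MGMT_HEADER_LEN = 24       # frame control, duration, 3 addresses, seq control

def leaked_ssid(frame: bytes):
    """SSID named in a probe request; None for other frames or a wildcard probe."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FC != PROBE_REQUEST_FC:      # compare type and subtype bits
        return None
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):             # walk tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:               # truncated element
            return None
        if tag == 0:                         # element ID 0 carries the SSID
            return body.decode("utf-8", "replace") if length else None
        pos += 2 + length
    return None

def audit(frames, device_mac: bytes):
    """Count directed probes per SSID sent by device_mac (bytes 10-15 = source)."""
    seen = {}
    for frame in frames:
        ssid = leaked_ssid(frame) if frame[10:16] == device_mac else None
        if ssid is not None:
            seen[ssid] = seen.get(ssid, 0) + 1
    return seen

def make_frame(src: bytes, ssid: bytes, fc: int = PROBE_REQUEST_FC) -> bytes:
    """Constructed test frame without radiotap header or FCS."""
    bcast = b"\xff" * 6
    header = struct.pack("<HH", fc, 0) + bcast + src + bcast + b"\x00\x00"
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 2, 0x02, 0x04])

TEST_DEVICE = bytes.fromhex("020000000001")  # constructed MAC of the handset under test
SAMPLE = [                                   # constructed capture, screen off
    make_frame(TEST_DEVICE, b""),            # wildcard probe: names nothing
    make_frame(TEST_DEVICE, b"ExampleCafe"),
    make_frame(TEST_DEVICE, b"ExampleCafe"),
    make_frame(TEST_DEVICE, b"ExampleHomeNet"),
    make_frame(bytes.fromhex("020000000002"), b"OtherDevice"),
    make_frame(TEST_DEVICE, b"NotAProbe", fc=0x0080),  # beacon subtype, ignored
]

if __name__ == "__main__":
    for name, count in audit(SAMPLE, TEST_DEVICE).items():
        print(f"leaked in clear: {name!r} x{count}")
```

An empty result for a capture taken with the screen off means the handset sent only wildcard probes during that window.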