A years-old privacy flaw will finally be coming to an end on Android. Many users may not notice the flaw. The flaw is any app can monitor your network activity without your knowledge or permission to see when you connect with a competing app, or perhaps worse. The Android apps can gain full access to your online activities on your device. Though they can’t detect the content of your network calls, but they can sniff any outgoing or incoming connection via TCP/UDP to determine if you are connecting to a certain server. For example, an Android app has the ability to detect when another app on your device connects to a financial institution’s server. Those apps also tell when those apps are connecting to the Internet and where they are connecting to. Apps like Facebook, Twitter, and other social media apps could use this to track your network activity without your knowledge. Obviously, this is a serious privacy bug.
Luckily, a new task has appeared in the Android Open Source Project to “start the process of locking down proc/net.” /proc/net contains a bunch of output from the kernel related to network activity. According to XDA Developers’ report, access to some of your sensitive information will be restricted with the new changes coming to Android’s SELinux rules. Only designated VPN apps can get access to some networking information as the change applies to the SELinux rules of Android P. Other applications seeking access will be audited by the system. For compatibility purposes, it appears that apps targeting API levels < 28 will still have access for now. This means that until 2019 when apps will have to target API level 28, most apps will still have unrestricted access. It is great to see Google finally restrict access to /proc/net after many years of unrestricted access. It’s a very small change that users are unlikely to notice, but the implications for user privacy will be massive. We just hope that this fix is backported for earlier Android versions so it can be applied in a monthly security patch update.
Published by Emerson L. Sullivan & last updated on May 7, 2018 11:22 am