What access does the Nearby Devices permission grant?

AcclaimSublevel19

I tried to make a call with from a messaging app I use and because I have a Bluetooth headset connected, it asked for the Nearby Devices permission. I revoked it now that the call is over. My question is: does this permission weaken my privacy and/or security? Should I leave it on permanently?

Probably9857

AcclaimSublevel19

Not sure if this is generally applicable, but I have denied every app that asks for this permission, including VOIP apps and music players.

My BT headphones still worked in every case so far.

A legitimate use for this permission is network location. I basically assume every other app that wants it is trying to track my location without explicitly requesting that permission. (Not saying that is true...just that I prefer to err on the side of caution.)

de0u

AcclaimSublevel19 The Android Bluetooth stack (which I believe is largely the Linux Bluetooth stack) is somewhat unstable and plausibly offers a fair amount of attack surface, so having it off when you're not using it is arguably prudent. The baseline Android protocol doesn't support MAC randomization, so using Bluetooth will often leak a largely-permanent device identifier to nearby observers. This is all independent of any particular app's interest in Bluetooth information.

With respect to the particular app (not named so far), it's not clear why it should demand the Nearby Devices permission. Perhaps it's just sloppy coding (see "Hanlon's Razor"). The reason for the permission is that apps with sufficient access to Bluetooth could use scanned Bluetooth MAC addresses to determine a device's location even without the Location permission. Personally I don't think I'd leave Nearby Devices on for that app permanently, and I might try to avoid using the app at all.

Maybe ask the app authors what's going on?

AcclaimSublevel19

Interesting. The app refused to work without it. I wish more permissions had ask every time. For this particular app that I don't trust (but everybody uses and all my other options are by Meta, so I chose the least bad), I've made it explicitly ask for microphone permission every time. It seems to be well behaved in that sense (i.e. it only asks for the permission when I initiate a call).

AcclaimSublevel19

Hey @de0u, thanks for the detailed answer!

de0u The baseline Android protocol doesn't support MAC randomization, so using Bluetooth will often leak a largely-permanent device identifier to nearby observers. This is all independent of any particular app's interest in Bluetooth information.

Yeah, that makes sense. I've set it to automatically turn off after 5 minutes of inactivity and I normally turn it off manually once I'm done with it anyway. Honestly if someone wanted to track me, Bluetooth would probably be the least reliable way of doing so, so it's not really a part of my threat model.

de0u With respect to the particular app (not named so far), it's not clear why it should demand the Nearby Devices permission. Perhaps it's just sloppy coding (see "Hanlon's Razor").

It seemed unusual to me as well, that's why I decided to ask here. At least it's only required for using my bluetooth headset and not for all functionality. I guess I'll be walking around with wired headphones more often.

de0u Personally I don't think I'd leave Nearby Devices on for that app permanently, and I might try to avoid using the app at all.

Sounds like a good idea. I wish I didn't need to use the app but I have no other choice in my country, almost everyone uses it (or a couple other much worse apps).

AcclaimSublevel19

BTW how do I mark this thread as solved?