My personal concern for this subject is that I don't want my apps to be able to fingerprint me based on available networks' SSIDs and MAC addresses. First, let me cite a few quotes.
- Daniel M asserts that wifi scanning is impossible without location permissions enabled on an app.
  > Location data including nearby Wi-Fi networks isn't available without the Location permission. Some things need a combination of multiple permissions. Wi-Fi control permission doesn't give access to any sensitive location data without the Location permission too.
- @muhomorr claims that CHANGE_WIFI_STATE is auto-granted, so the GOS user cannot disable that permission.
  > "Wi-Fi control" special access permission maps to OP_CHANGE_WIFI_STATE app-op, which is separate from the CHANGE_WIFI_STATE permission. CHANGE_WIFI_STATE permission has normal protection level, i.e. it's auto-granted and cannot be denied by the user. Many of Wi-Fi APIs (WiFiP2p, WiFiRtt, WiFiAware etc), check only CHANGE_WIFI_STATE and not OP_CHANGE_WIFI_STATE
- This Android developer document on wifi scanning claims that the ACCESS_WIFI_STATE permission is sufficient to invoke WifiManager.getScanResults().
  > A successful call to WifiManager.getScanResults() requires any one of the following permissions:
  > - ACCESS_FINE_LOCATION
  > - ACCESS_COARSE_LOCATION
  > - CHANGE_WIFI_STATE
- The Android developer reference on WifiManager.getScanResults claims that both location permission and CHANGE_WIFI_STATE are needed to receive the output of a wifi scan, though.
  > An app must hold ACCESS_FINE_LOCATION permission and Manifest.permission.ACCESS_WIFI_STATE permission in order to get valid results.
WifiManager.getScanResults gives the caller a full list of ScanResult objects, including SSIDs but also hardware addresses of the access points, frequency bands, and other highly unique identifying information. So the goal for a fingerprinting-averse user is to limit which apps can invoke this method.
So quotes (1) and (4) seem to line up, but they contradict quotes (2) and (3): if apps are "auto-granted" the CHANGE_WIFI_STATE permission on demand, and that permission gives access to WifiManager.getScanResults, then how is access to nearby WiFi AP lists protected by location permission?
I figure @muhomorr and Daniel are probably correct, and it's the android docs for wifi-scanning (3) which are mistaken, especially given the contradiction between (3) and (4).
The only way to know for sure though seems to be to test it with a real app, which I hope the GOS devs have done. Give it location + wifi-control permission and verify it can call WifiManager.getScanResults. Then disable the location permission and verify that method now throws an exception. I would love it if any GOS devs can confirm this was checked.
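
The check described in the post, sketched as an added example (not part of the original post and not GrapheneOS code). It assumes a throwaway test app whose manifest declares ACCESS_WIFI_STATE, CHANGE_WIFI_STATE and ACCESS_FINE_LOCATION; `ProbeResult`, `probeScanAccess` and `logProbe` are hypothetical names. It records only an access-point count, never SSIDs or BSSIDs.

```kotlin
import android.Manifest
import android.annotation.SuppressLint
import android.content.Context
import android.content.pm.PackageManager
import android.net.wifi.WifiManager
import android.util.Log

// Outcome of one probe run. Compare a run with Location granted against a
// run with Location revoked, in the same place, shortly after each other.
data class ProbeResult(
    val granted: Map<String, Boolean>, // permission state at call time
    val apCount: Int,                  // -1 if the call threw
    val error: String?                 // SecurityException message, if any
)

@SuppressLint("MissingPermission") // the point is to call without the permission
fun probeScanAccess(context: Context): ProbeResult {
    val perms = listOf(
        Manifest.permission.ACCESS_FINE_LOCATION,
        Manifest.permission.ACCESS_COARSE_LOCATION,
        Manifest.permission.ACCESS_WIFI_STATE,
        Manifest.permission.CHANGE_WIFI_STATE
    )
    val granted = perms.associateWith {
        context.checkSelfPermission(it) == PackageManager.PERMISSION_GRANTED
    }
    val wifi = context.applicationContext
        .getSystemService(Context.WIFI_SERVICE) as WifiManager
    return try {
        // A denial may surface as an exception or as an empty list, so
        // record both instead of assuming one of them.
        ProbeResult(granted, wifi.scanResults.size, null)
    } catch (e: SecurityException) {
        ProbeResult(granted, -1, e.message)
    }
}

fun logProbe(context: Context) {
    val r = probeScanAccess(context)
    Log.i("ScanProbe", "granted=${r.granted} apCount=${r.apCount} error=${r.error}")
}
```

An empty list with Location granted can also mean there is no cached scan yet, so only the difference between the two runs is meaningful.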