A years-old privacy flaw will finally be coming to an end on Android. It’s an issue you’ve probably never heard of, but one that you should absolutely be concerned about. Currently, apps on Android can gain full access to the network activity on your device—even without asking for any sensitive permissions. These apps can’t detect the content of your network calls, but they can sniff any outgoing or incoming connection via TCP/UDP to determine if you are connecting to a certain server. For instance, an app can detect when another app on your device connects to a financial institution’s server. Don’t believe me? Just download one of the many netstat apps on the Play Store and see for yourself.
Netstat Plus app detecting that my phone connected to Chase Bank.
Any app could detect not only what other apps on your device are connecting to the Internet, but they could also tell when those apps are connecting to the Internet and where they are connecting to. Obviously, this is a serious privacy hole that Google is finally addressing, but the malware implications are also pretty serious (we’re not going to go into further details as to not give anyone ideas.) I’ve heard of a few shady apps on the Play Store using this method to detect when you connect to services that they disapprove of. Apps like Facebook, Twitter, and other social media apps could use this to track your network activity without your knowledge.
Fixes coming to Android P
A new commit has appeared in the Android Open Source Project to “start the process of locking down proc/net.” /proc/net contains a bunch of output from the kernel related to network activity. There’s currently no restriction on apps accessing /proc/net, which means they can read from here (especially the TCP and UDP files) to parse your device’s network activity. You can install a terminal app on your phone and enter
cat /proc/net/udp to see for yourself.
But thanks to new changes coming to Android’s SELinux rules, access to some of this information will be restricted. In particular, the change applies to the SELinux rules of Android P and it means that only designated VPN apps can get access to some of these files. Other applications seeking access will be audited by the system. For compatibility purposes, it appears that apps targeting API levels < 28 will still have access for now. This means that until 2019 when apps will have to target API level 28, apps will still have unrestricted access.
We’ll likely see this change land in a future Android P Developer Preview. If you are using a custom ROM such as CopperheadOS, then you’re already secure as these SELinux changes have been made years ago. We’re glad to see Google finally restrict access to /proc/net after many years of unrestricted access. It’s a very small change that users are unlikely to notice, but the implications for user privacy will be massive. We just hope that this fix is backported for earlier Android versions so it can be applied in a monthly security patch update.
Correction: the initial version of this article reported that the fixes would be coming to Android 7.1+. After discussing with developers well-versed in SELinux, it appears that the change applies to apps targeting API level and 28 on Android P rather than actually backporting the fixes to Nougat.