The names of the WiFi networks to which you connect probably say a lot about you. Did you just come back from an airport? Do you work at X company? Do you spend your days at Y cafe? Your Android phone might be broadcasting this information for anyone within WiFi range to see, according to research by the Electronic Frontier Foundation (EFF), a San Francisco-based nonprofit that advocates digital privacy.
Some devices running Android 3.1 (Honeycomb) or later broadcast the names of the last 15 WiFi networks to which the device connected — even when the device’s screen is turned off, the EFF found. Google already appears to be working on a fix for the issue, and in the meantime you can take some simple steps to prevent this data leakage.
This issue could be especially serious if the WiFi networks have revealing names, because then anyone within WiFi range of your phone might discover your name (from your home network), your workplace (from your work network), or any schools, restaurants, doctor’s offices, airports, and other locations you recently visited.
This behavior is part of an Android feature found in Android 3.1 and later, the EFF wrote on its blog. Called Preferred Network Offload (PNO), it was designed to help phones connect to WiFi networks even in low-power mode. PNO is itself built using an open-source piece of software called “wpa_supplicant” used in several Linux distributions, of which Android is one.
However, not all Android phones leak the previous 15 WiFi network names. The Samsung Galaxy S series does not, for example (though the EFF apparently did not test the Samsung Galaxy S5). Phones that are affected include the HTC One, the Nexus 4 and 5, the Samsung Galaxy Nexus and the Motorola Droid 3 and 4.
The EFF also tested iOS devices and found that iOS 6 and 7 devices did not experience similar issues. However, one of several iPads running iOS 5 did.
It’s not just Android devices, either: “Many laptops are affected, including all OS X laptops and many Windows 7 laptops.” However, EFF considers laptops to be less of a privacy threat, since they are not continuously on while people walk around with them.
Google released a response to EFF’s findings, saying: “We take the security of our users’ location data very seriously and we’re always happy to be made aware of potential issues ahead of time. Since changes to this behavior would potentially affect user connectivity to hidden access points, we are still investigating what changes are appropriate for a future release.”
In the meantime, the EFF says you can plug this WiFi hole by going into your phone’s Advanced Wi-Fi settings (the location varies between Android models) and changing the “Keep Wi-Fi on during sleep” setting to “Never”.
However, this technique did not work on the Motorola Droid 4 running Android 4.1.2. In that case, EFF says you would need to make the phone “forget” each WiFi network by tapping the WiFi network’s name and selecting Forget. Manually turning off the phone’s WiFi, or installing an app that will automatically turn WiFi off for you, will do the trick as well.