Android 6.0 Improves Wi-Fi Privacy

Last night (October 8, 2015), I checked my Nexus 5 to see if Android 6.0 (Marshmallow) was available, as I wanted the new permissions manager and the longer battery life that are in 6.0. I upgraded my phone to build MRA58K and “Android security patch level” “October 1, 2015” without incident. When I started looking through the permissions manager, none of the applications showed a permission for WiFi; Best WiFi showed no permission requests, and WiFi Analyzer only showed storage. A quick test showed that WiFi Analyzer no longer shows signal graphs; I sent a note to farproc, the firm that does WiFi Analyzer, and got a note back that in Android 6.0, location services must be turned on in order for Wi-Fi scanning to work (he plans to add a prompt). I turned location services on and it works as before. Best WiFi does not appear to work, but the function looks like it has been added to the base Android, as my phone switched access points as I moved around the house.

After spending some time with the Android 6.0 APIs, I think the big news in this release are privacy and security improvements that go far beyond the ability to turn permissions off at the application level.

The article is divided into the following sections:

How WiFi has Changed in Android 6.0

In looking through permissions (and turning off a few), I noticed that there were a number of apps that had previously shown a permission for accessing WiFi information; this can be used to get an approximate location and identification through the MAC address of the WiFi adapter. It looks like this API has changed in Android 6.0. For more information on how the WiFi permissions were abused, see 12 Most Abused Android App Permissions on the Trend Micro site.

The Android 6.0 API section Wi-Fi and Networking Changes indicates that apps can still create network objects, but cannot access objects created by other applications.

“Best WiFi” Function is Now in Base Android

The Best WiFi app is one of the most useful apps around–when the signal strength gets below a threshold that you set, it automatically switches to a stronger SSID that is in your list of defined SSIDs. If you have to have multiple access points to cover your whole house, this is wonderful. Much to her chagrin, my wife’s iPhone does not do this, nor are then any apps to do this.

This function has been included in Android 6.0, as my phone now switches between access points even after I uninstalled Best WiFi. This is a great addition to the base Android. I thank the author of Best WiFi for writing one of the most useful apps, and one that I will continue to use on some older Android devices.

“WiFi Analyzer” Requires Location Services

WiFi Analyzer is an extremely useful application that gives you a graphical interference chart for all of the nearby WiFi access points as shown in Figure 1. It makes diagnosing signal problems much, much easier (see Diagnosing Problems with Streaming Services on Smart TVs). On Android 6.0, this application now requires turning on location services.

Figure 1. A WiFi signal interference graph shown in the WiFi Analyzer Android Application.
A WiFi signal interference graph shown in the WiFi Analyzer Android Application

T-Mobile Visual Voicemail is Broken

T-Mobile’s Visual Voicemail app is broken as of October 19, 2015. It seems like it was broken for several months when Android 5.0 came out too. As of October 23, 2015, it is working again. The fixed app prompted for phone-state permissions, and once granted, it started working. In working through the new Android permissions, I disabled phone state for a number of applications; Visual Voicemail might have worked had I not done this.

If an app is not working, it may make sense to revisit the permissions that you have revoked from the app.

MagicJack VOIP App was Temporarily Broken

The MajicJack VOIP Android app is broken until October 23, 2015. The MajicJack VOIP physical device and everything else worked, just not the Android app. As of October 23, 2015, everything works.

Battery Life is Much Better in Android 6.0

Historically, my phone will go from 100% to about 20% in 17 hours with location services turned off. On Android 6.0, I forgot it and left it overnight on a rescue boat at the sailing club; when I picked it up the next day, is was only down to about 70%– after 30 hours. When I plugged it in at the end of the day it was still 20% or so after 41 hours. The battery life improvement claims appear to be very real.

General Permissions Changes in Android 6.0

The big change in Android 6.0 is the addition of user overrides for application permission requests. To change permissions for your installed applications, go to Settings->Apps. You can change the permissions for a single app by selecting the app, as shown in the permissions for the Calendar app in Figure 2.

Figure 2. Setting the permissions for a single application in Android 6.0.
Turning off permissions to phone ID and caller status

This is a useful interface, but most users will want to go to Settings->Apps->App Permissions where you can look at all apps that have requested a particular permission as shown in Figure 3. Contacts, Phone and Location are permissions that are frequently abused; as you can see, I have revoked permissions for a number of apps that should not need this information to work. I may have to go back and add some permissions, but I do not plan to do that unless the app breaks and I can’t find a replacement.

Figure 3. Android 6.0 gives and overview of the apps that have selected each permission in Settings->Apps->App Permissions.
Android 6.0 gives and overview of the apps that have selected each permission in SettingsApps->App Permissions" />

Read Phone State and Identity

This permission is very commonly used in Android–40 apps on my phone requested it. It allows the app to get your phone number and the numbers of anyone that you are talking to. It was widely used and abused for targeted ads. In Android 6.0, you can now turn off the permission as shown in Figure 3. Getting to this screen is not trivial, as you must go to Settings->Apps->Settings->App Permissions. I may have to turn some of the permissions back on (GoPass for Dallas Area Rapid Transit may have to get it back) but most of these applications do not need this permission.

Figure 3. Turning off permissions to phone ID and caller status in Android 6.0.
Turning off permissions to phone ID and caller status in Android 6.0

Shopper Tracking in Android 6.0

Shopper tracking technology like that described in the Wall Street Journal Article Tracking Technology Sheds Light on Shopper Habits and in the IT World article Attention Shoppers: Retailers can now track you accross the mall is probably still possible though the WiFi mac address, although the Android 6.0 APIs section on Access to Hardware Identifier indicates that in some circumstances the MAC address will be randomized, making some forms of this tracking more difficult. Requiring location services for WiFi scanning may make it easier to avoid tracking by just disabling Location Services instead of having to enable/disable Wi-Fi time you leave home.