At Malloc we are building a mobile app, called Malloc Privacy and Security VPN (previously Antistalker), to monitor and prevent anyone from recording or transmitting your data from your device without you knowing.
One of the features of Malloc Privacy and Security VPN is a Permission Manager that highlights apps that hold camera, microphone and the recently launched the “Nearby devices permission” for Android 12 devices. We have identified that many popular apps such as Facebook and Reddit currently use that permission and is granted by default.
The “Nearby devices permission” was launched by Google as a privacy improvement, specifically targeting companion apps when setting up watches and headphones. Before Android 12, the ability to scan for nearby Bluetooth or Wi-Fi devices was tied to Android’s broader “location” permission. Android 12, introduced this permission for apps that only want to scan nearby Bluetooth devices and don’t necessarily want to use the location. This is a move from Google towards respecting users’ privacy, since it might result into fewer apps requesting access to your location, when all they need is Bluetooth to work.
We need however to be conscious, since there is a hidden privacy thread. Even if you do not provide access to your location, an app may infer your location by exploiting the location of bluetooth-enabled “nearby devices”. To give a simple example, if you haven’t shared your location with Facebook, but you are sitting next to a friend that has, Facebook can identify your location through bluetooth and the “nearby devices” access. You can check and restrict apps from using this permission from the Permission manger.
Your connection to Cell towers, wifi-networks and your proximity to bluetooth-enabled devices can reveal a very accurate estimation of your location. When combined with accelerometer and other movement data from your device then this estimation can be highly improved.
It’s about time we call for accountability — tech companies shall inform us when estimations are made about us, provide us with clear explanations about them and be fully transparent about how our data are being collected and used.
Relevant tags:
Published on Medium
