Forcibly blocking location access to apps that currently rely on those APIs to scan for Bluetooth connections would break a lot of apps, and not forcibly blocking it makes it easy for app developers to just continue requesting those permissions even though they no longer need them. The hard part about locking down permissions after the fact like this is that it requires app developers to play ball. , which suggests declaring maxSdkVersion="31" for the ACCESS_FINE_LOCATION permission, since it isn't required for Nearby Connections in Android versions newer than that. This is not entirely true anymore as of Android 12 (API level 32).

> For the application to work, you must give the Android application permissions that let it obtain location information otherwise it won’t work: For Bluetooth scanning, Android requires this permission

The primary issue is that all this data is collected, sent to multiple 3rd parties (AMap being one of them) and none of this was disclosed to consumers when they download the applications. I doubt many devs are aware of this - it took me countless hours to figure out the AMap side of things due to obfuscation techniques in the AMap code. This impacts user experience - just check all the complaints on the 1.75k reviews on the Play store. Literally apps that use the AMap SDK in this way turn the user's handset into a continuous scanner. That said, none of the AMap behavior is disclosed by the application developer. The cell phone tower data (MNC, MCC, LAC, Cell ID) and Wi-Fi BSSID collection is AMap only. The GPS data is being sent to two different companies - the battery monitor developer and AMap.

> Why not mention it's AMap in the tl;dr summary? It's a legitimate mapping service and location SDK.

Hey OP here - I mostly agree with your points in respect to AMap. It's annoying that Google neglected or still neglects this.
GPS doesn't require an additional database lookup from a database which the "spy" may not even have access to, it directly sends latitude, longitude and accuracy. Once I meet other people or walk around some streets, geolocated BLE MAC addresses will be present again, but it still isn't the same as high resolution GPS. I get it that BLE MAC addresses can provide very detailed location information, in my case my thermostats/valves broadcast MAC addresses all the time, so if they are sniffable, it is known that I'm at home, but this is not the case when I'm on my bike or in my car, where maybe there's the address of the bike computer or the car radio, because these are traveling along with me, giving no positional information. I think the issue is, or at least was, that Google assumes that if you are willing to share your location via BLE, which could be guessed by sniffing for BLE MAC addresses, that you're at the same time willing to grant high resolution GPS access.

A battery monitor does not need to know your location. I'd like to think my research / blog posts put pressure on them to start being honest with their customers. The Apple app store also now discloses location data is being sent. If they still use the Alibaba AMap SDK - then that's a third party. It also still says data not sent to any third party. I just checked the BM2 app (subject of the blog post series) and they have updated with the similar detail, updated on the 25th of June 2023, although they say the data is encrypted - will need to verify if this is the case with the latest release. It appears the application is by the same developer.