Android has had a security flaw for a while now that almost no one is aware of: apps can monitor the network activity of other apps without even asking for special permissions. To be clear, apps cannot read or detect the content of the network traffic, but they can determine which apps cause incoming or outgoing connections, and they know which servers these apps connect to. Android P is finally putting an end to this.
A recent commit to the Android Open Source Project aims to “start the process of locking down proc/net.” There is currently no restriction on apps accessing /proc/net, so any app can read these files and parse them to reconstruct your device’s network activity. This is something that has to be closed down.
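To make the exposure concrete, here is an added example (not code from the commit or from AOSP) that parses the standard Linux `/proc/net/tcp` layout and shows that each row carries the owning UID next to the remote endpoint. The sample rows are constructed, trailing columns after the inode are omitted, and a little-endian kernel is assumed for address decoding.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 0F02000A:A1B2 0A6433C6:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 23456
"""

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # subset of kernel TCP states


def decode_endpoint(field):
    """Turn '0A6433C6:01BB' into ('198.51.100.10', 443).

    The kernel prints the IPv4 address as a native 32-bit integer, so on a
    little-endian device (assumed here) the bytes appear reversed.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row; the header and short lines are skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue
        rows.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": TCP_STATES.get(cols[3], cols[3]),
            "uid": int(cols[7]),  # UID that owns the socket
        })
    return rows


def remote_peers_by_uid(rows):
    """Group established remote endpoints by owning UID: the metadata
    that unrestricted read access to the file exposes."""
    peers = {}
    for row in rows:
        if row["state"] == "ESTABLISHED":
            peers.setdefault(row["uid"], []).append(row["remote"])
    return peers


if __name__ == "__main__":
    print(remote_peers_by_uid(parse_proc_net_tcp(SAMPLE)))
```

No payload bytes appear anywhere in the file, which matches the point above: the leak is connection metadata attributed to a UID, not traffic content.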
Thanks to changes in Android P, access to some of this information will be restricted. In particular, only designated VPN apps can get access, and only to some of these files. For compatibility purposes, it looks like apps with API levels lower than API 28 will still have access for now. It might take until 2019, when apps will be required to be at API level 28, for Android to better control unrestricted access.
We are hoping to see this change come soon to a version of the Android P Developer Preview, so developers can start testing how it will affect their apps. It’s a very small change, but it will have great implications for the overall security of Android. We can also hope that this fix will be brought to earlier Android versions as well, maybe through a monthly security patch update.