Two privacy issues with broadcasts in Android OS are expected to be fixed in Android Q / 10, which will be released in early September of 2019. You can see the details in Google’s security bulletin available here. Some of these fixes were not available for earlier versions of Android.
We originally discovered these in the spring of 2018, and they were disclosed via a talk at BSides DE late last year. Details are available as follows:
- Blog Post: Sensitive Data Exposure via RSSI Broadcasts in Android OS [CVE-2018-9581]
- Blog Post: Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]
- Presentation: “A Tale of Three Brothers: Three Android Privacy Bugs” (BSides DE 2018) [CVE-2018-9489 / CVE-2018-9581 / CVE-2018-15835]