I have been thinking about what security & privacy risks are associated with allowing 3rd party apps to access the WiFi manager API. One property this API exposes is the MAC address of the wifi adapter. At first glance, exposing the MAC address would seem to be a very significant privacy risk because a) its guaranteed to be globally unique, and b) the user has no easy way to change or cycle this identifier. Currently the API is certified only (only Mozilla and partner apps can get access to this API) but there is a desire to open this up for various legitimate use cases (improved geolocation accuracy via wifi scanning for example).
How important is it to never allow disclosure of the MAC address to 3rd party apps ? Am I overlooking other factors which mean the work in restricting access to the MAC is not such a valuable control ? To me it's similar to [1] which currently is an Implicit Privileged permission [2]. However in that case you can always eat your SIM card if you worried that They are on to you. -Paul [1] https://developer.mozilla.org/en-US/docs/Web/API/MozMobileNetworkInfo [2] This means only apps reviewed by Mozilla Marketplace can get this permission, but users are not prompted before an app can read this
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ dev-privacy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-privacy
