No need to ask the Android: bluetooth-low-energy scanning without the location permission

ABSTRACTBluetooth-Low-Energy (BLE) scanning can be misused by applications to determine a device location. In order to prevent unconsented location tracking by applications, Android conditions the use of some BLE functions to the prior obtention of the location permission and the activation of the location setting. In this paper, we detail a vulnerability that allows applications to perform BLE scans without the location permission. We present another flaw allowing to bypass the active location requirement. Together those flaws allow an application to fully circumvent the location restrictions applying to BLE scanning. The presented vulnerability affects devices running Android 6 up to 11 and could be misused by application developers to track the location of users. This vulnerability has been disclosed to Google and assigned the CVE-2021-0328.