Cwa-app-android: Hide Bluetooth-Name and MAC-Adress to unknown devices

Thank you for your suggestion!

I am afraid this will require the app to have the Bluetooth_Admin system permission. According to the service terms we are not allowed to request those permissions (see 3.c.i).

@jbfirefox Can you say a bit more about the severity of this issue? Do I understand you correctly, that in addition to the Exposure API beacon with changing Mac address, when switching on Bluetooth for the app to work, certain phones also by default send another MAC address that doesn't change?
If that was the case, this indeed would be a bit of a privacy issue that should get attention. If it's not possible to fix within the CWA, it may still be possible to issue a warning and recommend installation of the app you mentioned or a similar one.
I'm curious to hear your thoughts.

All MIUI phones are always discoverable when BT is on. So you can get random pairing requests or get your real MAC and name logged by other BT devices. It isn't save to use CWA with MIUI when you do not activate "invisible mode" through such an third-party-app!

https://forum.xda-developers.com/poco-f1/help/miui-disable-bluetooth-discoverable-t3903419

@jbfirefox If this is true, this is a noteworthy privacy issue that may not have gotten the attention it deserves. Has this been mentioned anywhere in FAQs or Security/Privacy-reviews?

All I can hear is that there's no privacy risk. But in this case. In a way this is similar to the concern that having to switch on location permission allows other apps to start tracking your location. Even if CWA doesn't use it, CWA forces you to enable location and thus allows other apps to piggyback.

It may be worth reporting this to Google on its GAP API repo/feedback-mailing list. Probably not much that can be done other than raise awareness of this issue and publicise workarounds sadly.

@corneliusroemer this only applies to MIUI devices, probably it's something that should be addressed by MIUI neither Google nor CWA can do anything to change that.

@seanlilmateus Sure, can only be fixed by MIUI - but it means CWA aggravates privacy issues that MIUI people have by forcing them to enable Bluetooth.

@corneliusroemer
the usage of the app is still voluntary, and voluntary means after weighing up the positive and negative effects:
This App doesn't aggravate anything, the usage of app, show the insecurity of the system. By the way if I remember correctly there is an CVE-2020-0022 for that.

IMHO there might be 3 options:

1. inform users that they are using an insecure system, but there could be legal consequences (_"Aufklärung"_, but I can tell you that there are more Android devices on the markt with such limitations, than the FAQ could cover).
2. Block the usage of the App on MIUI devices, then we should also block the usage on certain devices that don't have specific Android security Patch level that include Bluetooth security fixes ?
3. Leave as it is, because the responsible citizens decided to use a system with such limitation / security problems.

PS: I know that this discussion doesn't belong here, sorry for that (Pandora's box)