Unbeknownst to most users (myself included until recently), Android apps on current and previous versions of the OS get unrestricted access to your network activity. There's no permission for you to accidentally say okay to, it's just allowed for all. This means that any app can detect when another app is connecting to an external server, and while the content is not visible, even just the source of the connection could be used for a nefarious purpose.
With a renewed focus on privacy and data collection, not least in the wake of the recent Facebook scandals, this type of potential security flaw clearly needs to be addressed. Thankfully, the next version of Android is going to do exactly that. According to a new AOSP commit, apps targeting API 28 (Android P) will no longer be able to monitor network activity, closing the door on tracking that is currently possible through this method.
As XDA Developers explains, access to proc/net is going to be tightened up so that only designated VPN apps will be allowed to read TCP and UDP files (and in turn interpret network activity). Unfortunately, as this only affects apps targeting API 28, most will continue to enjoy unrestricted access until 2019 when they are forced to target that level.
It's also unclear if this change will make its way to past Android versions, so at least to begin with, newer devices using updated apps will be more secure but the problem will still exist for past models. It's also not clear how this will affect specific network monitoring apps such as Network Monitor Mini, but there may be an official workaround to allow those apps to keep functioning.
We may well find out more about this at Google I/O this week when the second developer preview for Android P is introduced. And while it may not be a change that most people will ever have any reason to think about, it will certainly be comforting for the more privacy-conscious users out there.
- XDA Developers