How to Detect a Weak Wi-Fi: Guide to In-App Network Security Checks

In today's interconnected world, the security of user data is paramount. For mobile applications, this responsibility extends beyond the app itself to the environment it operates in—including the Wi-Fi network the device is connected to. A connection to an access point (AP) employing outdated or compromised security protocols can expose users to significant risks, such as data interception and man-in-the-middle attacks.

This article details a pragmatic, "one-size-fits-all" approach for Android developers to identify weakly secured Wi-Fi connections. We aim to balance robust detection with a user experience that avoids unnecessary alarm for networks that, while perhaps not bleeding-edge, are still adequately secure for general use.

The "One-Size-Fits-All" Philosophy: Defining "Weak"

The core challenge lies in creating a consistent definition of a "weak" Wi-Fi network that can be applied across different Android versions, which offer varying APIs for network inspection. Our "one-size-fits-all" rule focuses on flagging protocols that are unambiguously compromised or offer no real protection.

The Blacklist: Clearly Insecure Protocols

To implement this, we establish a blacklist of security configurations that should trigger a warning:

  1. Open (Traditional, Unencrypted): Networks with no password and no encryption. On Android S (API 31) and above, this corresponds to WifiInfo.SECURITY_TYPE_OPEN. For older versions, this is inferred by the absence of WPA/WPA2/WPA3/OWE markers in the AP's advertised capabilities.

  2. WEP (Wired Equivalent Privacy): A notoriously broken and deprecated protocol. Represented by WifiInfo.SECURITY_TYPE_WEP on Android S+ and the presence of "WEP" in the capabilities string on older versions.

  3. WPA1 (Wi-Fi Protected Access - PSK/TKIP/CCMP): While an improvement over WEP, WPA1 has known vulnerabilities (especially TKIP) and is significantly weaker than WPA2. This is primarily identified in the legacy path (pre-Android S) by finding "WPA" in the capabilities string without stronger WPA2 or WPA3 indicators. The modern WifiInfo.SECURITY_TYPE_PSK often groups WPA1 and WPA2, making specific WPA1 flagging on S+ tricky without more granular (and often unavailable) system information. For a "not too alarming" approach, if SECURITY_TYPE_PSK is encountered, we generally don't flag it as weak to avoid flagging robust WPA2-PSK networks.

  4. Unknown Security: If the Android system cannot determine the security type of the connected network (WifiInfo.SECURITY_TYPE_UNKNOWN on S+), it's prudent to consider this a potential risk. In the legacy path, this is approximated by encountering very minimal or unparseable capability strings that don't indicate any known security protocol.

What We Don't Blacklist (To Avoid Over-Alarming):

  • OWE (Opportunistic Wireless Encryption / Wi-Fi Enhanced Open): While it doesn't use a pre-shared key, OWE does provide encryption for open networks, significantly improving privacy over traditional open Wi-Fi. Flagging this could cause undue concern. Identified as WifiInfo.SECURITY_TYPE_OWE on S+ and by an "OWE" marker (or absence of "OPEN" markers if "OWE" is present) in legacy capabilities.

  • WPA2-PSK (with AES/CCMP): The long-standing secure standard for personal networks. Covered by WifiInfo.SECURITY_TYPE_PSK on S+ and various "WPA2" or "RSN" markers in legacy capabilities.

  • WPA3 (SAE/Enterprise): The current leading security standard. Represented by WifiInfo.SECURITY_TYPE_SAE (and enterprise variants) on S+ and "WPA3" or "SAE" markers in legacy capabilities.

Practical Implementation for Developers

A robust check involves these key steps:

  1. Permissions: Ensure your app has ACCESS_WIFI_STATE and ACCESS_FINE_LOCATION permissions. Location is crucial for accessing Wi-Fi scan results (pre-S) and detailed connection information (SSID on Q+).

  2. Connectivity Check: First, verify the device is actively connected to a Wi-Fi network. Use ConnectivityManager to check for an active network and ensure its transport type is NetworkCapabilities.TRANSPORT_WIFI. Also, verify WifiInfo provides valid details (e.g., networkId != -1, non-null BSSID/SSID). If not connected to Wi-Fi, the security check is moot.

  3. API Version Branching (SDK_INT):

    • Android S (API 31) and above: Utilize WifiInfo.currentSecurityType. Compare this integer value against our defined blacklist constants (SECURITY_TYPE_OPEN, SECURITY_TYPE_WEP, SECURITY_TYPE_UNKNOWN).

    • Pre-Android S: This path is more heuristic.

      • Retrieve the WifiInfo for the connected network to get its SSID.

      • Perform a Wi-Fi scan using WifiManager.scanResults.

      • Find the ScanResult that matches the connected SSID.

      • Parse the capabilities string of this ScanResult. Look for the presence of "WEP", or the absence of "WPA"/"RSN"/"OWE" (indicating traditional Open), or the presence of "WPA" without stronger WPA2/WPA3 indicators (indicating WPA1).

  4. Incident Reporting/User Notification: If a blacklisted protocol is detected, inform the user or log the incident appropriately.
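
The pre-Android S capabilities parsing from step 3, as an added example (not code from the original article). It is plain Kotlin with no Android imports: Ap is a hypothetical stand-in for ScanResult, the sample strings are constructed, and treating an empty or unmatched entry as UNKNOWN is an assumption.

```kotlin
enum class WifiVerdict { OK, OPEN, WEP, WPA1, UNKNOWN }

// Hypothetical stand-in for the two ScanResult fields the check needs.
data class Ap(val ssid: String, val capabilities: String?)

private val TOKEN = Regex("""\[([^\]]+)\]""")

fun classifyLegacyCapabilities(capabilities: String?): WifiVerdict {
    // Split "[WPA2-PSK-CCMP][ESS]" into tokens; substring matching on the raw
    // string would let "WPA" match "WPA2" and misreport WPA2 networks as WPA1.
    val tokens = TOKEN.findAll(capabilities.orEmpty())
        .map { it.groupValues[1].uppercase() }.toList()
    // Assumption: no parseable token at all is treated as unknown, not open.
    if (tokens.isEmpty()) return WifiVerdict.UNKNOWN
    if (tokens.any { it.startsWith("WEP") }) return WifiVerdict.WEP
    val strong = tokens.any {
        it.startsWith("WPA2") || it.startsWith("WPA3") || it.startsWith("RSN") ||
            "SAE" in it || "OWE" in it
    }
    if (strong) return WifiVerdict.OK   // includes WPA/WPA2 mixed mode
    if (tokens.any { it == "WPA" || it.startsWith("WPA-") }) return WifiVerdict.WPA1
    return WifiVerdict.OPEN             // only flags such as [ESS] or [WPS] remain
}

// WifiInfo reports the SSID wrapped in double quotes; ScanResult does not.
fun verdictForConnected(connectedSsid: String, scan: List<Ap>): WifiVerdict {
    val ssid = connectedSsid.removeSurrounding("\"")
    // Assumption: a connected network missing from the scan list is unknown.
    val match = scan.firstOrNull { it.ssid == ssid } ?: return WifiVerdict.UNKNOWN
    return classifyLegacyCapabilities(match.capabilities)
}

fun main() {
    // Constructed sample scan entries, not captured from a real device.
    val scan = listOf(
        Ap("cafe", "[ESS]"),
        Ap("legacy", "[WEP][ESS]"),
        Ap("old-router", "[WPA-PSK-TKIP][ESS]"),
        Ap("mixed", "[WPA-PSK-TKIP+CCMP][WPA2-PSK-CCMP][ESS]"),
        Ap("home", "[WPA2-PSK-CCMP][RSN-PSK-CCMP][ESS][WPS]"),
        Ap("guest-owe", "[RSN-OWE-CCMP][ESS]"),
        Ap("blank", "")
    )
    for (ap in scan) {
        val reported = "\"${ap.ssid}\""   // the quoted form WifiInfo would report
        println("${ap.ssid} -> ${verdictForConnected(reported, scan)}")
    }
}
```

Several access points can advertise the same SSID with different capabilities, so comparing the connected BSSID as well avoids classifying the wrong entry.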

Conclusion

By implementing such a Wi-Fi security check, developers can empower their applications to identify potentially hazardous network environments. This "one-size-fits-all" approach, focusing on unambiguously weak protocols, provides a valuable layer of situational awareness for the user without causing unnecessary alarm. It’s a pragmatic step towards fostering a more secure mobile experience, acknowledging the diverse capabilities of the Android ecosystem. Remember that while this check identifies AP capabilities, the actual security also depends on factors like strong passwords and AP firmware integrity, which are beyond an app's direct control but contribute to the overall risk assessment this feature helps initiate.
