3

I have a mobile phone running Android 6.0.1. Even when the phone is locked, I can still access various settings from the quick settings menu; one of those is the wifi setting. However, when I enable it, I need to unlock my phone. What threat(s) are they trying to prevent by forcing me to do that?

I know that by enabling wifi, my phone will try to connect to all APs with the same name as the one I have saved, and if there is no password, it will connect. But what is the worst that could happen?

duongntbk

2 Answers

3

When you enable WiFi your phone will broadcast all the known SSIDs it has been connecting to. So let's assume one of the SSIDs you've been connected to is called "StackExchange" without a password, and you're running some highly sensitive application which is sharing information over a non-encrypted connection, and you have automatically connect ticked (which is done by default).

I would be able to use AirCrack-NG to spoof an SSID "StackExchange", which would make your phone connect to my AP; then I would be able to sniff all your packets, and then it would open your phone to attack.

Paul
  • I agree that your scenario is possible. But if I run a sensitive application over a non-encrypted channel then I have a much bigger problem that simply requiring a password to enable wifi cannot fix. – duongntbk Sep 30 '16 at 04:41
1

The second part of "if there is no password, it will connect" may be the problem. You may have services on that network claiming to be someone else. Being that a lot of apps do regular checks for recent data, you might be hacked by trying to access your data through those false services.

Also, this might be an old restriction habit of UNIX platforms: hardware settings can only be done by elevated users. The Android lock screen might run as a downgraded-privilege user.