All Wi-Fi clients must specify the SSID in probes IF they hope to join a "hidden" (a.k.a. "closed", non-broadcast SSID) network.
It's possible that many clients have security optimizations where they make a note of whether any of the remembered/preferred networks were hidden networks, and never bother doing directed (SSID specified) probes if no network they care to try to rejoin was ever known to be a hidden network.
Also, hidden networks usually still have to respond to broadcast (no SSID specified) probe requests, they just respond without the SSID Information Element (IE) or with a zero-length SSID IE, or an SSID IE full of null (0x00) bytes. So it's possible that many clients don't bother doing directed probes unless their broadcast probes show that a hidden network is in range.
So, to REALLY see if your clients could leak an SSID with directed probes even when your network isn't around, follow steps like these:
- Configure an AP to do a hidden network with a new SSID.
- Join that network from the clients under test, and tell them to remember that network (add it to the preferred networks list).
- Turn off your clients for now.
- Turn off that AP but bring up another AP with a different SSID, also in hidden network mode.
- Start up your sniffer and then start up your clients. See if they do directed probes revealing your Step 1 AP's SSID, because they knew it was a hidden network, and they see a hidden network in range.
I suspect Android does it, since i've seen
ap_scan=2
in a android-generatedwpa_supplicant.conf
file. Need to be confirmed though. – BatchyX – 2014-04-06T16:13:42.420