@colbymoore
“sources a global contingent of vetted security experts worldwide and
pays them on an incentivized basis to discover security vulnerabilities in
our customers’ web apps, mobile apps, and infrastructure endpoints.”
ABOUT
always looking for
more experts!
@colbymoore
/VRL  /SYNACK
vetted researchers
internal R&D
backed by google
geolocation bugs, hacks, & fixes
AN OUTLINE
all things geo case study fixes/conclusions
}
}
code bugs
lots of bugs
tracking users
ALL THINGS GEO
overview, code, & bugs
incorporating geolocation is the norm
GEOLOCATION IN MOBILE APPS
74% of smart phone users get info
based on their phone’s current location
Use Geo
No Geo
social
recommendations
tracking
health & fitness
commerce
navigation
“84% inquire about location”
HOW IS GEOLOCATION ACCOMPLISHED (IOS)?
create delegate start
“The CLLocationManager class is the central point
for configuring the delivery of location-related events
to your app.” apple.com
wait/handle
using the Core Location Manager
‘doing it’ in Swift
GEOLOCATION (IOS)
    //required frameworks (UIKit for UIViewController, CoreLocation for the location manager)
    import UIKit
    import CoreLocation

    //conform to CLLocationManagerDelegate
    class ViewController: UIViewController, CLLocationManagerDelegate {

        //[1] CREATE (instance of) location manager
        let locationManager = CLLocationManager()

        //app delegate function
        override func viewDidLoad() {
            super.viewDidLoad()

            //[2] set DELEGATE
            self.locationManager.delegate = self;

            //request auth
            self.locationManager.requestWhenInUseAuthorization()

            //[3] START collecting location
            self.locationManager.startUpdatingLocation()
        }

        //[4] WAIT/HANDLE, delegate (callback) function
        func locationManager(manager: CLLocationManager!, didUpdateLocations locations: [AnyObject]!) {

            //do whateverz
            // ->user’s location is in manager.location.coordinate.(longitude/latitude)
        }
    }
os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
NSLocationWhenInUseUsageDescription:
    //request auth for foreground
    self.locationManager.requestWhenInUseAuthorization()
App’s Info.plist
iOS alert
code for auth request
“allow the app to get location updates
only when the app is in the foreground”
os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
    //request auth for foreground and background
    self.locationManager.requestAlwaysAuthorization()
App’s Info.plist
iOS alert
code for auth request
“allows the app to receive location updates
both when the app is in the foreground and in
the background (suspended or terminated)”
NSLocationAlwaysUsageDescription:
…bad for users!
GEO CAN ‘LEAK’ IF THE APPLICATION IS BUGGY
“the government”
hackers
“spies could be lurking to snatch data
revealing the [app] player’s location”
-nytimes.com
thieves
criminals
…so what!?
THEY KNOW YOUR LOCATION
“investigators said the suspects used social networking
sites such as Facebook to identify victims who posted
online that they would not be home at a certain time” 

-thieves robbed homes based on facebook [3]
“a [geo]location allows perpetrators the perfect window to
commit a burglary, vandalism, or even a home invasion” 

-criminal use of social media [2]
“[geolocation] generates a precise, comprehensive record
of a person’s public movements that reflects a wealth of
detail about her familial, political, professional, religious,
and sexual associations” 

-u.s. v. jones [1]
1) http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol

2) http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf

3) http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116
can compromise a user’s physical location
COMMON CLASSES OF GEO BUGZ
insecure network comms
insecure local storage
location spoofing
buggy server-side APIs
overly precise location
UI errors/validation
may allow passive attackers access to geo
INSECURE NETWORK COMMS
insecure network comms
use unencrypted comms
allow self-signed certificates
forget to pin certificates
do not do these things!
find such bugs with a proxy
INSECURE NETWORK COMMS
https://
https://
http://
proxy (burp) config
device config
does the app accept self-signed certificates?
INSECURE NETWORK COMMS
    MOVT    R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
    ADD     R8, PC                  ; classRef_NSURLRequest
    MOV     R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
    ADD     R2, PC
    LDR     R4, [R2]                ;"setAllowsAnyHTTPSCertificate:forHost:"
    LDR     R5, [R8]                ;_OBJC_CLASS_$_NSURLRequest
    MOV     R0, R5                  ;_OBJC_CLASS_$_NSURLRequest
    MOV     R1, R4                  ;"setAllowsAnyHTTPSCertificate:forHost:"
    MOVS    R2, #1                  ;’YES’
    MOV     R3, R8                  ; the host
    BLX     _objc_msgSend
class
method
allowing a self-signed certificate (iOS)
setAllowsAnyHTTPSCertificate:forHost:
invoke method
did the app forget to pin certificates?
INSECURE NETWORK COMMS
non-jailbroken device
+
hacker’s cert
can MitM the connection
“SSL pinning is an extra layer of security that
ensures a client will only communicate with
a well-defined set of servers”
stolen or lost phones may compromise user’s geo
INSECURE LOCAL STORAGE
insecure local storage
store in unencrypted files
again, bad!
}
plists, logfiles, databases
find such bugs with filemon & fileDP
INSECURE LOCAL STORAGE
	
    //dump file attributes
    NSLog(@"attrs: %@", [[[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil]
        objectForKey:NSFileProtectionKey]);
display file’s protection attributes (iOS)
    # ./filemon
    Wheres_Waldo Created /Application Support/analytics/location.db-journal
    DEV: 1,3 INODE: 121171 MODE: 81a4 UID: 501 GID: 501 Arg64: 300649589561
    Wheres_Waldo Renamed /Preferences/lastKnownLocation.plist.l0mitdo
    DEV: 1,3 INODE: 121172 MODE: 8180 UID: 501 GID: 501
monitoring app’s file I/O
on iOS, always check the user’s default plist
INSECURE LOCAL STORAGE
    MOV     R1, #(selRef_standardUserDefaults-0x5917A)
    ADD     R1, PC
    LDR     R1, [R1]                ;"standardUserDefaults"
    MOV     R0, #(classRef_NSUserDefaults-0x591A2)
    ADD     R0, PC
    LDR     R0, [R0]                ;_OBJC_CLASS_$_NSUserDefaults
    BLX     _objc_msgSend           ;[NSUserDefaults standardUserDefaults]
    MOV     R3, #(cfstr_geoInfo-0x591D6)
    ADD     R3, PC                  ;"geoInfo"
    LDR     R2, [SP,#0xB4+usersGeo] ;geo data
    MOV     R1, #(selRef_setObject_forKey_-0x591D6)
    ADD     R1, PC
    LDR     R1, [R1]                ;"setObject:forKey:"
    BLX     _objc_msgSend           ;[userDefaults setObject: forKey:]
app’s /Library/Preferences/
with NSFileProtectionNone
App’s IDA disassembly
App’s ‘User Defaults’ plist
    <dict>
        <key>geoInfo</key>
        <dict>
            <key>homeLong</key>
            <real>73.242539</real>
            <key>homeLat</key>
            <real>34.169308</real>
            ...
        </dict>
    </dict>
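A stdlib check for this class of bug, added here as an example (it is not code from the slides or from Synack): parse the app's user-defaults plist, which NSUserDefaults writes to Library/Preferences with no file protection as the disassembly above shows, and report numbers stored under latitude/longitude-looking keys. SAMPLE_PLIST is constructed to mirror the slide's dictionary; the keys beyond homeLong/homeLat are assumptions.

```python
"""Find coordinates stored in the clear in an app's user-defaults plist.

Added example, not from the slides. plistlib handles both the XML form shown on
the slide and Apple's binary form, so the same scan works on a file pulled from a
device's Library/Preferences directory.
"""
import plistlib
import re
from typing import Any, List, Tuple

# Deliberately loose: 'homeLat', 'lastLongitude' and 'lng' all match. A false
# positive costs a glance during an audit; a missed coordinate costs a lot more.
COORD_KEY = re.compile(r"lat|lon|lng", re.IGNORECASE)


def find_coordinates(node: Any, path: Tuple[str, ...] = ()) -> List[Tuple[str, float]]:
    """Walk a parsed plist; return (key path, value) for coordinate-looking numbers."""
    hits: List[Tuple[str, float]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_coordinates(value, path + (str(key),)))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_coordinates(value, path + (f"[{i}]",)))
    elif isinstance(node, (int, float)) and not isinstance(node, bool):
        key = path[-1] if path else ""
        # a number under a lat/lon-ish key, inside the range a coordinate can take
        if COORD_KEY.search(key) and -180.0 <= float(node) <= 180.0:
            hits.append(("/".join(path), float(node)))
    return hits


def scan_plist(data: bytes) -> List[Tuple[str, float]]:
    """Parse XML or binary plist bytes and return the coordinate findings in file order."""
    return find_coordinates(plistlib.loads(data))


# Constructed sample mirroring the slide's 'geoInfo' dictionary (extra keys assumed).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>geoInfo</key>
    <dict>
        <key>homeLong</key>
        <real>73.242539</real>
        <key>homeLat</key>
        <real>34.169308</real>
        <key>lastSeen</key>
        <string>2014-08-01</string>
    </dict>
    <key>launchCount</key>
    <integer>42</integer>
    <key>theme</key>
    <string>dark</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    for key_path, value in scan_plist(SAMPLE_PLIST):
        print(f"unprotected coordinate at {key_path}: {value}")
```

Run it against the real file pulled from the app's sandbox; anything it prints is a value that survives a device backup or a lost phone in the clear, and is the data the NSLog check above should show as something stronger than NSFileProtectionNone.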
don’t trust geolocation from the client
LOCATION SPOOFING
location spoofing
be careful if you do this!
explicitly trust client-side geo
allow client’s (device’s) location to rapidly change
}
user auth
access to ‘relative’ data
find such bugs by manipulating reported geo
LOCATION SPOOFING
edit to spoof geo!
editing network dataz
cycript (runtime manipulations)
location spoofing apps (from Cydia)
or
do apps really need precision to 12 decimal places?!
OVER PRECISE LOCATION
over precise location
treat with care!
collect geolocation as precise as possible
long: 73.242539906632…
~1km ~1m ~1mm
don’t specify a ‘desired accuracy’
(iOS defaults to highest)
sniffing (network or file I/O) or look at disassembly
OVER PRECISE LOCATION
    //create instance of location manager
    let locationManager = CLLocationManager()

    //set ‘desired accuracy’
    locationManager.desiredAccuracy = kCLLocationAccuracyBest;

    MOV     R4, #(_kCLLocationAccuracyBest_ptr - 0xACD8)
    ADD     R4, PC, R4                              ; _kCLLocationAccuracyBest_ptr
    LDR     R4, [R4]                                ; _kCLLocationAccuracyBest
    VLDR    D16, [R4]
    VMOV    R2, R3, D16                             ; R2 contains _kCLLocationAccuracyBest
    LDR     R1, [SP,#0xF8+selRef_setDesiredAccuracy]
    LDR     R1, [R1]                                ; R1 contains selRef_setDesiredAccuracy
                                                    ;R0 has locationManager object
    LDR     R9, [SP,#0xF8+objc_msgSend]             ; __imp__objc_msgSend
    ; objc_msgSend(locationManager, “setDesiredAccuracy”, _kCLLocationAccuracyBest);
    BLX     R9
IDA disassembly
setting ‘desired accuracy'
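Each of the three IDA listings above (the setAllowsAnyHTTPSCertificate:forHost: call, the NSUserDefaults write, the setDesiredAccuracy call) can be spotted before a disassembler is opened, because Objective-C selector names and CoreLocation constants survive as plain strings in the decrypted binary. The following is an added example (not the slides' or Synack's tooling) that does that first pass with the Python stdlib, the way `strings` plus grep would; SAMPLE_BINARY is a constructed stand-in for a Mach-O and the severities in the ruleset are the editor's assumptions.

```python
"""Static audit of an app binary for the risky indicators reviewed in the slides.

Added example, not code from the slides or any vendor. It pulls printable runs out
of the binary's bytes and matches them against a small ruleset; the selector and
constants are the ones seen in the disassembly, "http://" catches cleartext
endpoints, and standardUserDefaults is reported as informational (check what is
stored there, as the plist slide shows).
"""
import re
from typing import Dict, List

# indicator -> (what it suggests, severity)
RULES: Dict[bytes, tuple] = {
    b"setAllowsAnyHTTPSCertificate:forHost:": ("accepts any HTTPS certificate", "high"),
    b"NSFileProtectionNone": ("file written without data protection", "high"),
    b"kCLLocationAccuracyBestForNavigation": ("requests highest location precision", "medium"),
    b"kCLLocationAccuracyBest": ("requests highest location precision", "medium"),
    b"http://": ("cleartext HTTP endpoint", "medium"),
    b"standardUserDefaults": ("uses NSUserDefaults; review what it stores", "info"),
}
# longest indicator first, so ...AccuracyBest does not shadow ...AccuracyBestForNavigation
_RULES_LONGEST_FIRST = sorted(RULES.items(), key=lambda kv: -len(kv[0]))
_SEVERITY_RANK = {"high": 3, "medium": 2, "info": 1, "none": 0}


def extract_strings(blob: bytes, min_len: int = 6) -> List[bytes]:
    """Printable-ASCII runs of at least min_len bytes, i.e. what `strings` prints."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def audit_binary(blob: bytes) -> List[Dict[str, str]]:
    """One finding per extracted string that contains a ruleset indicator."""
    findings: List[Dict[str, str]] = []
    for s in extract_strings(blob):
        for indicator, (what, severity) in _RULES_LONGEST_FIRST:
            if indicator in s:
                findings.append({"indicator": indicator.decode(), "finding": what,
                                 "severity": severity, "context": s.decode()})
                break
    return findings


def worst_severity(findings: List[Dict[str, str]]) -> str:
    """Highest severity present, or 'none' for a clean binary."""
    return max((f["severity"] for f in findings), key=_SEVERITY_RANK.get, default="none")


# Constructed stand-in for a Mach-O: NUL-separated strings as in __objc_methname/__cstring.
SAMPLE_BINARY = b"\x00".join([
    b"\xcf\xfa\xed\xfe",                          # Mach-O magic, not printable
    b"setAllowsAnyHTTPSCertificate:forHost:",     # selector from the NSURLRequest listing
    b"standardUserDefaults",
    b"http://api.example.test/v1/location",       # constructed cleartext endpoint
    b"kCLLocationAccuracyBest",
    b"kCLLocationAccuracyHundredMeters",          # benign; must not be flagged
    b"NSFileProtectionNone",
])

if __name__ == "__main__":
    found = audit_binary(SAMPLE_BINARY)
    for f in found:
        print(f"[{f['severity']}] {f['finding']}: {f['context']}")
    print("worst:", worst_severity(found))
```

A hit only says the string is present, not that the code path runs; it tells you where to point IDA, which is exactly the order the slides follow (string, cross-reference, disassembly).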
unprotected APIs may provide geo
INSECURE SERVER-SIDE APIS
insecure server-side APIs
assume undocumented APIs are hidden
allow unlimited (un-throttled) queries
provide unrestricted geo
all bad assumptions/ideas!
allow unauthorized queries
sniffing network traffic often reveals undocumented API
INSECURE SERVER-SIDE APIS
holy $#!@, did we just find Carmen Sandiego!? ;)
intercepted outgoing request modified request
changed user
what lurks below?
USER-INTERFACE
user interface
assume the UI is ‘secure’
implement client-side protection (in the UI)
all bad assumptions/ideas!
ignore user settings
don’t enforce anything at the UI level
USER INTERFACE
OR
}
ui settings ignored!
ui level logic (e.g. precision rounding)
client location still sent to server
precise geolocation (of other users)
sent to device
buggy apps that compromised a user’s physical location
EXAMPLE OF GEO BUGS
starbucks whisper
angry birds
grindr
tinder
case-study
overpriced coffee, plus a shot of geo tracking
STARBUCKS
[CVE-2014-0647] Insecure Data Storage of User Data in Starbucks v2.6.1 iOS mobile application (Daniel Wood)
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
“[unencrypted] geolocation data included alongside
username and password data, meaning that hackers can
potentially see where a user most often traveled if they
were to access the phone”
“the safest place on the internet” - NOPE
WHISPER
users monitored/tracked
(even if opt’d out)
geo stored ‘indefinitely’
shared with the DOD
“Revealed: how Whisper app tracks ‘anonymous’ users”
-the guardian
precise geo of nearby users, allowed tracking
TINDER
tinder user trilateration (blog.includesecurity.com)
main_photo_url = photos[0]['url']
matches
‘tinderizer’
facebook profiles
…‘they’ are watching you play
ANGRY BIRDS
“the ABC have been developing capabilities to
take advantage of "leaky" smartphone apps,
such as the wildly popular Angry Birds game,
that transmit users' private information [geo]” 

-the guardian
Case Study - Grindr
many, many #$&@ up’s
(all-male) social-dating app
WHAT’S GRINDR?
“the largest and most popular all-male location-based
social network out there. more than 5 million guys in 192
countries around the world -- and approximately 10,000
more new users downloading the app every day” 

-grindr.com
all about geo
extremely popular
targeted group
Those who cannot learn from history are doomed to repeat it
GRINDR’S PREVIOUS ISSUES
2012: “Love online: 100,000 Grindr
users exposed in hack attack” 

-sydney morning herald
2013: Grindr Application Security
Evaluation Report 

-university of amsterdam
2014: “Grindr fails to protect user's”

-anonymous (pastebin)
2014: Grindr Application Analysis
-synack
“0 Feet Away”
GRINDR (CASE STUDY)
lack of SSL pinning
overly precise geo
location spoofing
overly permissible APIs
broken ui level logic
sharing geo
client side precision
yes, so much wrong!
the app does not pin its certs
BUG 0X1: LACK OF SSL PINNING
login info
user geolocation
the app reported (overly) precise relative distances
BUG 0X2: REPORTING OF PRECISE GEO
primus.grindr.com
POST /2.0/nearbyProfiles
    {"status": 1, "distance": 3.861290174942267,
     "relationshipStatus": 1, "displayName": "Waldo",
     "isFavorite": false, "showDistance": true,
     "height": 187.960006713867, "profileId": 12345678, …}
response
3.861290174942267 km away
even newer versions may reveal precise location
BUG 0X2: REPORTING OF PRECISE GEO
    //create instance of location manager
    let locationManager = CLLocationManager()

    //set ‘desired accuracy’
    locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters;
10 meter location reporting
office
can spoof your location…as much as you want
BUG 0X3: LOCATION SPOOFING
geolocation coordinates for
locating ‘nearby’ users
change these at will!
trilateration?
unauthenticated, unlimited access to APIs
BUG 0X4: WIDE-OPEN APIS
    {
      "filter": {
        "page": 1,
        "quantity": 50
      },
      "lat": <any lat>,
      "lon": <any lon>
    }
primus.grindr.com
POST /2.0/nearbyProfiles
name, height, weight, relative distance
request for users’ info
user info
what you see/say isn’t what you get
BUG 0X5: ‘BROKEN’ UI LEVEL LOGIC
OR
}
    if !showDistance
    {
        hide distance
    }

+ settings
+ settings
UI level logic
srsly? wtf!
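The fixes for bugs 0x2 through 0x5 all belong on the server, because anything enforced in the UI or the app can be edited out of the request, as the modified-request slides show. The following is an added example (not Grindr's or Synack's code) of a nearbyProfiles handler that enforces them server-side; NearbyService, the session table, the half-kilometre distance bucket and the 300 km/h plausibility cap are the editor's assumptions, and the sample users are constructed.

```python
"""Hardened handler for a 'nearby profiles' endpoint (added example).

Callers must be authenticated and are rate-limited (bug 0x4), a client-reported
fix is rejected if it implies impossible travel since the last one (bug 0x3),
each user's showDistance setting is honoured when the response is built, not in
the UI (bug 0x5), and distance is coarsened before it leaves the server (bug 0x2).
"""
import math
from collections import deque
from typing import Dict, Tuple

EARTH_RADIUS_KM = 6371.0088
DISTANCE_BUCKET_KM = 0.5   # assumption: distances reported in half-km steps
MAX_SPEED_KMH = 300.0      # assumption: plausibility cap between consecutive fixes


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def coarsen_distance(km: float) -> float:
    """Round *up* to the bucket, so a 0.49 km neighbour is never reported as 0 km."""
    return math.ceil(km / DISTANCE_BUCKET_KM) * DISTANCE_BUCKET_KM


class RateLimiter:
    """Sliding-window limiter keyed by caller."""

    def __init__(self, max_calls: int, window_s: float):
        self.max_calls, self.window_s = max_calls, window_s
        self.calls: Dict[int, deque] = {}

    def allow(self, key: int, now: float) -> bool:
        q = self.calls.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


class NearbyService:
    def __init__(self, sessions: Dict[str, int], profiles: Dict[int, dict], limiter: RateLimiter):
        self.sessions = sessions   # session token -> profileId (assumed session store)
        self.profiles = profiles   # profileId -> profile record
        self.limiter = limiter
        self.last_fix: Dict[int, Tuple[float, float, float]] = {}   # uid -> (lat, lon, ts)

    def _plausible(self, uid: int, lat: float, lon: float, now: float) -> Tuple[bool, str]:
        """The server cannot verify a fix, but it can refuse impossible movement."""
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            return False, "coordinates out of range"
        prev = self.last_fix.get(uid)
        if prev is not None:
            plat, plon, pts = prev
            hours = (now - pts) / 3600.0
            if hours <= 0:
                return False, "timestamp not after previous fix"
            speed = haversine_km(plat, plon, lat, lon) / hours
            if speed > MAX_SPEED_KMH:
                return False, f"implied speed {speed:.0f} km/h exceeds cap"
        return True, "ok"

    def nearby(self, token: str, lat: float, lon: float, now: float, limit: int = 50) -> dict:
        uid = self.sessions.get(token)
        if uid is None:
            return {"error": "unauthenticated"}
        if not self.limiter.allow(uid, now):          # a rejected fix still costs a slot
            return {"error": "rate limited"}
        ok, why = self._plausible(uid, lat, lon, now)
        if not ok:
            return {"error": f"rejected location: {why}"}
        self.last_fix[uid] = (lat, lon, now)
        out = []
        for pid, p in self.profiles.items():
            if pid == uid:
                continue
            entry = {"profileId": pid, "displayName": p["displayName"]}
            if p["showDistance"]:                      # the server, not the UI, decides
                entry["distance"] = coarsen_distance(haversine_km(lat, lon, p["lat"], p["lon"]))
            out.append(entry)                          # raw lat/lon of others never leaves
        out.sort(key=lambda e: e.get("distance", math.inf))
        return {"profiles": out[:limit]}


# Constructed sample data for the demo (names and coordinates are made up).
SESSIONS = {"tok-waldo": 314159265}
PROFILES = {
    314159265: {"displayName": "Waldo", "lat": 37.7749, "lon": -122.4194, "showDistance": True},
    1: {"displayName": "Alice", "lat": 37.7849, "lon": -122.4194, "showDistance": True},
    2: {"displayName": "Bob", "lat": 37.7749, "lon": -122.4094, "showDistance": False},
}

if __name__ == "__main__":
    svc = NearbyService(SESSIONS, PROFILES, RateLimiter(max_calls=2, window_s=60.0))
    print(svc.nearby("tok-waldo", 37.7749, -122.4194, now=0.0))
    print(svc.nearby("tok-waldo", 40.7128, -74.0060, now=30.0))   # jump to NYC in 30 s: rejected
    print(svc.nearby("tok-waldo", 37.7749, -122.4194, now=31.0))  # third call in 60 s: limited
```

Coarsening the distance on its own is a weak defence, since a caller who can move the query point freely still learns something from every answer; that is why the authentication, the rate limit and the implausible-movement check live in the same handler rather than being left to the client. A per-user random offset or a minimum reported distance would tighten it further.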
our goal was to help Grindr understand the issues
DISCLAIMER
during vulnerability research and disclosure no individual
users were intentionally or unintentionally identified
all data logged has been irrecoverably destroyed.
The purpose of this research was not to identify Grindr
users but to help protect those that wish to remain private.
combining bugs can lead to “total tracking”
IT'S MORPHIN' TIME
wide-open APIs
precise relative geo
location spoofing
+
+
=
tracking of any user
anywhere!
query the APIs to get info about all ‘nearby’ users
COLLECTION DATAZ
    $ python collectInfo.py -o output.json
      [+] sent request to: primus.grindr.com
          POST /2.0/nearbyProfiles
      [+] saving response (50 users)
    $ less output.json
      "profiles": [{
              "profileId": 314159265,
              "displayName": "Waldo",
              "aboutMe": "Where am I?",
              "distance": 0.4980983433684
       },
       ...
request
response
determine absolute location from relative distances
TRILATERATION
“trilateration is the process of determining absolute
locations by measurement of (relative) distances, using
the geometry of circles, spheres or triangles.”
    $ python findUser.py -i 314159265
    [+] making query 1, 2, 3
        got three relative distances
    [+] converting geodetic lat/long to ECEF
    [+] transforming
        circle 1 at origin, circle 2 on x axis, etc
    [+] generating array with ECEF x,y,z
    [+] converting ECEF back to lat/long
    [+] user is at: 73.242539906632, 34.169308121551
trilateration script
so let’s map some users
USER LOCATION
San Francisco
Sochi (olympics)
stores
capitols
so let’s track some willing users
USER TRACKING
your life; revealed
it’d be trivial to reveal anonymous users’ identities
IDENTIFYING USERS
picture
geo tracking
from profile name
home work
} revealed!
…didn’t care :/
REPORTING TO GRINDR
early 2014 - initial disclosure to vendor
followups included
conference calls, technical write-ups, & POCs
didn’t fix anything
“we do not view this as a security flaw”

-grindr.com/blog/grindr-security
…sadly it came to this to get (some) fixes
CAT GOT OUT OF THE BAG
“Egyptian officials have resorted to using location-
based dating app Grindr to arrest gay men"
“Grindr fails to protect their user’s” -
anonymous (pastebin)
people’s lives affected :(
fixes & current issues
GRINDR RESPONSE
}
user’s settings respected
geofencing (in Egypt, etc.)
geolocation
kCLLocationAccuracyNearestTenMeters
}
no SSL pinning, open APIs, spoofing
still can track
most users!
no rate limiting
Fixes/Conclusions
for users and devs alike
for users and app developers alike
BEST PRACTICES
assume you can be tracked
disallow tracking at the OS level
user
developer
secure comms
secure local storage
protected APIs
non-precise geo
correct UI logic
}
where’s waldo?!
QUESTIONS & ANSWERS
colby@synack.com
@colbymoore
syn.ac/appSecCaGeo
…feel free to contact us any time!
credits
- thezooom.com
- deviantart.com (FreshFarhan)
- nicolevanputten.com
- http://agentfox.deviantart.com/art/chuck-Norris-hunting-waldo-42939561
- http://fc09.deviantart.net/fs70/f/2010/154/3/9/Waldo_by_MattMelvin.jpg
- http://th05.deviantart.net/fs71/PRE/i/2013/250/c/c/where_s_waldo_by_katanauser98-d6lgepy.png 

- iconmonstr.com
- flaticon.com
images

 
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache CordovaHazem Saleh
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.Josh Hillier
 
Average- An android project
Average- An android projectAverage- An android project
Average- An android projectIpsit Dash
 
Automated infrastructure is on the menu
Automated infrastructure is on the menuAutomated infrastructure is on the menu
Automated infrastructure is on the menujtimberman
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesChris Bailey
 

Semelhante a Geo Bugs May Leak User Location (20)

Running Django on Docker: a workflow and code
Running Django on Docker: a workflow and codeRunning Django on Docker: a workflow and code
Running Django on Docker: a workflow and code
 
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
 	Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W... 	Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ -  Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ -  Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
Introduction to Apache Cordova (Phonegap)
Introduction to Apache Cordova (Phonegap)Introduction to Apache Cordova (Phonegap)
Introduction to Apache Cordova (Phonegap)
 
How to use geolocation in react native apps
How to use geolocation in react native appsHow to use geolocation in react native apps
How to use geolocation in react native apps
 
LUMIA APP LABS: HERE MAPS AND LOCATION APIS FOR WINDOWS PHONE
LUMIA APP LABS: HERE MAPS AND LOCATION APIS FOR WINDOWS PHONELUMIA APP LABS: HERE MAPS AND LOCATION APIS FOR WINDOWS PHONE
LUMIA APP LABS: HERE MAPS AND LOCATION APIS FOR WINDOWS PHONE
 
Docker In Bank Unrated
Docker In Bank UnratedDocker In Bank Unrated
Docker In Bank Unrated
 
Phone Gap
Phone GapPhone Gap
Phone Gap
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101
 
Everything About Bluetooth (淺談藍牙 4.0) - Central 篇
Everything About Bluetooth (淺談藍牙 4.0) - Central 篇Everything About Bluetooth (淺談藍牙 4.0) - Central 篇
Everything About Bluetooth (淺談藍牙 4.0) - Central 篇
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile apps
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
 
Android Things in action
Android Things in actionAndroid Things in action
Android Things in action
 
WebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla LondonWebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla London
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js Applications
 
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.
 
Average- An android project
Average- An android projectAverage- An android project
Average- An android project
 
Automated infrastructure is on the menu
Automated infrastructure is on the menuAutomated infrastructure is on the menu
Automated infrastructure is on the menu
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
 

Geo Bugs May Leak User Location

  • 2. ABOUT (Synack): “sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints.” Vetted researchers, internal R&D, backed by Google. Always looking for more experts! @colbymoore /VRL /SYNACK
  • 3. AN OUTLINE: geolocation bugs, hacks, & fixes. All things geo (code, bugs); case study (lots of bugs, tracking users); fixes/conclusions.
  • 5. GEOLOCATION IN MOBILE APPS: incorporating geolocation is the norm. 74% of smart phone users get info based on their phone’s current location (Use Geo vs. No Geo); “84% inquire about location”. Uses: social, recommendations, tracking, health & fitness, commerce, navigation.
  • 6. HOW IS GEOLOCATION ACCOMPLISHED (IOS)? Using the Core Location Manager: create, delegate, start, wait/handle. “The CLLocationManager class is the central point for configuring the delivery of location-related events to your app.” (apple.com)
  • 7. GEOLOCATION (IOS): ‘doing it’ in Swift

    //required framework
    import CoreLocation

    //conform to CLLocationManagerDelegate
    class ViewController: UIViewController, CLLocationManagerDelegate {

        //[1] CREATE (instance of) location manager
        let locationManager = CLLocationManager()

        //app delegate function
        override func viewDidLoad() {
            super.viewDidLoad()

            //[2] set DELEGATE
            self.locationManager.delegate = self

            //request auth
            self.locationManager.requestWhenInUseAuthorization()

            //[3] START collecting location
            self.locationManager.startUpdatingLocation()
        }

        //[4] WAIT/HANDLE, delegate (callback) function
        func locationManager(manager: CLLocationManager!, didUpdateLocations locations: [AnyObject]!) {
            //do whateverz
            // -> user’s location is in manager.location.coordinate.(longitude/latitude)
        }
    }
  • 8. GEOLOCATION (I)OS LEVEL PROTECTIONS: os-level alerts. The app’s Info.plist key NSLocationWhenInUseUsageDescription holds the text of the iOS alert; code for the auth request:

    //request auth for foreground
    self.locationManager.requestWhenInUseAuthorization()

    “allow the app to get location updates only when the app is in the foreground”
  • 9. GEOLOCATION (I)OS LEVEL PROTECTIONS: os-level alerts. The app’s Info.plist key NSLocationAlwaysUsageDescription holds the text of the iOS alert; code for the auth request:

    //request auth for foreground and background
    self.locationManager.requestAlwaysAuthorization()

    “allows the app to receive location updates both when the app is in the foreground and in the background (suspended or terminated)”
  • 10. GEO CAN ‘LEAK’ IF THE APPLICATION IS BUGGY: …bad for users! Interested parties: “the government”, hackers, thieves, criminals. “spies could be lurking to snatch data revealing the [app] player’s location” -nytimes.com
  • 11. THEY KNOW YOUR LOCATION: …so what!?
    “investigators said the suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time” -thieves robbed homes based on facebook [3]
    “a [geo]location allows perpetrators the perfect window to commit a burglary, vandalism, or even a home invasion” -criminal use of social media [2]
    “[geolocation] generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations” -u.s. v. jones [1]
    1) http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol
    2) http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
    3) http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116
  • 12. COMMON CLASSES OF GEO BUGZ (each can compromise a user’s physical location): insecure network comms; insecure local storage; location spoofing; buggy server-side APIs; overly precise location; UI errors/validation.
  • 13. INSECURE NETWORK COMMS: may allow passive attackers access to geo. Apps that use unencrypted comms, allow self-signed certificates, or forget to pin certificates. Do not do these things!
  • 14. INSECURE NETWORK COMMS: find such bugs with a proxy. Device config and proxy (burp) config; the device speaks https:// to the proxy, which speaks https:// or http:// onward.
  • 15. INSECURE NETWORK COMMS: does the app accept self-signed certificates? Class method allowing a self-signed certificate (iOS): setAllowsAnyHTTPSCertificate:forHost:

    MOVT  R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
    ADD   R8, PC   ; classRef_NSURLRequest
    MOV   R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
    ADD   R2, PC
    LDR   R4, [R2]       ;"setAllowsAnyHTTPSCertificate:forHost:"
    LDR   R5, [R8]       ;_OBJC_CLASS_$_NSURLRequest
    MOV   R0, R5         ;_OBJC_CLASS_$_NSURLRequest
    MOV   R1, R4         ;"setAllowsAnyHTTPSCertificate:forHost:"
    MOVS  R2, #1         ;’YES’
    MOV   R3, R8         ; the host
    BLX   _objc_msgSend  ; invoke method
  • 16. INSECURE NETWORK COMMS: did the app forget to pin certificates? On a non-jailbroken device, a hacker’s cert can MitM the connection. “SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers”
  • 17. INSECURE LOCAL STORAGE: stolen or lost phones may compromise a user’s geo. Storing location in unencrypted files (plists, logfiles, databases) is, again, bad!
  • 18. INSECURE LOCAL STORAGE: find such bugs with filemon & fileDP. Display a file’s protection attributes (iOS):

    //dump file attributes
    NSLog(@"attrs: %@", [[[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil] objectForKey:NSFileProtectionKey]);

    Monitoring the app’s file I/O:

    # ./filemon
    Wheres_Waldo Created  /Application Support/analytics/location.db-journal  DEV: 1,3 INODE: 121171 MODE: 81a4 UID: 501 GID: 501 Arg64: 300649589561
    Wheres_Waldo Renamed  /Preferences/lastKnownLocation.plist.l0mitdo  DEV: 1,3 INODE: 121172 MODE: 8180 UID: 501 GID: 501
  • 19. INSECURE LOCAL STORAGE: on iOS, always check the user’s default plist. App’s IDA disassembly:

    MOV  R1, #(selRef_standardUserDefaults-0x5917A)
    ADD  R1, PC
    LDR  R1, [R1]       ;"standardUserDefaults"
    MOV  R0, #(classRef_NSUserDefaults-0x591A2)
    ADD  R0, PC
    LDR  R0, [R0]       ;_OBJC_CLASS_$_NSUserDefaults
    BLX  _objc_msgSend  ;[NSUserDefaults standardUserDefaults]
    MOV  R3, #(cfstr_geoInfo-0x591D6)
    ADD  R3, PC         ;"geoInfo"
    LDR  R2, [SP,#0xB4+usersGeo]  ;geo data
    MOV  R1, #(selRef_setObject_forKey_-0x591D6)
    ADD  R1, PC
    LDR  R1, [R1]       ;"setObject:forKey:"
    BLX  _objc_msgSend  ;[userDefaults setObject: forKey:]

    App’s ‘User Defaults’ plist, in the app’s /Library/Preferences/ with NSFileProtectionNone:

    <dict>
        <key>geoInfo</key>
        <dict>
            <key>homeLong</key>
            <real>73.242539</real>
            <key>homeLat</key>
            <real>34.169308</real>
            ...
        </dict>
    </dict>
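The manual check recommended above (open the app’s user-defaults plist and look for location data) can be automated during an assessment of your own app. The following is an added example, not code from the talk: it parses an exported plist with the standard library and flags leaves whose key names or values look like coordinates. The sample plist is constructed here, modelled on the one shown above with two extra entries, and the key-name hints are a heuristic chosen for this example.

```python
# Added example (not from the talk): audit an exported NSUserDefaults-style
# plist for location data. SAMPLE_PLIST is constructed for illustration.
import plistlib
from typing import Any, Iterator, List, Tuple

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>geoInfo</key>
    <dict>
        <key>homeLong</key>
        <real>73.242539</real>
        <key>homeLat</key>
        <real>34.169308</real>
        <key>lastSeen</key>
        <string>34.169308,73.242539</string>
    </dict>
    <key>cachedQuery</key>
    <string>37.7749,-122.4194</string>
    <key>themeVersion</key>
    <real>2.5</real>
</dict>
</plist>
"""

# Heuristic substrings that suggest a key holds location data (assumption).
GEO_KEY_HINTS = ("lat", "lon", "lng", "geo", "coord", "location")


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (path, value) for every leaf of a parsed plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def looks_like_coordinate_pair(text: str) -> bool:
    """True for strings of the form 'lat,lon' with values in range."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 2:
        return False
    try:
        lat, lon = float(parts[0]), float(parts[1])
    except ValueError:
        return False
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def find_geo_leaks(plist_bytes: bytes) -> List[Tuple[str, Any, str]]:
    """Return (path, value, reason) for every leaf that looks like location data."""
    findings = []
    for path, value in walk(plistlib.loads(plist_bytes)):
        leaf_key = path.rsplit("/", 1)[-1].lower()
        if any(hint in leaf_key for hint in GEO_KEY_HINTS):
            findings.append((path, value, "key name suggests location"))
        elif isinstance(value, str) and looks_like_coordinate_pair(value):
            findings.append((path, value, "value is a lat,lon pair"))
    return findings


if __name__ == "__main__":
    for path, value, reason in find_geo_leaks(SAMPLE_PLIST):
        print(f"{path}: {value!r} ({reason})")
```

Run it against a plist pulled from the app container with `plistlib` handling both XML and binary plists; a non-empty result under a file with NSFileProtectionNone is exactly the condition slide 19 describes. The key-name hints will produce false positives (any key containing "lat" or "lon"), which is acceptable for a review aid that a human reads.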
  • 20. LOCATION SPOOFING: don’t trust geolocation from the client. Be careful if you do this! Apps that explicitly trust client-side geo, or allow the client’s (device’s) location to rapidly change, and use it for user auth or access to ‘relative’ data.
  • 21. LOCATION SPOOFING: find such bugs by manipulating reported geo. Edit network dataz, use cycript (runtime manipulations), or location spoofing apps (from Cydia). Edit to spoof geo!
  • 22. OVER PRECISE LOCATION: do apps really need precision to 12 decimal places?! Treat with care! Apps that collect geolocation as precise as possible (long: 73.242539906632…, where successive decimal places resolve ~1km, ~1m, ~1mm) or don’t specify a ‘desired accuracy’ (iOS defaults to highest).
  • 23. OVER PRECISE LOCATION: sniffing (network or file I/O), or look at the disassembly. Setting ‘desired accuracy’:

    //create instance of location manager
    let locationManager = CLLocationManager()
    //set ‘desired accuracy’
    locationManager.desiredAccuracy = kCLLocationAccuracyBest

    IDA disassembly:

    MOV   R4, #(_kCLLocationAccuracyBest_ptr - 0xACD8)
    ADD   R4, PC, R4                     ; _kCLLocationAccuracyBest_ptr
    LDR   R4, [R4]                       ; _kCLLocationAccuracyBest
    VLDR  D16, [R4]
    VMOV  R2, R3, D16                    ; R2 contains _kCLLocationAccuracyBest
    LDR   R1, [SP,#0xF8+selRef_setDesiredAccuracy]
    LDR   R1, [R1]                       ; R1 contains selRef_setDesiredAccuracy
                                         ; R0 has locationManager object
    LDR   R9, [SP,#0xF8+objc_msgSend]    ; __imp__objc_msgSend
    ; objc_msgSend(locationManager, “setDesiredAccuracy”, _kCLLocationAccuracyBest);
    BLX   R9
  • 24. INSECURE SERVER-SIDE APIS: unprotected APIs may provide geo. Bad assumptions/ideas: assume undocumented APIs are hidden; allow unauthorized queries; allow unlimited (un-throttled) queries; provide unrestricted geo. All bad!
  • 25. INSECURE SERVER-SIDE APIS: sniffing network traffic often reveals undocumented APIs. Intercepted outgoing request → modified request (changed user). holy $#!@, did we just find Carmen Sandiego!? ;)
  • 26. USER-INTERFACE: what lurks below? Bad assumptions/ideas: assume the UI is ‘secure’; implement client-side protection (in the UI); ignore user settings.
  • 27. USER INTERFACE: don’t enforce anything at the UI level. Either the UI settings are simply ignored, or the UI level logic (e.g. precision rounding) runs while the client location is still sent to the server and the precise geolocation (of other users) is still sent to the device.
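The server-side counterpart to the spoofing, precision, API and UI classes above (and to bugs 0x2 through 0x5 in the case study that follows), as an added example that is not code from the talk or from any vendor it names: a hypothetical nearby-profiles handler that authenticates and throttles callers, sanity-checks the client-reported position instead of trusting it, honours each user’s showDistance setting on the server rather than in the UI, and reports distances only as coarse buckets. All names (NearbyService, Profile, ClientState), the sample users around San Francisco, the session token and the thresholds are constructed for illustration.

```python
# Added example (not from the talk or any vendor it names): server-side
# hardening of a hypothetical "nearby profiles" endpoint. All names, sample
# users and thresholds are constructed for illustration.
from dataclasses import dataclass
from math import asin, ceil, cos, radians, sin, sqrt
from typing import Dict, List, Optional

EARTH_RADIUS_KM = 6371.0


def coordinate_resolution_m(decimals: int) -> float:
    """Approximate ground distance (metres) resolved by the last kept decimal
    place of a latitude: 2 decimals ~1 km, 5 ~1 m, 8 ~1 mm."""
    return 111_320.0 / 10 ** decimals


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points on a spherical Earth."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def bucket_distance_km(d_km: float, step_km: float = 0.5) -> float:
    """Report a distance as a coarse bucket, rounded up and never zero, so the
    API never says "0 feet away" or hands out a raw floating-point distance."""
    return max(1, ceil(d_km / step_km)) * step_km


@dataclass
class Profile:
    profile_id: int
    display_name: str
    lat: float
    lon: float
    show_distance: bool  # the user's own privacy setting


@dataclass
class ClientState:
    window_start: float = 0.0
    count: int = 0
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_ts: float = 0.0


class NearbyService:
    def __init__(self, profiles: List[Profile], tokens: Dict[str, int],
                 max_requests: int = 30, window_s: float = 60.0,
                 max_speed_kmh: float = 900.0, bucket_km: float = 0.5):
        self.profiles = profiles
        self.tokens = tokens              # session token -> profile_id
        self.max_requests = max_requests  # per account per window
        self.window_s = window_s
        self.max_speed_kmh = max_speed_kmh  # faster than this is a spoofed jump
        self.bucket_km = bucket_km
        self.clients: Dict[int, ClientState] = {}

    def nearby(self, token: str, lat: float, lon: float, now: float,
               quantity: int = 50) -> dict:
        # 1. Authenticate: no anonymous queries against the API.
        if token not in self.tokens:
            return {"status": 401, "error": "unauthorized"}
        user_id = self.tokens[token]
        st = self.clients.setdefault(user_id, ClientState())
        # 2. Throttle: fixed window per account, counted before any work.
        if now - st.window_start >= self.window_s:
            st.window_start, st.count = now, 0
        st.count += 1
        if st.count > self.max_requests:
            return {"status": 429, "error": "rate limited"}
        # 3. Sanity-check the client-supplied position instead of trusting it.
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            return {"status": 400, "error": "bad coordinates"}
        if st.last_lat is not None:
            moved_km = haversine_km(st.last_lat, st.last_lon, lat, lon)
            dt_h = max(now - st.last_ts, 0.0) / 3600.0
            if moved_km > self.max_speed_kmh * dt_h:
                return {"status": 400, "error": "implausible location change"}
        st.last_lat, st.last_lon, st.last_ts = lat, lon, now
        # 4. Build the response: honour showDistance here, not in the UI,
        #    and only ever emit bucketed distances.
        others = [p for p in self.profiles if p.profile_id != user_id]
        others.sort(key=lambda p: haversine_km(lat, lon, p.lat, p.lon))
        out = []
        for p in others[:quantity]:
            entry = {"profileId": p.profile_id, "displayName": p.display_name}
            if p.show_distance:
                entry["distance"] = bucket_distance_km(
                    haversine_km(lat, lon, p.lat, p.lon), self.bucket_km)
            out.append(entry)
        return {"status": 200, "profiles": out}


# Constructed sample data: three profiles around San Francisco.
SAMPLE_PROFILES = [
    Profile(1001, "alice", 37.7749, -122.4194, show_distance=True),
    Profile(1002, "bob", 37.7849, -122.4194, show_distance=True),
    Profile(1003, "carol", 37.8049, -122.4394, show_distance=False),
]
SAMPLE_TOKENS = {"tok-alice": 1001}  # constructed session token


def demo_service(max_requests: int = 30) -> NearbyService:
    return NearbyService(SAMPLE_PROFILES, SAMPLE_TOKENS, max_requests=max_requests)


if __name__ == "__main__":
    print(demo_service().nearby("tok-alice", 37.7749, -122.4194, now=0.0))
```

The four checks are layers, not alternatives: bucketing alone still leaks at bucket boundaries to a caller who can move freely and query without limit, which is why the throttle and the movement check sit in front of it, and why the showDistance decision is made where the data is produced rather than where it is displayed.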
  • 28. EXAMPLE OF GEO BUGS: buggy apps that compromised a user’s physical location: starbucks, whisper, angry birds, tinder, and grindr (case-study).
  • 29. STARBUCKS: overpriced coffee, plus a shot of geo tracking. [CVE-2014-0647] Insecure Data Storage of User Data in Starbucks v2.6.1 iOS mobile application (Daniel Wood): /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog. “[unencrypted] geolocation data included alongside username and password data, meaning that hackers can potentially see where a user most often traveled if they were to access the phone”
  • 30. WHISPER: “the safest place on the internet” - NOPE. Users monitored/tracked (even if opt’d out); geo stored ‘indefinitely’; shared with the DOD. “Revealed: how Whisper app tracks ‘anonymous’ users” -the guardian
  • 31. TINDER: precise geo of nearby users allowed tracking. Tinder user trilateration (blog.includesecurity.com); main_photo_url = photos[0]['url'] matches ‘tinderizer’ facebook profiles.
  • 32. ANGRY BIRDS: …‘they’ are watching you play. “the ABC have been developing capabilities to take advantage of "leaky" smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information [geo]” -the guardian
  • 33. CASE STUDY - GRINDR: many, many #$&@ up’s
  • 34. WHAT’S GRINDR? (all-male) social-dating app. “the largest and most popular all-male location-based social network out there. more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day” -grindr.com. All about geo; extremely popular; targeted group.
  • 35. GRINDR’S PREVIOUS ISSUES: those who cannot learn from history are doomed to repeat it.
    2012: “Love online: 100,000 Grindr users exposed in hack attack” -sydney morning herald
    2013: Grindr Application Security Evaluation Report -university of amsterdam
    2014: “Grindr fails to protect user's” -anonymous (pastebin)
    2014: Grindr Application Analysis -synack
  • 36. GRINDR (CASE STUDY): “0 Feet Away”. Lack of SSL pinning; overly precise geo; location spoofing; overly permissible APIs; broken UI level logic (sharing geo, client side precision). Yes, so much wrong!
  • 37. BUG 0X1: LACK OF SSL PINNING: the app does not pin its certs, exposing login info and user geolocation.
  • 38. BUG 0X2: REPORTING OF PRECISE GEO: the app reported (overly) precise relative distances. Response to POST /2.0/nearbyProfiles on primus.grindr.com:

    {"status": 1, "distance": 3.861290174942267,
     "relationshipStatus": 1, "displayName": "Waldo",
     "isFavorite": false, "showDistance": true,
     "height": 187.960006713867, "profileId": 12345678, …}

    i.e. 3.861290174942267 km away
  • 39. BUG 0X2: REPORTING OF PRECISE GEO: even newer versions may reveal precise location. 10 meter location reporting (office):

    //create instance of location manager
    let locationManager = CLLocationManager()
    //set ‘desired accuracy’
    locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters
  • 40. BUG 0X3: LOCATION SPOOFING: can spoof your location…as much as you want. The geolocation coordinates used for locating ‘nearby’ users can be changed at will! trilateration?
  • 41. BUG 0X4: WIDE-OPEN APIS: unauthenticated, unlimited access to APIs. Request for users’ info, POST /2.0/nearbyProfiles on primus.grindr.com:

    { "filter":{ "page":1, "quantity":50 }, "lat":<any lat>, "lon":<any lon> }

    Returned user info: name, height, weight, relative distance.
  • 42. BUG 0X5: ‘BROKEN’ UI LEVEL LOGIC: what you see/say isn’t what you get. UI level logic only: if !showDistance { hide distance }, plus settings. srsly? wtf!
  • 43. DISCLAIMER: our goal was to help Grindr understand the issues. During vulnerability research and disclosure no individual users were intentionally or unintentionally identified; all data logged has been irrecoverably destroyed. The purpose of this research was not to identify Grindr users but to help protect those that wish to remain private.
  • 44. IT'S MORPHIN' TIME: combining bugs can lead to “total tracking”. wide-open APIs + precise relative geo + location spoofing = tracking of any user anywhere!
  • 45. COLLECTION DATAZ: query the APIs to get info about all ‘nearby’ users.

    request:
    $ python collectInfo.py -o output.json
    [+] sent request to: primus.grindr.com
        POST /2.0/nearbyProfiles
    [+] saving response (50 users)

    response:
    $ less output.json
    "profiles": [{
        "profileId": 314159265,
        "displayName": "Waldo",
        "aboutMe": "Where am I?",
        "distance": 0.4980983433684
    },
    ...
  • 46. TRILATERATION: determine absolute location from relative distances. “trilateration is the process of determining absolute locations by measurement of (relative) distances, using the geometry of circles, spheres or triangles.” Trilateration script:

    $ python findUser.py -i 314159265
    [+] making query 1, 2, 3
        got three relative distances
    [+] converting geodetic lat/long to ECEF
    [+] transforming
        circle 1 at origin, circle 2 on x axis, etc
    [+] generating array with ECEF x,y,z
    [+] converting ECEF back to lat/long
    [+] user is at: 73.242539906632, 34.169308121551
  • 47. USER LOCATION: so let’s map some users: San Francisco, Sochi (olympics), stores, capitols.
  • 48. USER TRACKING: so let’s track some willing users. Your life; revealed.
  • 49. IDENTIFYING USERS: it’d be trivial to reveal anonymous users’ identities. Picture, geo tracking, profile name → home and work revealed!
  • 50. REPORTING TO GRINDR: …didn’t care :/ Early 2014: initial disclosure to vendor; followups included conference calls, technical write-ups, & POCs; didn’t fix anything. “we do not view this as a security flaw” -grindr.com/blog/grindr-security
  • 51. CAT GOT OUT OF THE BAG: …sadly it came to this to get (some) fixes. “Egyptian officials have resorted to using location-based dating app Grindr to arrest gay men"; “Grindr fails to protect their user’s” - anonymous (pastebin). People’s lives affected :(
  • 52. GRINDR RESPONSE: fixes & current issues. Fixed: user’s settings respected; geofencing (in Egypt, etc.); geolocation at kCLLocationAccuracyNearestTenMeters. Still open: no SSL pinning; open APIs; spoofing; no rate limiting. Still can track most users!
  • 54. BEST PRACTICES: for users and app developers alike. User: assume you can be tracked; disallow tracking at the OS level. Developer: secure comms; secure local storage; protected APIs; non-precise geo; correct UI logic. where’s waldo?!
  • 56. credits (images): thezooom.com; deviantart.com (FreshFarhan); nicolevanputten.com; http://agentfox.deviantart.com/art/chuck-Norris-hunting-waldo-42939561; http://fc09.deviantart.net/fs70/f/2010/154/3/9/Waldo_by_MattMelvin.jpg; http://th05.deviantart.net/fs71/PRE/i/2013/250/c/c/where_s_waldo_by_katanauser98-d6lgepy.png; iconmonstr.com; flaticon.com