2. “sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints.”
ABOUT
@colbymoore | /VRL | /SYNACK
vetted researchers | internal R&D | backed by google
always looking for more experts!
3. geolocation bugs, hacks, & fixes
AN OUTLINE
all things geo (code, bugs) | case study (lots of bugs, tracking users) | fixes/conclusions
5. incorporating geolocation is the norm
GEOLOCATION IN MOBILE APPS
74% of smart phone users get info based on their phone’s current location
(chart: Use Geo vs. No Geo)
social | recommendations | tracking | health & fitness | commerce | navigation
“84% inquire about location”
6. HOW IS GEOLOCATION ACCOMPLISHED (IOS)?
using the Core Location Manager: create -> delegate -> start -> wait/handle
“The CLLocationManager class is the central point for configuring the delivery of location-related events to your app.” apple.com
7. ‘doing it’ in Swift
GEOLOCATION (IOS)

    // required frameworks (UIKit for UIViewController, CoreLocation for CLLocationManager)
    import UIKit
    import CoreLocation

    // conform to CLLocationManagerDelegate
    class ViewController: UIViewController, CLLocationManagerDelegate {

        // [1] CREATE (instance of) location manager
        let locationManager = CLLocationManager()

        // app delegate function
        override func viewDidLoad() {
            super.viewDidLoad()
            // [2] set DELEGATE
            self.locationManager.delegate = self
            // request auth
            self.locationManager.requestWhenInUseAuthorization()
            // [3] START collecting location
            self.locationManager.startUpdatingLocation()
        }

        // [4] WAIT/HANDLE, delegate (callback) function
        func locationManager(manager: CLLocationManager!, didUpdateLocations locations: [AnyObject]!) {
            // do whateverz
            // -> user’s location is in manager.location.coordinate.(longitude/latitude)
        }
    }
8. os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
App’s Info.plist key: NSLocationWhenInUseUsageDescription
code for auth request:

    // request auth for foreground
    self.locationManager.requestWhenInUseAuthorization()

iOS alert: “allow the app to get location updates only when the app is in the foreground”
9. os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
App’s Info.plist key: NSLocationAlwaysUsageDescription
code for auth request:

    // request auth for foreground AND background
    self.locationManager.requestAlwaysAuthorization()

iOS alert: “allows the app to receive location updates both when the app is in the foreground and in the background (suspended or terminated)”
10. …bad for users!
GEO CAN ‘LEAK’ IF THE APPLICATION IS BUGGY
“the government” | hackers | thieves | criminals
“spies could be lurking to snatch data revealing the [app] player’s location” -nytimes.com
11. …so what!?
THEY KNOW YOUR LOCATION
“investigators said the suspects used social networking
sites such as Facebook to identify victims who posted
online that they would not be home at a certain time”
-thieves robbed homes based on facebook [3]
“a [geo]location allows perpetrators the perfect window to
commit a burglary, vandalism, or even a home invasion”
-criminal use of social media [2]
“[geolocation] generates a precise, comprehensive record
of a person’s public movements that reflects a wealth of
detail about her familial, political, professional, religious,
and sexual associations”
-u.s. v. jones [1]
1) http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol
2) http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
3) http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116
12. can compromise a user’s physical location
COMMON CLASSES OF GEO BUGZ
- insecure network comms
- insecure local storage
- location spoofing
- buggy server-side APIs
- overly precise location
- UI errors/validation
13. may allow passive attackers access to geo
INSECURE NETWORK COMMS
insecure network comms:
- use unencrypted comms
- allow self-signed certificates
- forget to pin certificates
do not do these things!
14. find such bugs with a proxy
INSECURE NETWORK COMMS
(diagram: device config -> proxy (burp) config; https:// / https:// / http:// legs of the connection)
15. does the app accept self-signed certificates?
INSECURE NETWORK COMMS
allowing a self-signed certificate (iOS): the app invokes the class method setAllowsAnyHTTPSCertificate:forHost:

    MOVT    R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
    ADD     R8, PC                      ; classRef_NSURLRequest
    MOV     R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
    ADD     R2, PC
    LDR     R4, [R2]                    ; "setAllowsAnyHTTPSCertificate:forHost:"
    LDR     R5, [R8]                    ; _OBJC_CLASS_$_NSURLRequest
    MOV     R0, R5                      ; _OBJC_CLASS_$_NSURLRequest
    MOV     R1, R4                      ; "setAllowsAnyHTTPSCertificate:forHost:"
    MOVS    R2, #1                      ; 'YES'
    MOV     R3, R8                      ; the host
    BLX     _objc_msgSend               ; invoke method
16. did the app forget to pin certificates?
INSECURE NETWORK COMMS
non-jailbroken device + hacker’s cert = can MitM the connection
“SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers”
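The slide contrasts two client behaviours: accepting any HTTPS certificate versus pinning. The Python below is an added example written for this page, not code from the talk or from any app it discusses; it shows the insecure "allow any certificate" TLS configuration beside a context that keeps chain and hostname validation on and additionally pins the SHA-256 fingerprint of the server's DER-encoded leaf certificate. The PINNED_FINGERPRINTS value is a placeholder (a real deployment pins the certificate it operates), and pinned_connection is a name chosen here, not a library API.

```python
import hashlib
import http.client
import ssl

# Placeholder pin set (constructed): hex SHA-256 over the DER bytes of the
# server's leaf certificate. Take this from the certificate you control,
# never from whatever a live connection happens to present.
PINNED_FINGERPRINTS = {"PLACEHOLDER_SHA256_HEX"}


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate (the value that gets pinned)."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_ok(der_cert: bytes, pins: set) -> bool:
    """True only if the presented certificate matches one of the pinned fingerprints."""
    return fingerprint(der_cert) in {p.lower() for p in pins}


def insecure_context() -> ssl.SSLContext:
    """The 'allow any HTTPS certificate' setting the slide warns about:
    no chain validation and no hostname check, so any self-signed cert is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_context() -> ssl.SSLContext:
    """Hardened form: default context keeps CERT_REQUIRED and hostname checking;
    the pin check in pinned_connection() is layered on top, not instead of it."""
    return ssl.create_default_context()


def pinned_connection(host: str, pins: set, port: int = 443) -> http.client.HTTPSConnection:
    """Open an HTTPS connection and refuse it unless the leaf certificate is pinned.
    (Requires network access; not exercised by the offline checks.)"""
    conn = http.client.HTTPSConnection(host, port, context=pinned_context())
    conn.connect()
    der = conn.sock.getpeercert(binary_form=True)  # DER bytes of the peer's leaf cert
    if not fingerprint_ok(der, pins):
        conn.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return conn
```

Pinning the leaf fingerprint is the simplest scheme; it must be rotated together with the certificate, so ship the next certificate's pin alongside the current one before renewing.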
17. stolen or lost phones may compromise user’s geo
INSECURE LOCAL STORAGE
insecure local storage: store in unencrypted files (plists, logfiles, databases)
again, bad!
19. on iOS, always check the user’s default plist
INSECURE LOCAL STORAGE
App’s IDA disassembly:

    MOV     R1, #(selRef_standardUserDefaults - 0x5917A)
    ADD     R1, PC
    LDR     R1, [R1]                    ; "standardUserDefaults"
    MOV     R0, #(classRef_NSUserDefaults - 0x591A2)
    ADD     R0, PC
    LDR     R0, [R0]                    ; _OBJC_CLASS_$_NSUserDefaults
    BLX     _objc_msgSend               ; [NSUserDefaults standardUserDefaults]
    MOV     R3, #(cfstr_geoInfo - 0x591D6)
    ADD     R3, PC                      ; "geoInfo"
    LDR     R2, [SP,#0xB4+usersGeo]     ; geo data
    MOV     R1, #(selRef_setObject_forKey_ - 0x591D6)
    ADD     R1, PC
    LDR     R1, [R1]                    ; "setObject:forKey:"
    BLX     _objc_msgSend               ; [userDefaults setObject:forKey:]

App’s ‘User Defaults’ plist (in the app’s /Library/Preferences/, with NSFileProtectionNone):

    <dict>
        <key>geoInfo</key>
        <dict>
            <key>homeLong</key>
            <real>73.242539</real>
            <key>homeLat</key>
            <real>34.169308</real>
            ...
        </dict>
    </dict>
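Checking the user-defaults plist by hand works for one app; an assessor looking at many builds wants the check scripted. The Python below is an added example for this page, not a tool from the talk: it parses a plist with the standard library (XML or binary, plistlib detects both) and reports every numeric leaf whose key name suggests a coordinate and whose value lies in the latitude/longitude range. The embedded SAMPLE_PLIST is constructed to mirror the slide's dump, and the key hints in COORD_KEY_HINTS are an assumption you would extend for the app under test.

```python
import plistlib
from typing import Any, Iterator, List, Tuple

# Constructed sample mirroring the slide's "User Defaults" dump (not a real app's file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>geoInfo</key>
  <dict>
    <key>homeLong</key><real>73.242539</real>
    <key>homeLat</key><real>34.169308</real>
    <key>lastSeen</key><string>2014-08-01T12:00:00Z</string>
  </dict>
  <key>username</key><string>waldo</string>
  <key>volume</key><real>0.75</real>
</dict>
</plist>
"""

# Assumed key-name fragments that usually mark a stored coordinate; extend per app.
COORD_KEY_HINTS = ("lat", "lon", "lng", "long", "geo", "location", "coord")


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (path, leaf) for every scalar in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def looks_like_coordinate(path: str, value: Any) -> bool:
    """Numeric leaf, coordinate-like key name, and a value inside +/-180 degrees."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    leaf = path.rsplit("/", 1)[-1].lower()
    if not any(hint in leaf for hint in COORD_KEY_HINTS):
        return False
    return -180.0 <= float(value) <= 180.0


def find_geo_leaks(plist_bytes: bytes) -> List[str]:
    """Paths of all suspected coordinates in a plist; empty list means nothing found."""
    data = plistlib.loads(plist_bytes)
    return sorted(path for path, value in _walk(data) if looks_like_coordinate(path, value))


if __name__ == "__main__":
    for hit in find_geo_leaks(SAMPLE_PLIST):
        print("possible stored coordinate:", hit)
```

A hit in an NSUserDefaults plist is a finding regardless of the data-protection class, since user defaults are not meant for sensitive data; for other files the next question is which NSFileProtection class the app set on them.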
20. don’t trust geolocation from the client
LOCATION SPOOFING
location spoofing (be careful if you do this!):
- explicitly trust client-side geo
- allow client’s (device’s) location to rapidly change
affects: user auth, access to ‘relative’ data
21. find such bugs by manipulating reported geo
LOCATION SPOOFING
edit to spoof geo: editing network dataz, cycript (runtime manipulations), or location spoofing apps (from Cydia)
22. do apps really need precision to 12 decimal places?!
OVER PRECISE LOCATION
over precise location (treat with care!):
- collect geolocation as precise as possible
  long: 73.242539906632…  (~1km … ~1m … ~1mm)
- don’t specify a ‘desired accuracy’ (iOS defaults to highest)
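The annotation on the slide is easy to verify: one degree of latitude is roughly 111 km, so the second decimal place is about 1 km, the fifth about 1 m and the eighth about 1 mm; twelve decimals are a fraction of a micrometre. The Python below is an added example for this page (not code from the talk): it computes the ground resolution of each decimal place and shows a coarsening step that snaps a coordinate to a grid cell before it is stored or sent, so the value carries no more precision than the feature needs. The sample coordinate is the slide's own number; the grid approach and the 1 km cell size are assumptions.

```python
import math
from typing import Tuple

# The longitude/latitude pair shown on the slide, used here as sample input.
RAW_LONGITUDE = 73.242539906632
RAW_LATITUDE = 34.169308121551

METERS_PER_DEGREE_LAT = 111_320.0  # mean length of one degree of latitude


def meters_per_degree_lon(lat_deg: float) -> float:
    """Length of one degree of longitude shrinks with the cosine of the latitude."""
    return METERS_PER_DEGREE_LAT * math.cos(math.radians(lat_deg))


def decimal_place_resolution_m(decimals: int, lat_deg: float = 0.0) -> float:
    """Ground distance represented by the last of `decimals` fractional digits of a longitude."""
    return meters_per_degree_lon(lat_deg) * 10 ** (-decimals)


def coarsen(lat: float, lon: float, cell_m: float) -> Tuple[float, float]:
    """Snap a coordinate to the centre of a cell_m x cell_m grid cell.

    Every point inside the same cell maps to the same output, so a stored or
    transmitted value reveals the cell, never the exact position. The longitude
    step is derived from the snapped latitude so the cell is fixed per latitude band.
    """
    lat_step = cell_m / METERS_PER_DEGREE_LAT
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    lon_step = cell_m / meters_per_degree_lon(lat_c)
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return round(lat_c, 6), round(lon_c, 6)


if __name__ == "__main__":
    for places in (2, 5, 8, 12):
        print(f"{places:2d} decimals -> {decimal_place_resolution_m(places, RAW_LATITUDE):.9f} m")
    print("stored as 1 km cell:", coarsen(RAW_LATITUDE, RAW_LONGITUDE, 1000))
```

Rounding the printed string instead of the value (the "UI level logic" approach later in the deck) does not achieve this; the coarsening has to happen before the precise value leaves the process that collected it.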
24. unprotected APIs may provide geo
INSECURE SERVER-SIDE APIS
insecure server-side APIs:
- assume undocumented APIs are hidden
- allow unauthorized queries
- allow unlimited (un-throttled) queries
- provide unrestricted geo
all bad assumptions/ideas!
25. sniffing network traffic often reveals undocumented API
INSECURE SERVER-SIDE APIS
(screenshots: intercepted outgoing request -> modified request with changed user)
holy $#!@, did we just find Carmen Sandiego!? ;)
26. what lurks below?
USER-INTERFACE
user interface:
- assume the UI is ‘secure’
- implement client-side protection (in the UI)
- ignore user settings
all bad assumptions/ideas!
27. don’t enforce anything at the UI level
USER INTERFACE
ui level logic (e.g. precision rounding) OR ui settings ignored!
-> client location still sent to server
-> precise geolocation (of other users) sent to device
28. buggy apps that compromised a user’s physical location
EXAMPLE OF GEO BUGS
starbucks | whisper | angry birds | tinder | grindr (case-study)
29. overpriced coffee, plus a shot of geo tracking
STARBUCKS
[CVE-2014-0647] Insecure Data Storage of User Data in Starbucks v2.6.1 iOS mobile application (Daniel Wood)
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
“[unencrypted] geolocation data included alongside username and password data, meaning that hackers can potentially see where a user most often traveled if they were to access the phone”
30. “the safest place on the internet” - NOPE
WHISPER
- users monitored/tracked (even if opt’d out)
- geo stored ‘indefinitely’
- shared with the DOD
“Revealed: how Whisper app tracks ‘anonymous’ users” -the guardian
31. precise geo of nearby users, allowed tracking
TINDER
tinder user trilateration (blog.includesecurity.com)
‘tinderizer’: matches (main_photo_url = photos[0]['url']) -> facebook profiles
32. …‘they’ are watching you play
ANGRY BIRDS
“the ABC have been developing capabilities to
take advantage of "leaky" smartphone apps,
such as the wildly popular Angry Birds game,
that transmit users' private information [geo]”
-the guardian
34. (all-male) social-dating app
WHAT’S GRINDR?
“the largest and most popular all-male location-based social network out there. more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day” -grindr.com
all about geo | extremely popular | targeted group
35. Those who cannot learn from history are doomed to repeat it
GRINDR’S PREVIOUS ISSUES
2012: “Love online: 100,000 Grindr
users exposed in hack attack”
-sydney morning herald
2013: Grindr Application Security
Evaluation Report
-university of amsterdam
2014: “Grindr fails to protect user's”
-anonymous (pastebin)
2014: Grindr Application Analysis
-synack
36. “0 Feet Away”
GRINDR (CASE STUDY)
- lack of SSL pinning
- overly precise geo (client side precision)
- location spoofing
- overly permissible APIs
- broken ui level logic (sharing geo)
yes, so much wrong!
37. the app does not pin its certs
BUG 0X1: LACK OF SSL PINNING
exposed over the connection: login info, user geolocation
38. the app reported (overly) precise relative distances
BUG 0X2: REPORTING OF PRECISE GEO
primus.grindr.com
POST /2.0/nearbyProfiles
response:

    {"status": 1,
     "distance": 3.861290174942267,
     "relationshipStatus": 1,
     "displayName": "Waldo",
     "isFavorite": false,
     "showDistance": true,
     "height": 187.960006713867,
     "profileId": 12345678,
     …}

3.861290174942267 km away
39. even newer versions may reveal precise location
BUG 0X2: REPORTING OF PRECISE GEO

    // create instance of location manager
    let locationManager = CLLocationManager()
    // set ‘desired accuracy’
    locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters

10 meter location reporting (screenshot: office)
40. can spoof your location…as much as you want
BUG 0X3: LOCATION SPOOFING
geolocation coordinates for locating ‘nearby’ users: change these at will!
trilateration?
41. unauthenticated, unlimited access to APIs
BUG 0X4: WIDE-OPEN APIS
primus.grindr.com
POST /2.0/nearbyProfiles
request for users’ info:

    {
        "filter": {
            "page": 1,
            "quantity": 50
        },
        "lat": <any lat>,
        "lon": <any lon>
    }

user info returned: name, height, weight, relative distance
42. what you see/say isn’t what you get
BUG 0X5: ‘BROKEN’ UI LEVEL LOGIC
UI level logic (+ settings):

    if !showDistance {
        hide distance
    }

srsly? wtf!
43. our goal was to help Grindr understand the issues
DISCLAIMER
during vulnerability research and disclosure no individual users were intentionally or unintentionally identified; all data logged has been irrecoverably destroyed.
The purpose of this research was not to identify Grindr users but to help protect those that wish to remain private.
44. combining bugs can lead to “total tracking”
IT'S MORPHIN' TIME
wide-open APIs + precise relative geo + location spoofing = tracking of any user anywhere!
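All three ingredients on this slide, together with the ignored showDistance setting from bug 0x5 and the rapid-location-change point from the spoofing slide, are server-side failures, so the fix belongs in the server's nearbyProfiles handler rather than in the UI. The Python service below is an added example written for this page, not Grindr's code or any real API: it requires an authenticated account, throttles queries per account, rejects a client-reported position that implies an implausible speed since the previous one, never echoes other users' absolute coordinates, honours each profile's showDistance flag on the server, and rounds every reported distance up to a coarse bucket. The class and field names, the 500 m bucket, the 1000 km/h ceiling and the 30-queries-per-minute limit are all assumptions; the accounts in build_sample_service are constructed test data.

```python
import math
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0      # assumption: faster than this between two fixes is treated as spoofing
RATE_LIMIT = (30, 60.0)     # assumption: 30 nearby queries per 60 s per account
MAX_QUANTITY = 50           # assumption: hard cap on profiles per response
DISTANCE_BUCKET_KM = 0.5    # assumption: never report a distance finer than 500 m


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class Profile:
    profile_id: int
    display_name: str
    lat: float                      # stored server-side only, never returned to other clients
    lon: float
    show_distance: bool = True


@dataclass
class Account:
    token: str
    profile: Profile
    last_fix: Optional[Tuple[float, float, float]] = None   # (time, lat, lon) of last accepted fix
    query_times: List[float] = field(default_factory=list)


class NearbyService:
    def __init__(self, accounts: List[Account], profiles: List[Profile]):
        self._by_token: Dict[str, Account] = {a.token: a for a in accounts}
        self._profiles = profiles

    def nearby(self, token: str, lat: float, lon: float,
               quantity: int = MAX_QUANTITY, now: Optional[float] = None) -> List[dict]:
        now = time.time() if now is None else now
        acct = self._by_token.get(token)
        if acct is None:                                   # bug 0x4: no anonymous queries
            raise PermissionError("unauthenticated")
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError("coordinate out of range")
        limit, window = RATE_LIMIT                          # bug 0x4: throttle per account
        acct.query_times = [t for t in acct.query_times if now - t < window]
        if len(acct.query_times) >= limit:
            raise RuntimeError("rate limited")
        acct.query_times.append(now)
        if acct.last_fix is not None:                       # bug 0x3: sanity-check the client's fix
            t0, lat0, lon0 = acct.last_fix
            hours = max(now - t0, 1e-9) / 3600.0
            if haversine_km(lat0, lon0, lat, lon) / hours > MAX_SPEED_KMH:
                raise ValueError("implausible location change")
        acct.last_fix = (now, lat, lon)
        quantity = max(1, min(quantity, MAX_QUANTITY))
        out: List[dict] = []
        for p in self._profiles:
            if p.profile_id == acct.profile.profile_id:
                continue
            entry = {"profileId": p.profile_id, "displayName": p.display_name,
                     "showDistance": p.show_distance}
            if p.show_distance:                             # bug 0x5: setting enforced here, not in the UI
                d = haversine_km(lat, lon, p.lat, p.lon)
                entry["distance"] = math.ceil(d / DISTANCE_BUCKET_KM) * DISTANCE_BUCKET_KM  # bug 0x2
            out.append(entry)
        return out[:quantity]   # deliberately not sorted by exact distance, which would leak ordering


def build_sample_service() -> NearbyService:
    """Constructed accounts: Waldo, one profile ~1.1 km north, one hiding its distance."""
    waldo = Profile(314159265, "Waldo", 34.169308, 73.242539)
    near = Profile(1, "Near", 34.179308, 73.242539)
    hidden = Profile(2, "Hidden", 34.169308, 73.252539, show_distance=False)
    return NearbyService([Account("tok-waldo", waldo)], [waldo, near, hidden])


if __name__ == "__main__":
    svc = build_sample_service()
    print(svc.nearby("tok-waldo", 34.169308, 73.242539))
```

The speed ceiling and the rate limit are tuning knobs; the property that matters is that an attacker who can send arbitrary coordinates still only learns a bucketed distance, and only as many of them per minute as the limit allows.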
45. query the APIs to get info about all ‘nearby’ users
COLLECTION DATAZ
request:

    $ python collectInfo.py -o output.json
    [+] sent request to: primus.grindr.com POST /2.0/nearbyProfiles
    [+] saving response (50 users)

response:

    $ less output.json
    "profiles": [{
        "profileId": 314159265,
        "displayName": "Waldo",
        "aboutMe": "Where am I?",
        "distance": 0.4980983433684
    },
    ...
46. determine absolute location from relative distances
TRILATERATION
“trilateration is the process of determining absolute locations by measurement of (relative) distances, using the geometry of circles, spheres or triangles.”
trilateration script:

    $ python findUser.py -i 314159265
    [+] making query 1, 2, 3
        got three relative distances
    [+] converting geodetic lat/long to ECEF
    [+] transforming circle 1 at origin, circle 2 on x axis, etc
    [+] generating array with ECEF x,y,z
    [+] converting ECEF back to lat/long
    [+] user is at: 73.242539906632, 34.169308121551
47. so let’s map some users
USER LOCATION
(maps: San Francisco, Sochi (olympics), stores, capitols)
48. so let’s track some willing users
USER TRACKING
your life; revealed
49. it’d be trivial to reveal anonymous users’ identities
IDENTIFYING USERS
picture + geo tracking (home, work) + profile name -> revealed!
50. …didn’t care :/
REPORTING TO GRINDR
early 2014 - initial disclosure to vendor
followups included
conference calls, technical write-ups, & POCs
didn’t fix anything
“we do not view this as a security flaw”
-grindr.com/blog/grindr-security
51. …sadly it came to this to get (some) fixes
CAT GOT OUT OF THE BAG
“Egyptian officials have resorted to using location-
based dating app Grindr to arrest gay men"
“Grindr fails to protect their user’s” -
anonymous (pastebin)
people’s lives affected :(
52. fixes & current issues
GRINDR RESPONSE
fixes: user’s settings respected | geofencing (in Egypt, etc.) | geolocation kCLLocationAccuracyNearestTenMeters
current issues: no SSL pinning | open APIs | spoofing | no rate limiting
still can track most users!
54. for users and app developers alike
BEST PRACTICES
user: assume you can be tracked; disallow tracking at the OS level
developer: secure comms, secure local storage, protected APIs, non-precise geo, correct UI logic
where’s waldo?!