Mobile apps are truly ubiquitous and enhance our lives in many ways. However, many either leak or insecurely handle geolocation data, affording an attacker the ability to locate, track, or even determine a user’s identity. This talk describes classes of geolocation vulnerabilities, how apps may be audited to find such bugs, and best practices to ensure users remain protected. To provide a more 'hands-on' feel, real world case studies are presented to demonstrate attacks uncovered by Synack researchers. The talk will begin with a technical overview of geolocation capabilities in mobile OSs and how apps may access a user's location. Next the talk will identify common classes of geolocation bugs and illustrate how developers often utilize a user's location in an insecure manner. One example, since geolocation APIs may default to the highest level of accuracy, a user's precise location may be revealed if not properly secured (on the device, in transit, or in the cloud). Unfortunately, as our case studies show, such bugs are alarmingly common (numerous popular applications will be mentioned). A specific case study on Grindr (a common dating app), will be presented to illustrate a myriad of geolocation bugs that placed its users in harm’s way (see: 'Grindr vulnerability places men in harm's way' http://goo.gl/dg4cs6). First, due to the lack of SSL pinning, we present a MitM attack that reveals the user's exact location. Following this, we demonstrate a scalable remote attack. This attack combined several bugs, including the fact that the app reported (to anybody), the precise relative distance of all 'near-by' users. With these distances and the ability to spoof one's location and perform unlimited requests, trilateration could precisely locate and track users world-wide. Unfortunately though we reported the bugs, patches only appeared after it was reported that the Egyptian government was tracking and arresting Grindr users. Step by step demonstrations will be given, showing how we were able to harvest data and run calculations to determine tens of thousands of user's locations in real time. But it would be silly if we stopped there... Leveraging our capability we demonstrate a custom framework developed to map patterns of life and subsequently correlate these patters to true identity. By setting "hot spots" in our framework (think celebrity homes or US capitols) we can monitor target locations for user activity - potentially exposing identities of parties that may traditionally wish to remain private such as celebrities, athletes, and politicians. And yes, it works ;).

1. @patrickwardle@colbymoore

2. “sources a global contingent of vetted security experts worldwide and
pays them on an incentivized basis to discover security vulnerabilities in
our customers’ web apps, mobile apps, and infrastructure endpoints.”
ABOUT (US)
@patrick
wardle
/NASA
/NSA
/VRL
/SYNACK
always looking for
more experts!
@colbymoore
/VRL
/SYNACK
vetted researchers
internal R&D
backed by google

3. geolocation bugs, hacks, & fixes
AN OUTLINE
all things geo case study fixes/conclusions
}
}
code bugs
lots of bugs
tracking users

4. ALL THINGS GEO
overview, code, & bugs

5. incorporating geolocation is the norm
GEOLOCATION IN MOBILE APPS
74% of smart phone users get info
based on their phone’s current location
Use Geo
No Geo
social
recommendations
health & fitness
commerce
navigation
“84%
inquire
about
location”

6. HOW IS GEOLOCATION ACCOMPLISHED (IOS)?
create delegate start
“The CLLocationManager class is the central point
for configuring the delivery of location-related events
to your app.” apple.com
wait/handle
using the Core Location Manager

7. ‘doing it’ in Swift
GEOLOCATION (IOS)
//required
framework
import
CoreLocation
//conform
to
CLLocationManagerDelegate
class
ViewController:
UIViewController,
CLLocationManagerDelegate
{
//[1]
CREATE
(instance
of)
location
manager
let
locationManager
=
CLLocationManager()
//app
delegate
function
override
func
viewDidLoad()
{
//[2]
set
DELEGATE
self.locationManager.delegate
=
self;
//request
auth
self.locationManager.requestWhenInUseAuthorization()
//[3]
START
collecting
location
self.locationManager.startUpdatingLocation()
}
//[4]
WAIT/HANDLE,
delegate
(callback)
function
func
locationManager(manager:
CLLocationManager!,
didUpdateLocations
locations:
[AnyObject]!)
{
//do
whateverz
//
-­‐>user’s
location
is
in
manager.location.coordinate.(latitude/longitude)
}
}

8. os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
NSLocationWhenInUseUsageDescription:
//request
auth
for
foreground
self.locationManager.requestWhenInUseAuthorization()
App’s
Info.plist
iOS alert
code for auth request
“allow the app to get location updates
only when the app is in the foreground”

9. os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
//request
auth
for
foreground
self.locationManager.requestAlwaysAuthorization()
App’s
Info.plist
iOS alert
code for auth request
“allows the app to receive location updates
both when the app is in the foreground and in
the background (suspended or terminated)”
NSLocationAlwaysUsageDescription:

10. …bad for users!
GEO CAN ‘LEAK’ IF THE APPLICATION IS BUGGY
“the government”
hackers
“spies could be lurking to snatch data
revealing the [app] player’s location”
-nytimes.com
thieves
criminals

11. …so what!?
THEY KNOW YOUR LOCATION
“investigators said the suspects used social networking
sites such as Facebook to identify victims who posted
online that they would not be home at a certain time”
-thieves robbed homes based on facebook [3]
“a [geo]location allows perpetrators the perfect window to
commit a burglary, vandalism, or even a home invasion”
-criminal use of social media [2]
“[geolocation] generates a precise, comprehensive record
of a person’s public movements that reflects a wealth of
detail about her familial, political, professional, religious,
and sexual associations”
-u.s. v. jones [1]
1) http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol
2) http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
3) http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116

12. can compromise a user’s physical location
COMMON CLASSES OF GEO BUGZ
insecure network
comms
insecure local
storage
location spoofing
buggy server-side APIs
overly precise location
UI errors/validation

13. may allow passive attackers access to geo
INSECURE NETWORK COMMS
insecure network
comms
use unencrypted comms
allow self-signed certificates
forget to pin certificates
do not do these things!

14. find such bugs with a proxy
INSECURE NETWORK COMMS
https://
https://
http://
proxy (burp) config
device config

15. does the app accept self-signed certificates?
INSECURE NETWORK COMMS
MOVT
R8,
#(:upper16:(classRef_NSURLRequest
-­‐
0xC254))
ADD
R8,
PC
;
classRef_NSURLRequest
MOV
R2,
#(selRef_setAllowsAnyHTTPSCertificate_forHost_
-­‐
0xC2A4)
ADD
R2,
PC
LDR
R4,
[R2]
;"setAllowsAnyHTTPSCertificate:forHost:"
LDR
R5,
[R8]
;_OBJC_CLASS_$_NSURLRequest
MOV
R0,
R5
;_OBJC_CLASS_$_NSURLRequest
MOV
R1,
R4
;"setAllowsAnyHTTPSCertificate:forHost:"
MOVS
R2,
#1
;’YES’
MOV
R3,
R8
;
the
host
BLX
_objc_msgSend
class
method
allowing a self-signed certificate (iOS)
setAllowsAnyHTTPSCertificate:forHost:
invoke method

16. did the app forget to pin certificates?
INSECURE NETWORK COMMS
non-jailbroken device
+
hacker’s cert
can
MitM
the
connection
“SSL pinning is a extra layer of security that
ensures a client will only communicate with
a well-defined set of servers”

17. stolen or lost phones may compromise user’s geo
INSECURE LOCAL STORAGE
insecure local
storage
store in unencrypted files
again, bad!
}
plists logfilesdatabases

18. find such bugs with filemon & fileDP
INSECURE LOCAL STORAGE
//dump
file
attributes
NSLog(@"attrs: %@", [[[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil]
objectForKey:NSFileProtectionKey]);
display file’s protection attributes (iOS)
#
./filemon
Wheres_Waldo
Created
/Application
Support/analytics/location.db-­‐journal
DEV:
1,3
INODE:
121171
MODE:
81a4
UID:
501
GID:
501
Arg64:
300649589561
Wheres_Waldo
Renamed
/Preferences/lastKnownLocation.plist.l0mitdo
DEV:
1,3
INODE:
121172
MODE:
8180
UID:
501
GID:
501
monitoring app’s file I/O

19. on iOS, always check the user’s default plist
INSECURE LOCAL STORAGE
MOV
R1,
#(selRef_standardUserDefaults-­‐0x5917A)
ADD
R1,
PC
LDR
R1,
[R1]
;"standardUserDefaults"
MOV
R0,
#(classRef_NSUserDefaults-­‐0x591A2)
ADD
R0,
PC
LDR
R0,
[R0]
;_OBJC_CLASS_$_NSUserDefaults
BLX
_objc_msgSend
;[NSUserDefaults
standardUserDefaults]
MOV
R3,
#(cfstr_geoInfo-­‐0x591D6)
ADD
R3,
PC
;"geoInfo"
LDR
R2,
[SP,#0xB4+usersGeo]
;geo
data
MOV
R1,
#(selRef_setObject_forKey_-­‐0x591D6)
ADD
R1,
PC
LDR
R1,
[R1]
;"setObject:forKey:"
BLX
_objc_msgSend
;[userDefaults
setObject:
forKey:]
app’s
/Library/Preferences/
with NSFileProtectionNone
App’s IDA disassembly
App’s ‘User Defaults’ plist
<dict>
<key>geoInfo</key>
<dict>
<key>homeLong</key>
<real>73.242539</real>
<key>homeLat</key>
<real>34.169308</real>
...
</dict>
</dict>

20. don’t trust geolocation from the client
LOCATION SPOOFING
location spoofing
be careful if you do this!
explicitly trust client-side geo
allow client’s (device’s)
location to rapidly change
}
user auth
access to
‘relative’ data

21. find such bugs by manipulating reported geo
LOCATION SPOOFING
edit to spoof geo!
editing network dataz
cycript (runtime manipulations)
location spoofing apps (from Cydia)
or

22. do apps really need precision to 12 decimal places?!
OVER PRECISE LOCATION
over precise
location
treat with care!
collect geolocation as precise
as possible
long: 73.242539906632…
~1km ~1m ~1mm
don’t specify a ‘desired accuracy’
(iOS defaults to highest)

23. sniffing (network or file I/O) or look at disassembly
OVER PRECISE LOCATION
//create
instance
of
location
manager
let
locationManager
=
CLLocationManager()
//set
‘desired
accuracy’
locationManager.desiredAccuracy
=
kCLLocationAccuracyBest;
MOV
R4,
#(_kCLLocationAccuracyBest_ptr
-­‐
0xACD8)
ADD
R4,
PC,
R4
;
_kCLLocationAccuracyBest_ptr
LDR
R4,
[R4]
;
_kCLLocationAccuracyBest
VLDR
D16,
[R4]
VMOV
R2,
R3,
D16
;
R2
contains
_kCLLocationAccuracyBest
LDR
R1,
[SP,#0xF8+selRef_setDesiredAccuracy]
LDR
R1,
[R1]
;
R1
contains
selRef_setDesiredAccuracy
;R0
has
locationManager
object
LDR
R9,
[SP,#0xF8+objc_msgSend]
;
__imp__objc_msgSend
;
objc_msgSend(locationManager,
“setDesiredAccuracy”,
_kCLLocationAccuracyBest);
BLX
R9
IDA disassembly
setting ‘desired accuracy'

24. unprotected APIs may provide geo
INSECURE SERVER-SIDE APIS
insecure server-side
APIs
assume undocumented APIs are hidden
allow unlimited (un-throttled) queries
provide unrestricted geo
all bad assumptions/ideas!
allow unauthorized queries

25. sniffing network traffic often reveals undocumented API
INSECURE SERVER-SIDE APIS
holy $#!@, did we just find Carmen Sandiego!? ;)
intercepted outgoing request modified request
changed user

26. what lurks below?
USER-INTERFACE
user interface
assume the UI is ‘secure’
implement client-side
protection (in the UI)
all bad assumptions/ideas!
ignore user settings

27. don’t enforce anything at the UI level
USER INTERFACE
OR
}
ui settings ignored!
ui level logic
(e.g. precision rounding)
client location still
sent to server
precise geolocation (of other users)
sent to device

28. buggy apps that compromised a user’s physical location
EXAMPLE OF GEO BUGS
starbucks whisper
angry birds
grindr
tinder
case-study

29. overpriced coffee, plus a shot of geo tracking
STARBUCKS
[CVE-2014-0647] Insecure Data Storage of User Data in
Starbucks v2.6.1 iOS mobile application (Daniel Wood)
/Library/Caches/com.crashlytics.data/
com.starbucks.mystarbucks/session.clslog
“[unencrypted] geolocation data included alongside
username and password data, meaning that hackers can
potentially see where a user most often traveled if they
were to access the phone”

30. “the safest place on the internet” - NOPE
WHISPER
users monitored/tracked
(even if opt’d out)
geo stored ‘indefinitely’
shared with the DOD
“”Revealed: how Whisper app tracks ‘anonymous’ users”
-the guardian

31. precise geo of nearby users, allowed tracking
TINDER
tinder user trilateration
(blog.includesecurity.com)
main_photo_url =
photos[0]['url']
matches
‘tinderizer’
facebook profiles

32. …‘they’ are watching you play
ANGRY BIRDS
“the ABC have been developing capabilities to
take advantage of "leaky" smartphone apps,
such as the wildly popular Angry Birds game,
that transmit users' private information [geo]”
-the guardian

33. Case Study - Grindr
many, many #$&@ up’s

34. (all-male) social-dating app
WHAT’S GRINDR?
“the largest and most popular all-male location-based
social network out there. more than 5 million guys in 192
countries around the world -- and approximately 10,000
more new users downloading the app every day”
-grindr.com
all about
geo
extremely
popular
targeted
group

35. Those who cannot learn from history are doomed to repeat it
GRINDR’S PREVIOUS ISSUES
“Love online: 100,000 Grindr users
exposed in hack attack”
-sydney morning herald
Grindr Application Security
Evaluation Report
-university of amsterdam
“Grindr fails to protect user's”
-anonymous (pastebin)
Grindr Application Analysis
-synack

36. “0 Feet Away”
GRINDR (CASE STUDY)
lack of SSL pinning
overly precise geo
location spoofing
overly permissible APIs
broken ui level logic
sharing geo
client side precision
yes, so much wrong!

37. the app does not pin its certs
BUG 0X1: LACK OF SSL PINNING
login info
user geolocation

38. the app reported (overly) precise relative distances
BUG 0X2: REPORTING OF PRECISE GEO
primus.grindr.com
POST /2.0/nearbyProfiles
{"status":
1,
"distance":
3.861290174942267,
"relationshipStatus":
1,
"displayName":
"Waldo",
"isFavorite":
false,
"showDistance":
true,
"height":
187.960006713867,"profileId":
12345678,
…}
response
3.861290174942267
km away

39. even newer versions may reveal precise location
BUG 0X2: REPORTING OF PRECISE GEO
//create
instance
of
location
manager
let
locationManager
=
CLLocationManager()
//set
‘desired
accuracy’
locationManager.desiredAccuracy
=
kCLLocationAccuracyNearestTenMeters;
10 meter
location reporting
office

40. can spoof your location…as much as you want
BUG 0X3: LOCATION SPOOFING
geolocation coordinates for
locating ‘nearby’ users
change these at will!
trilateration?

41. unauthenticated, unlimited access to APIs
BUG 0X4: WIDE-OPEN APIS
{
"filter":{
"page":1,
"quantity":50
},
"lat":<any lat>,
"lon":<any lon>
}
primus.grindr.com
POST /2.0/nearbyProfiles
name height weight relative
distance
request for users’ info
user info

42. what you see/say isn’t what you get
BUG 0X5: ‘BROKEN’ UI LEVEL LOGIC
OR
}
if !showDistance
{
hide distance
}
+ settings
+ settings
UI level logic
srsly? wtf!

43. our goal was to help Grindr under the issues
DISCLAIMER
during vulnerability research and disclosure no individual
users were intentionally or unintentionally identified
all data logged has been irrecoverably destroyed.
The purpose of this research was not to identify Grindr
users but to help protect those that wish to remain private.

44. combining bugs can lead “total tracking”
IT'S MORPHIN' TIME
wide-open APIs
precise relative geo
location spoofing
+
+
=
tracking of any user
anywhere!

45. query the APIs to get info about all ‘nearby’ users
COLLECTION DATAZ
$
python
collectInfo.py
-­‐o
output.json
[+]
sent
request
to:
primus.grindr.com
POST
/2.0/nearbyProfiles
[+]
saving
response
(50
users)
$
less
output.json
"profiles":
[{
"profileId":
314159265,
"displayName":
"Waldo",
"aboutMe":
"Where
am
I?",
"distance":
0.4980983433684
},
...
request
response

46. determine absolute location from relative distances
TRILATERATION
“trilateration is the process of determining absolute
locations by measurement of (relative) distances, using
the geometry of circles, spheres or triangles.”
$
python
findUser.py
-­‐i
314159265
[+]
making
query
1,
2,
3
got
three
relative
distances
[+]
converting
geodetic
lat/long
to
ECEF
[+]
transforming
circle
1
at
origin,
circle
2
on
x
axis,
etc
[+]
generating
array
with
ECEF
x,y,z
[+]
converting
ECEF
back
to
lat/long
[+]
user
is
at:
73.242539906632,
34.169308121551
trilateration script

47. so lets map some users
USER LOCATION
San Francisco
Sochi (olympics)
stores
capitols

48. so lets track some willing users
USER TRACKING
your life; revealed

49. it’d be trivial to reveal anonymous user’s identities
IDENTIFYING USERS
picture
geo tracking
from profile name
home work
} revealed!

50. ...unfortunately this isn't just theoretical
IDENTIFYING USERS
"Anti-Gay North Dakota
Representative"
"Married Anti-Gay Pastor"

51. …didn’t care :/
REPORTING TO GRINDR
initial disclosure to vendor
followups included
conference calls, technical write-ups, & POCs
didn’t fix anything
“we do not view this as a security flaw”
-grindr.com/blog/grindr-security

52. …sadly it came to this to get (some) fixes
CAT GOT OUT OF THE BAG
“Egyptian officials have resorted to using location-
based dating app Grindr to arrest gay men"
“Grindr fails to protect their user’s” -
anonymous (pastebin)
people’s lives affected :(

53. fixes & current issues
GRINDR RESPONSE
}
user’s settings respected
geofencing (in Egypt, etc.)
geolocation
kCLLocationAccuracyNearestTenMeters
}
no SSL pinning open APIs spoofing
still can track
most users!
no rate limiting

54. Fixes/Conclusions
for users and devs alike

55. for users and app developers alike
BEST PRACTICES
assume you can be tracked
disallow tracking at the OS level
user
developer
secure comms
secure local storage
protected APIs
non-precise geo
correct UI logic
}
where’s waldo?!

56. QUESTIONS & ANSWERS
{colby,patrick}@synack.com
@colbymoore / @patrickwardle
…feel free to contact us any time!

57. credits
- thezooom.com
- deviantart.com (FreshFarhan)
- nicolevanputten.com
- http://agentfox.deviantart.com/art/chuck-Norris-hunting-waldo-42939561
- http://fc09.deviantart.net/fs70/f/2010/154/3/9/Waldo_by_MattMelvin.jpg
- http://th05.deviantart.net/fs71/PRE/i/2013/250/c/c/where_s_waldo_by_katanauser98-d6lgepy.png
- iconmonstr.com
- flaticon.com
images