Synack at AppSec California 2015 - Geolocation Vulnerabilities
ABOUT SYNACK
"sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers' web apps, mobile apps, and infrastructure endpoints."
- vetted researchers
- internal R&D (/VRL)
- backed by Google
- always looking for more experts!
@colbymoore /SYNACK
GEOLOCATION BUGS, HACKS, & FIXES
AN OUTLINE
- all things geo: code, bugs
- case study: lots of bugs, tracking users
- fixes/conclusions
GEOLOCATION IN MOBILE APPS: incorporating geolocation is the norm
- 74% of smart phone users get info based on their phone's current location; "84% inquire about location"
- use cases: social, recommendations, tracking, health & fitness, commerce, navigation
(chart: Use Geo vs No Geo)
HOW IS GEOLOCATION ACCOMPLISHED (iOS)? using the Core Location Manager
- create -> delegate -> start -> wait/handle
"The CLLocationManager class is the central point for configuring the delivery of location-related events to your app." -apple.com
GEOLOCATION (iOS): 'doing it' in Swift

    //required frameworks (UIKit for UIViewController, Core Location for CLLocationManager)
    import UIKit
    import CoreLocation

    //conform to CLLocationManagerDelegate
    class ViewController: UIViewController, CLLocationManagerDelegate {
        //[1] CREATE (instance of) location manager
        let locationManager = CLLocationManager()

        //view controller lifecycle function
        override func viewDidLoad() {
            super.viewDidLoad()
            //[2] set DELEGATE
            self.locationManager.delegate = self
            //request auth
            self.locationManager.requestWhenInUseAuthorization()
            //[3] START collecting location
            self.locationManager.startUpdatingLocation()
        }

        //[4] WAIT/HANDLE, delegate (callback) function
        func locationManager(manager: CLLocationManager!, didUpdateLocations locations: [AnyObject]!) {
            //do whateverz
            // --> user's location is in manager.location.coordinate.(longitude/latitude)
        }
    }
GEOLOCATION (i)OS LEVEL PROTECTIONS: os-level alerts
- App's Info.plist key: NSLocationWhenInUseUsageDescription
- code for auth request:
      //request auth for foreground
      self.locationManager.requestWhenInUseAuthorization()
- iOS alert: "allow the app to get location updates only when the app is in the foreground"
GEOLOCATION (i)OS LEVEL PROTECTIONS: os-level alerts
- App's Info.plist key: NSLocationAlwaysUsageDescription
- code for auth request:
      //request auth for foreground and background
      self.locationManager.requestAlwaysAuthorization()
- iOS alert: "allows the app to receive location updates both when the app is in the foreground and in the background (suspended or terminated)"
GEO CAN 'LEAK' IF THE APPLICATION IS BUGGY ...bad for users!
- who wants it: "the government", hackers, spies, thieves, criminals
"spies could be lurking to snatch data revealing the [app] player's location" -nytimes.com
THEY KNOW YOUR LOCATION ...so what!?
"[geolocation] generates a precise, comprehensive record of a person's public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations" -U.S. v. Jones [1]
"a [geo]location allows perpetrators the perfect window to commit a burglary, vandalism, or even a home invasion" -criminal use of social media [2]
"investigators said the suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time" -thieves robbed homes based on Facebook [3]
1) http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol
2) http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
3) http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116
COMMON CLASSES OF GEO BUGZ: can compromise a user's physical location
- insecure network comms
- insecure local storage
- location spoofing
- buggy server-side APIs
- overly precise location
- UI errors/validation
INSECURE NETWORK COMMS: may allow passive attackers access to geo
apps that:
- use unencrypted comms
- allow self-signed certificates
- forget to pin certificates
do not do these things!
INSECURE NETWORK COMMS: find such bugs with a proxy
(diagram: device <-https://-> proxy (Burp) <-https:// or http://-> server; needs device config + proxy config)
INSECURE NETWORK COMMS: does the app accept self-signed certificates?
class method allowing a self-signed certificate (iOS): setAllowsAnyHTTPSCertificate:forHost:
disassembly of the invocation:
    MOVT R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
    ADD  R8, PC              ; classRef_NSURLRequest
    MOV  R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
    ADD  R2, PC
    LDR  R4, [R2]            ; "setAllowsAnyHTTPSCertificate:forHost:"
    LDR  R5, [R8]            ; _OBJC_CLASS_$_NSURLRequest
    MOV  R0, R5              ; _OBJC_CLASS_$_NSURLRequest
    MOV  R1, R4              ; "setAllowsAnyHTTPSCertificate:forHost:"
    MOVS R2, #1              ; 'YES'
    MOV  R3, R8              ; the host
    BLX  _objc_msgSend       ; invoke method
INSECURE NETWORK COMMS: did the app forget to pin certificates?
- non-jailbroken device + hacker's cert can MitM the connection
"SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers"
INSECURE LOCAL STORAGE: stolen or lost phones may compromise the user's geo
- storing geo in unencrypted files (plists, logfiles, databases): again, bad!
INSECURE LOCAL STORAGE: on iOS, always check the user's default plist
App's IDA disassembly:
    MOV R1, #(selRef_standardUserDefaults - 0x5917A)
    ADD R1, PC
    LDR R1, [R1]                  ; "standardUserDefaults"
    MOV R0, #(classRef_NSUserDefaults - 0x591A2)
    ADD R0, PC
    LDR R0, [R0]                  ; _OBJC_CLASS_$_NSUserDefaults
    BLX _objc_msgSend             ; [NSUserDefaults standardUserDefaults]
    MOV R3, #(cfstr_geoInfo - 0x591D6)
    ADD R3, PC                    ; "geoInfo"
    LDR R2, [SP,#0xB4+usersGeo]   ; geo data
    MOV R1, #(selRef_setObject_forKey_ - 0x591D6)
    ADD R1, PC
    LDR R1, [R1]                  ; "setObject:forKey:"
    BLX _objc_msgSend             ; [userDefaults setObject:forKey:]
App's 'User Defaults' plist (in the app's /Library/Preferences/, stored with NSFileProtectionNone):
    <dict>
      <key>geoInfo</key>
      <dict>
        <key>homeLong</key>
        <real>73.242539</real>
        <key>homeLat</key>
        <real>34.169308</real>
        ...
      </dict>
    </dict>
LOCATION SPOOFING: don't trust geolocation from the client
be careful if you do this! apps that:
- explicitly trust client-side geo (for user auth, for access to 'relative' data)
- allow the client's (device's) location to rapidly change
LOCATION SPOOFING: find such bugs by manipulating reported geo
edit to spoof geo! via:
- editing network dataz
- cycript (runtime manipulations)
- or location spoofing apps (from Cydia)
OVER PRECISE LOCATION: do apps really need precision to 12 decimal places?!
treat with care! apps that:
- collect geolocation as precise as possible: long: 73.242539906632... (decimal places: ~1km, ~1m, ~1mm)
- don't specify a 'desired accuracy' (iOS defaults to highest)
INSECURE SERVER-SIDE APIS: unprotected APIs may provide geo
all bad assumptions/ideas:
- assume undocumented APIs are hidden
- allow unauthorized queries
- allow unlimited (un-throttled) queries
- provide unrestricted geo
INSECURE SERVER-SIDE APIS: sniffing network traffic often reveals undocumented APIs
(diagram: intercepted outgoing request -> modified request -> changed user)
holy $#!@, did we just find Carmen Sandiego!? ;)
USER INTERFACE: what lurks below?
all bad assumptions/ideas:
- assume the UI is 'secure'
- implement client-side protection (in the UI)
- ignore user settings
USER INTERFACE: don't enforce anything at the UI level
- ui settings ignored! OR ui level logic only (e.g. precision rounding)
- either way: client location still sent to server; precise geolocation (of other users) sent to device
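The over-precise location, server-side API and UI slides above all point at the same fix: the server decides what geo goes out. This is an added example, not code from the talk or from any app it discusses; the session store, profiles, grid size and distance buckets are constructed assumptions. It authenticates the caller, enforces the target user's showDistance setting server-side, snaps both positions to a coarse grid before computing a bucketed, capped distance, and bounds the page size regardless of the client's "quantity".

```python
import math

# Constructed sample data for this example (not Grindr's data or code): a token->user
# session store and a few profiles with their last stored location and privacy setting.
SESSIONS = {"tok-alice": "alice"}
PROFILES = {
    "alice": {"profileId": 1, "displayName": "A", "lat": 34.169308, "lon": 73.242540, "showDistance": True},
    "bob":   {"profileId": 2, "displayName": "B", "lat": 34.171000, "lon": 73.245000, "showDistance": True},
    "carol": {"profileId": 3, "displayName": "C", "lat": 34.200000, "lon": 73.300000, "showDistance": False},
}
GRID_DEG = 0.01      # ~1 km cells: every coordinate is snapped to a cell centre before use
STEP_KM = 0.5        # distances go out in 0.5 km buckets, never as raw floats
CAP_KM = 10.0        # beyond this the client only learns "10+ km"
MAX_QUANTITY = 50    # the server bounds the page size, whatever the client asks for

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def snap(lat, lon, cell=GRID_DEG):
    """Quantise a coordinate to the centre of its grid cell."""
    return (math.floor(lat / cell) * cell + cell / 2,
            math.floor(lon / cell) * cell + cell / 2)

def bucket_km(km):
    """Round up to the next STEP_KM bucket and cap: 3.861290174942267 becomes 4.0."""
    return CAP_KM if km >= CAP_KM else math.ceil(km / STEP_KM) * STEP_KM

def nearby_profiles(token, lat, lon, quantity=MAX_QUANTITY):
    """Hardened nearbyProfiles-style handler: auth, server-side settings, coarse geo."""
    caller = SESSIONS.get(token)
    if caller is None:                        # unauthenticated queries get nothing
        return {"error": "unauthorized"}
    q_lat, q_lon = snap(lat, lon)             # the client's claimed position is coarsened
    out = []
    for user, p in PROFILES.items():
        if user == caller:
            continue
        entry = {"profileId": p["profileId"], "displayName": p["displayName"]}
        if p["showDistance"]:                 # the target's setting is enforced here, not in a UI
            t_lat, t_lon = snap(p["lat"], p["lon"])   # target snapped too: cell-to-cell distance only
            entry["distance"] = bucket_km(haversine_km(q_lat, q_lon, t_lat, t_lon))
        out.append(entry)
    out.sort(key=lambda e: e.get("distance", float("inf")))
    return {"profiles": out[:min(max(int(quantity), 1), MAX_QUANTITY)]}
```

Because both endpoints are snapped, the finest thing a querier can learn by moving around is which ~1 km cell a target is in; rounding the distance alone would not give that property.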
EXAMPLES OF GEO BUGS: buggy apps that compromised a user's physical location
- starbucks
- whisper
- angry birds
- tinder
- grindr (case study)
STARBUCKS: overpriced coffee, plus a shot of geo tracking
[CVE-2014-0647] Insecure Data Storage of User Data in Starbucks v2.6.1 iOS mobile application (Daniel Wood)
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
"[unencrypted] geolocation data included alongside username and password data, meaning that hackers can potentially see where a user most often traveled if they were to access the phone"
WHISPER: "the safest place on the internet" - NOPE
- users monitored/tracked (even if opted out)
- geo stored 'indefinitely'
- shared with the DOD
"Revealed: how Whisper app tracks 'anonymous' users" -the guardian
TINDER: precise geo of nearby users allowed tracking
- tinder user trilateration (blog.includesecurity.com)
- 'tinderizer' matches Facebook profiles: main_photo_url = photos[0]['url']
ANGRY BIRDS: ...'they' are watching you play
"the ABC have been developing capabilities to take advantage of "leaky" smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information [geo]" -the guardian
WHAT'S GRINDR? (all-male) social-dating app
"the largest and most popular all-male location-based social network out there. more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day" -grindr.com
- all about geo
- extremely popular
- targeted group
GRINDR'S PREVIOUS ISSUES: those who cannot learn from history are doomed to repeat it
- 2012: "Love online: 100,000 Grindr users exposed in hack attack" -sydney morning herald
- 2013: Grindr Application Security Evaluation Report -university of amsterdam
- 2014: "Grindr fails to protect user's" -anonymous (pastebin)
- 2014: Grindr Application Analysis -synack
GRINDR (CASE STUDY): "0 Feet Away"
- lack of SSL pinning
- overly precise geo
- location spoofing
- overly permissive APIs
- broken ui level logic
- sharing geo
- client side precision
yes, so much wrong!
BUG 0X1: LACK OF SSL PINNING: the app does not pin its certs
exposed to a MitM: login info, user geolocation
BUG 0X2: REPORTING OF PRECISE GEO: the app reported (overly) precise relative distances
request: primus.grindr.com POST /2.0/nearbyProfiles
response:
    {"status": 1, "distance": 3.861290174942267, "relationshipStatus": 1, "displayName": "Waldo",
     "isFavorite": false, "showDistance": true, "height": 187.960006713867, "profileId": 12345678, ...}
-> 3.861290174942267 km away
BUG 0X2: REPORTING OF PRECISE GEO: even newer versions may reveal precise location
    //create instance of location manager
    let locationManager = CLLocationManager()
    //set 'desired accuracy'
    locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters
-> 10 meter location reporting (enough to place a user at an office)
BUG 0X3: LOCATION SPOOFING: can spoof your location...as much as you want
- the geolocation coordinates used for locating 'nearby' users: change these at will!
- trilateration?
BUG 0X4: WIDE-OPEN APIS: unauthenticated, unlimited access to APIs
request for users' info: primus.grindr.com POST /2.0/nearbyProfiles
    {
      "filter": { "page": 1, "quantity": 50 },
      "lat": <any lat>,
      "lon": <any lon>
    }
user info in the response: name, height, weight, relative distance
BUG 0X5: 'BROKEN' UI LEVEL LOGIC: what you see/say isn't what you get
- UI level logic only: if !showDistance { hide distance }
- + settings OR + settings: the server sends the distance either way
srsly? wtf!
DISCLAIMER: our goal was to help Grindr understand the issues
During vulnerability research and disclosure no individual users were intentionally or unintentionally identified; all data logged has been irrecoverably destroyed. The purpose of this research was not to identify Grindr users but to help protect those that wish to remain private.
IT'S MORPHIN' TIME: combining bugs can lead to "total tracking"
wide-open APIs + precise relative geo + location spoofing = tracking of any user anywhere!
COLLECTION DATAZ: query the APIs to get info about all 'nearby' users
    $ python collectInfo.py -o output.json
    [+] sent request to: primus.grindr.com POST /2.0/nearbyProfiles
    [+] saving response (50 users)
    $ less output.json
    "profiles": [{
        "profileId": 314159265,
        "displayName": "Waldo",
        "aboutMe": "Where am I?",
        "distance": 0.4980983433684
    }, ...
(request, then response)
TRILATERATION: determine absolute location from relative distances
"trilateration is the process of determining absolute locations by measurement of (relative) distances, using the geometry of circles, spheres or triangles."
trilateration script:
    $ python findUser.py -i 314159265
    [+] making query 1, 2, 3 (got three relative distances)
    [+] converting geodetic lat/long to ECEF
    [+] transforming circle 1 at origin, circle 2 on x axis, etc
    [+] generating array with ECEF x,y,z
    [+] converting ECEF back to lat/long
    [+] user is at: 73.242539906632, 34.169308121551
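The three-query pattern above, combined with the rapidly changing client position from the location spoofing slides and the un-throttled API from the server-side API slides, leaves a footprint a server can detect. This is an added example, not part of the talk or of Grindr's systems; the log format, account names and thresholds are constructed assumptions. It flags an account whose reported positions imply impossible travel speed and an account exceeding a query budget within a sliding window.

```python
import math
from datetime import datetime

# Constructed sample log lines (not real traffic): "<ISO time> <account> <lat> <lon> <endpoint>".
# acct42 reports positions kilometres apart within seconds and hammers nearbyProfiles;
# acct7 is an ordinary user who moves a few hundred metres and queries twice.
LOG = """\
2015-01-24T10:00:00 acct42 34.1693 73.2425 nearbyProfiles
2015-01-24T10:00:05 acct42 34.1693 73.2925 nearbyProfiles
2015-01-24T10:00:09 acct42 34.2193 73.2425 nearbyProfiles
2015-01-24T10:00:12 acct42 34.1693 73.2425 nearbyProfiles
2015-01-24T10:00:00 acct7 34.1700 73.2400 nearbyProfiles
2015-01-24T10:20:00 acct7 34.1710 73.2410 nearbyProfiles
"""
MAX_KMH = 300.0                  # implied speed above this is a spoofed position, not a moving phone
WINDOW_S, MAX_QUERIES = 60, 3    # more than MAX_QUERIES nearby queries per WINDOW_S seconds

def parse(log):
    """Turn the text log into (time, account, lat, lon, endpoint) rows sorted by time."""
    rows = []
    for line in log.strip().splitlines():
        ts, acct, lat, lon, ep = line.split()
        rows.append((datetime.fromisoformat(ts), acct, float(lat), float(lon), ep))
    return sorted(rows)

def approx_km(lat1, lon1, lat2, lon2):
    """Equirectangular distance: accurate enough for a plausibility check over short hops."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return 6371.0 * math.hypot(x, y)

def detect(rows):
    """Return {account: set of alert names} for spoofing and unthrottled-query patterns."""
    alerts, last, recent = {}, {}, {}
    for ts, acct, lat, lon, ep in rows:
        if ep != "nearbyProfiles":
            continue
        if acct in last:                  # rule 1: impossible travel between two reported positions
            pts, plat, plon = last[acct]
            hours = max((ts - pts).total_seconds(), 1.0) / 3600.0
            if approx_km(plat, plon, lat, lon) / hours > MAX_KMH:
                alerts.setdefault(acct, set()).add("impossible_travel")
        last[acct] = (ts, lat, lon)
        window = [t for t in recent.get(acct, []) if (ts - t).total_seconds() <= WINDOW_S] + [ts]
        recent[acct] = window
        if len(window) > MAX_QUERIES:     # rule 2: query flood within the sliding window
            alerts.setdefault(acct, set()).add("query_flood")
    return alerts
```

Either alert on its own is a reason to rate-limit or challenge the account; both together on one account within seconds is the trilateration pattern.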
IDENTIFYING USERS: it'd be trivial to reveal anonymous users' identities
- picture
- geo tracking (home, work)
- from profile name
-> revealed!
REPORTING TO GRINDR ...didn't care :/
- early 2014: initial disclosure to vendor
- followups included conference calls, technical write-ups, & POCs
- didn't fix anything: "we do not view this as a security flaw" -grindr.com/blog/grindr-security
CAT GOT OUT OF THE BAG ...sadly it came to this to get (some) fixes
- "Egyptian officials have resorted to using location-based dating app Grindr to arrest gay men"
- "Grindr fails to protect their user's" -anonymous (pastebin)
people's lives affected :(
GRINDR RESPONSE: fixes & current issues
fixed:
- user's settings respected
- geofencing (in Egypt, etc.)
- geolocation: kCLLocationAccuracyNearestTenMeters
still open:
- no SSL pinning
- open APIs
- spoofing
- no rate limiting
-> still can track most users!
BEST PRACTICES for users and app developers alike
user:
- assume you can be tracked
- disallow tracking at the OS level
developer:
- secure comms
- secure local storage
- protected APIs
- non-precise geo
- correct UI logic
where's waldo?!