Synack at AppSec California 2015 - Geolocation Vulnerabilities




  1. @colbymoore
  2. ABOUT: Synack “sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints.” Vetted researchers, internal R&D (/VRL, /SYNACK), backed by Google. Always looking for more experts! @colbymoore
  3. AN OUTLINE: geolocation bugs, hacks, & fixes. All things geo (code, bugs), a case study (lots of bugs, tracking users), fixes/conclusions.
  4. ALL THINGS GEO overview, code, & bugs
  5. GEOLOCATION IN MOBILE APPS: incorporating geolocation is the norm. 74% of smartphone users get info based on their phone’s current location; “84% inquire about location”. Uses (Geo vs. No Geo): social, recommendations, tracking, health & fitness, commerce, navigation.
  6. HOW IS GEOLOCATION ACCOMPLISHED (IOS)? Using the Core Location Manager: create, delegate, start, wait/handle. “The CLLocationManager class is the central point for configuring the delivery of location-related events to your app.”
  7. GEOLOCATION (IOS): ‘doing it’ in Swift (delegate signature updated to current Swift; the original slide used the Swift 1.x form)

     import UIKit
     // required framework
     import CoreLocation

     // conform to CLLocationManagerDelegate
     class ViewController: UIViewController, CLLocationManagerDelegate {

         // [1] CREATE (instance of) location manager
         let locationManager = CLLocationManager()

         // app delegate function
         override func viewDidLoad() {
             super.viewDidLoad()
             // [2] set DELEGATE
             self.locationManager.delegate = self
             // request auth (needs NSLocationWhenInUseUsageDescription in Info.plist)
             self.locationManager.requestWhenInUseAuthorization()
             // [3] START collecting location
             self.locationManager.startUpdatingLocation()
         }

         // [4] WAIT/HANDLE, delegate (callback) function
         func locationManager(_ manager: CLLocationManager, didUpdateLocations locations: [CLLocation]) {
             // do whateverz
             // -> user’s location is in locations.last?.coordinate (latitude/longitude),
             //    or manager.location?.coordinate
         }
     }
  8. GEOLOCATION: (I)OS LEVEL PROTECTIONS, os-level alerts. Foreground only: the app adds NSLocationWhenInUseUsageDescription to its Info.plist and calls

     // request auth for foreground
     self.locationManager.requestWhenInUseAuthorization()

     iOS then shows the auth-request alert: “allow the app to get location updates only when the app is in the foreground”.
  9. GEOLOCATION: (I)OS LEVEL PROTECTIONS, os-level alerts. Foreground and background: the app adds NSLocationAlwaysUsageDescription to its Info.plist (iOS 11 and later also require NSLocationAlwaysAndWhenInUseUsageDescription) and calls

     // request auth for foreground AND background
     self.locationManager.requestAlwaysAuthorization()

     iOS then shows the auth-request alert: “allows the app to receive location updates both when the app is in the foreground and in the background (suspended or terminated)”.
  10. GEO CAN ‘LEAK’ IF THE APPLICATION IS BUGGY …bad for users! Who wants it: “the government”, hackers, spies (“spies could be lurking to snatch data revealing the [app] player’s location”), thieves, criminals.
  11. THEY KNOW YOUR LOCATION …so what!?
      - “investigators said the suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time” -thieves robbed homes based on Facebook [3]
      - “a [geo]location allows perpetrators the perfect window to commit a burglary, vandalism, or even a home invasion” -criminal use of social media [2]
      - “[geolocation] generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations” -U.S. v. Jones [1]
  12. COMMON CLASSES OF GEO BUGZ (can compromise a user’s physical location): insecure network comms, insecure local storage, location spoofing, buggy server-side APIs, overly precise location, UI errors/validation.
  13. INSECURE NETWORK COMMS (may allow passive attackers access to geo): use unencrypted comms, allow self-signed certificates, forget to pin certificates. Do not do these things!
  14. INSECURE NETWORK COMMS: find such bugs with a proxy. Configure the device to send its traffic (https:// and http://) through a proxy (Burp) and inspect what the app sends and receives.
  15. INSECURE NETWORK COMMS: does the app accept self-signed certificates? Look for the (private) NSURLRequest class method that allows any certificate, setAllowsAnyHTTPSCertificate:forHost:, being invoked (iOS):

      MOVT  R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
      ADD   R8, PC            ; classRef_NSURLRequest
      MOV   R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
      ADD   R2, PC
      LDR   R4, [R2]          ; "setAllowsAnyHTTPSCertificate:forHost:"
      LDR   R5, [R8]          ; _OBJC_CLASS_$_NSURLRequest
      MOV   R0, R5            ; _OBJC_CLASS_$_NSURLRequest
      MOV   R1, R4            ; "setAllowsAnyHTTPSCertificate:forHost:"
      MOVS  R2, #1            ; 'YES'
      MOV   R3, R8            ; the host
      BLX   _objc_msgSend     ; invoke the class method
  16. INSECURE NETWORK COMMS: did the app forget to pin certificates? On a non-jailbroken device, a hacker’s cert (installed as trusted on the device) can MitM the connection. “SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers”.
  17. INSECURE LOCAL STORAGE (stolen or lost phones may compromise a user’s geo): storing geo in unencrypted files (plists, logfiles, databases). Again, bad!
  18. INSECURE LOCAL STORAGE: find such bugs with filemon & FileDP. Display a file’s protection attributes (iOS):

      // dump file attributes
      NSLog(@"attrs: %@", [[[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil] objectForKey:NSFileProtectionKey]);

      Monitoring the app’s file I/O:

      # ./filemon
      Wheres_Waldo  Created  /Application Support/analytics/location.db-journal
        DEV: 1,3  INODE: 121171  MODE: 81a4  UID: 501  GID: 501  Arg64: 300649589561
      Wheres_Waldo  Renamed  /Preferences/lastKnownLocation.plist.l0mitdo
        DEV: 1,3  INODE: 121172  MODE: 8180  UID: 501  GID: 501
  19. INSECURE LOCAL STORAGE: on iOS, always check the user’s default plist. The app’s ‘User Defaults’ plist lives in the app’s /Library/Preferences/ with NSFileProtectionNone. App’s IDA disassembly:

      MOV  R1, #(selRef_standardUserDefaults-0x5917A)
      ADD  R1, PC
      LDR  R1, [R1]          ; "standardUserDefaults"
      MOV  R0, #(classRef_NSUserDefaults-0x591A2)
      ADD  R0, PC
      LDR  R0, [R0]          ; _OBJC_CLASS_$_NSUserDefaults
      BLX  _objc_msgSend     ; [NSUserDefaults standardUserDefaults]
      MOV  R3, #(cfstr_geoInfo-0x591D6)
      ADD  R3, PC            ; "geoInfo"
      LDR  R2, [SP,#0xB4+usersGeo]   ; geo data
      MOV  R1, #(selRef_setObject_forKey_-0x591D6)
      ADD  R1, PC
      LDR  R1, [R1]          ; "setObject:forKey:"
      BLX  _objc_msgSend     ; [userDefaults setObject: forKey:]

      App’s ‘User Defaults’ plist:

      <dict>
          <key>geoInfo</key>
          <dict>
              <real>34.169308</real>
              ...
          </dict>
      </dict>
  20. LOCATION SPOOFING (don’t trust geolocation from the client): be careful if you do this! Explicitly trusting client-side geo (for user auth, for access to ‘relative’ data) and allowing the client’s (device’s) location to change rapidly.
  21. LOCATION SPOOFING: find such bugs by manipulating reported geo. Edit to spoof geo! Edit the network dataz, use cycript (runtime manipulations), or use location spoofing apps (from Cydia).
  22. OVER PRECISE LOCATION (do apps really need precision to 12 decimal places?!): treat with care! Collecting geolocation as precise as possible, e.g. long: 73.242539906632… (the 2nd decimal place is roughly 1 km, the 5th roughly 1 m, the 8th roughly 1 mm), and not specifying a ‘desired accuracy’ (iOS defaults to highest).
  23. OVER PRECISE LOCATION: find it by sniffing (network or file I/O) or by looking at the disassembly.

      // create instance of location manager
      let locationManager = CLLocationManager()
      // set ‘desired accuracy’
      locationManager.desiredAccuracy = kCLLocationAccuracyBest

      IDA disassembly setting ‘desired accuracy’:

      MOV   R4, #(_kCLLocationAccuracyBest_ptr - 0xACD8)
      ADD   R4, PC, R4       ; _kCLLocationAccuracyBest_ptr
      LDR   R4, [R4]         ; _kCLLocationAccuracyBest
      VLDR  D16, [R4]
      VMOV  R2, R3, D16      ; R2 contains _kCLLocationAccuracyBest
      LDR   R1, [SP,#0xF8+selRef_setDesiredAccuracy]
      LDR   R1, [R1]         ; R1 contains selRef_setDesiredAccuracy
                             ; R0 has locationManager object
      LDR   R9, [SP,#0xF8+objc_msgSend]   ; __imp__objc_msgSend
      ; objc_msgSend(locationManager, “setDesiredAccuracy”, _kCLLocationAccuracyBest);
      BLX   R9
  24. INSECURE SERVER-SIDE APIS (unprotected APIs may provide geo): assuming undocumented APIs are hidden, allowing unauthorized queries, allowing unlimited (un-throttled) queries, providing unrestricted geo. All bad assumptions/ideas!
  25. INSECURE SERVER-SIDE APIS: sniffing network traffic often reveals undocumented APIs. Intercept the outgoing request, modify it (e.g. change the user it asks about), and read the response. Holy $#!@, did we just find Carmen Sandiego!? ;)
  26. USER INTERFACE (what lurks below?): assuming the UI is ‘secure’, implementing client-side protection (in the UI), ignoring user settings. All bad assumptions/ideas!
  27. USER INTERFACE: don’t enforce anything at the UI level. Either the UI settings are ignored outright, or the protection is UI-level logic only (e.g. precision rounding): the client’s precise location is still sent to the server, and the precise geolocation (of other users) is still sent to the device.
  28. EXAMPLE OF GEO BUGS (buggy apps that compromised a user’s physical location): Starbucks, Whisper, Angry Birds, Grindr (case study), Tinder.
  29. STARBUCKS (overpriced coffee, plus a shot of geo tracking) [CVE-2014-0647] Insecure Data Storage of User Data in Starbucks v2.6.1 iOS mobile application (Daniel Wood): /Library/Caches/com.starbucks.mystarbucks/session.clslog. “[unencrypted] geolocation data included alongside username and password data, meaning that hackers can potentially see where a user most often traveled if they were to access the phone”
  30. WHISPER (“the safest place on the internet” - NOPE): users monitored/tracked (even if opted out), geo stored ‘indefinitely’, shared with the DoD. “Revealed: how Whisper app tracks ‘anonymous’ users” -The Guardian
  31. TINDER (precise geo of nearby users, allowed tracking): user trilateration; ‘tinderizer’ matches Tinder profiles to Facebook profiles (main_photo_url = photos[0]['url']).
  32. ANGRY BIRDS (…‘they’ are watching you play): “the ABC have been developing capabilities to take advantage of "leaky" smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information [geo]” -The Guardian
  33. CASE STUDY - GRINDR: many, many #$&@ up’s
  34. WHAT’S GRINDR? (all-male) social-dating app: “the largest and most popular all-male location-based social network out there. more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day”. All about geo, extremely popular, targeted group.
  35. GRINDR’S PREVIOUS ISSUES (those who cannot learn from history are doomed to repeat it):
      - 2012: “Love online: 100,000 Grindr users exposed in hack attack” -Sydney Morning Herald
      - 2013: Grindr Application Security Evaluation Report -University of Amsterdam
      - 2014: “Grindr fails to protect users” -anonymous (pastebin)
      - 2014: Grindr Application Analysis -Synack
  36. GRINDR (CASE STUDY) “0 Feet Away”: lack of SSL pinning, overly precise geo, location spoofing, overly permissive APIs, broken UI-level logic (sharing geo, client-side precision). Yes, so much wrong!
  37. BUG 0X1: LACK OF SSL PINNING. The app does not pin its certs, so a MitM sees login info and user geolocation.
  38. BUG 0X2: REPORTING OF PRECISE GEO. The app reported (overly) precise relative distances. Response to POST /2.0/nearbyProfiles:

      {"status": 1, "distance": 3.861290174942267,
       "relationshipStatus": 1, "displayName": "Waldo",
       "isFavorite": false, "showDistance": true,
       "height": 187.960006713867, "profileId": 12345678, …}

      3.861290174942267 km away
  39. BUG 0X2: REPORTING OF PRECISE GEO. Even newer versions may reveal precise location: 10 meter location reporting is still enough to place a user at a specific office.

      // create instance of location manager
      let locationManager = CLLocationManager()
      // set ‘desired accuracy’
      locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters
  40. BUG 0X3: LOCATION SPOOFING. You can spoof your location…as much as you want: the geolocation coordinates used to locate ‘nearby’ users are supplied by the client; change these at will! Trilateration?
  41. BUG 0X4: WIDE-OPEN APIS. Unauthenticated, unlimited access to APIs. Request for users’ info (POST /2.0/nearbyProfiles):

      { "filter": { "page": 1, "quantity": 50 },
        "lat": <any lat>,
        "lon": <any lon> }

      Response: user info (name, height, weight, relative distance).
  42. BUG 0X5: ‘BROKEN’ UI LEVEL LOGIC. What you see/say isn’t what you get: the ‘show distance’ setting is honored only by UI-level logic on the receiving client (if !showDistance { hide distance }); the server still sends the precise distance regardless of the settings. srsly? wtf!
  43. DISCLAIMER (our goal was to help Grindr understand the issues): during vulnerability research and disclosure no individual users were intentionally or unintentionally identified; all data logged has been irrecoverably destroyed. The purpose of this research was not to identify Grindr users but to help protect those that wish to remain private.
  44. IT'S MORPHIN' TIME: combining bugs can lead to “total tracking”. Wide-open APIs + precise relative geo + location spoofing = tracking of any user anywhere!
  45. COLLECTION DATAZ: query the APIs to get info about all ‘nearby’ users.

      $ python -o output.json
      [+] sent request to: POST /2.0/nearbyProfiles
      [+] saving response (50 users)
      $ less output.json
      "profiles": [{
          "profileId": 314159265,
          "displayName": "Waldo",
          "aboutMe": "Where am I?",
          "distance": 0.4980983433684
      },
      ...
  46. TRILATERATION: determine absolute location from relative distances. “trilateration is the process of determining absolute locations by measurement of (relative) distances, using the geometry of circles, spheres or triangles.” Trilateration script:

      $ python -i 314159265
      [+] making query 1, 2, 3
          got three relative distances
      [+] converting geodetic lat/long to ECEF
      [+] transforming circle 1 at origin, circle 2 on x axis, etc
      [+] generating array with ECEF x,y,z
      [+] converting ECEF back to lat/long
      [+] user is at: 73.242539906632, 34.169308121551
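      The steps the trilateration script prints, carried out end to end as an added worked example (this is not Synack’s script or any code from the talk): a leaky ‘nearby’ endpoint is simulated with a haversine distance, it is queried from three spoofed positions, the positions are converted to ECEF, the three-sphere intersection is solved in a frame with point 1 at the origin and point 2 on the x axis, and the result is converted back to lat/long. It assumes a spherical Earth instead of the WGS84 ellipsoid, and the target and probe coordinates are constructed. Running it a second time with distances rounded to 10 m also covers the OVER PRECISE LOCATION slides: the ‘nearest ten meters’ setting still lets an attacker pin the user to a few metres.

```python
import math

R = 6371000.0  # mean Earth radius in metres: spherical model, an assumption of this example


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres; stands in for the server's 'distance' field."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * R * math.asin(math.sqrt(a))


def geodetic_to_ecef(lat, lon):
    """Degrees on the sphere -> ECEF (x, y, z) in metres."""
    p, l = math.radians(lat), math.radians(lon)
    return (R * math.cos(p) * math.cos(l), R * math.cos(p) * math.sin(l), R * math.sin(p))


def ecef_to_geodetic(x, y, z):
    """ECEF -> (lat, lon) in degrees; height is discarded."""
    return math.degrees(math.atan2(z, math.hypot(x, y))), math.degrees(math.atan2(y, x))


def _sub(a, b):
    return tuple(i - j for i, j in zip(a, b))


def _add(a, b):
    return tuple(i + j for i, j in zip(a, b))


def _scale(a, s):
    return tuple(i * s for i in a)


def _dot(a, b):
    return sum(i * j for i, j in zip(a, b))


def trilaterate(queries):
    """queries: three (lat, lon, reported_distance_m) taken from three spoofed positions.

    Surface distances become chords, the frame is rotated so that point 1 is the
    origin and point 2 lies on the x axis (the standard three-sphere solve), and the
    component normal to the plane of the three points is dropped: the target is on
    the surface, at most centimetres off that plane for kilometre-scale geometry.
    """
    p1, p2, p3 = (geodetic_to_ecef(la, lo) for la, lo, _ in queries)
    r1, r2, r3 = (2 * R * math.sin(d / (2 * R)) for _, _, d in queries)  # arc -> chord
    v21, v31 = _sub(p2, p1), _sub(p3, p1)
    d = math.sqrt(_dot(v21, v21))
    ex = _scale(v21, 1 / d)
    i = _dot(ex, v31)
    ey_raw = _sub(v31, _scale(ex, i))
    j = math.sqrt(_dot(ey_raw, ey_raw))
    if j < 1.0:  # (near-)collinear probes give no unique fix: choose a proper triangle
        raise ValueError("probe positions are collinear")
    ey = _scale(ey_raw, 1 / j)
    x = (r1 ** 2 - r2 ** 2 + d ** 2) / (2 * d)
    y = (r1 ** 2 - r3 ** 2 + i ** 2 + j ** 2) / (2 * j) - (i / j) * x
    return ecef_to_geodetic(*_add(_add(p1, _scale(ex, x)), _scale(ey, y)))


def simulate(target, probes, round_to_m=None):
    """Query the 'nearby' endpoint from three spoofed positions and trilaterate.

    round_to_m mimics a server that quantises the reported distance (e.g. to 10 m);
    returns (estimated (lat, lon), error in metres from the true target).
    """
    queries = []
    for la, lo in probes:
        dist = haversine_m(la, lo, *target)  # what a leaky server would report
        if round_to_m:
            dist = round(dist / round_to_m) * round_to_m
        queries.append((la, lo, dist))
    est = trilaterate(queries)
    return est, haversine_m(*est, *target)


# Constructed data: a hypothetical user in San Francisco and three attacker positions
# about 1 km away forming a well-spread triangle around them.
TARGET = (37.7749, -122.4194)
PROBES = [(37.7829, -122.4194), (37.7689, -122.4294), (37.7689, -122.4094)]

if __name__ == "__main__":
    for label, step in (("full-precision distances", None), ("distances rounded to 10 m", 10)):
        est, err = simulate(TARGET, PROBES, step)
        print(f"{label}: user at {est[0]:.6f}, {est[1]:.6f} ({err:.2f} m off)")
```

      With exact distances the fix is within centimetres; with every distance rounded to the nearest 10 m it is still only a few metres off, because rounding each radius perturbs the circle intersection far less than the rounding step. Probes that are nearly collinear make the solve ill-conditioned, which is why the code refuses them.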
  47. USER LOCATION: so let’s map some users. San Francisco, Sochi (Olympics), stores, capitols.
  48. USER TRACKING: so let’s track some willing users. Your life; revealed.
  49. IDENTIFYING USERS: it’d be trivial to reveal anonymous users’ identities. Picture + geo tracking (home, work) + profile name = revealed!
  50. REPORTING TO GRINDR (…didn’t care :/): early 2014 - initial disclosure to vendor; followups included conference calls, technical write-ups, & POCs; didn’t fix anything: “we do not view this as a security flaw”
  51. CAT GOT OUT OF THE BAG (…sadly it came to this to get (some) fixes): “Egyptian officials have resorted to using location-based dating app Grindr to arrest gay men”; “Grindr fails to protect their users” -anonymous (pastebin). People’s lives affected :(
  52. GRINDR RESPONSE (fixes & current issues). Fixed: user’s settings respected; geofencing (in Egypt, etc.); geolocation accuracy kCLLocationAccuracyNearestTenMeters. Still open: no SSL pinning, open APIs, spoofing, no rate limiting. Still can track most users!
  53. FIXES/CONCLUSIONS for users and devs alike
  54. BEST PRACTICES for users and app developers alike. User: assume you can be tracked; disallow tracking at the OS level. Developer: secure comms, secure local storage, protected APIs, non-precise geo, correct UI logic. Where’s Waldo?!
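      The developer-side practices above (protected APIs, non-precise geo, correct UI logic), applied to the ‘nearby profiles’ endpoint from the case study, as an added example that is not Grindr’s or Synack’s code: a hypothetical server handler that requires a session, rate-limits per user, rejects client-supplied positions that imply impossible travel (BUG 0X3), honours ‘show distance’ on the server instead of in the UI (BUG 0X5), and reports distances between grid-snapped positions as coarse buckets rather than 15-digit floats (BUG 0X2, 0X4). The profiles, session table, grid size, buckets, speed threshold and rate limit are all constructed for illustration.

```python
import math
from collections import defaultdict, deque

R_KM = 6371.0
GRID_DEG = 0.001                   # positions snapped to ~100 m cells (design choice)
BUCKETS_KM = (0.5, 1.0, 2.0, 5.0)  # distances reported as coarse buckets (design choice)
MAX_SPEED_MPS = 250.0              # a faster jump between two requests counts as spoofing
RATE_LIMIT = (20, 60.0)            # at most 20 nearby queries per 60 s per authenticated user


def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * R_KM * math.asin(math.sqrt(a))


def snap(lat, lon):
    """Quantise a position to the grid: repeated queries then see the same point, so
    trilateration can at best recover the cell, not the user's position inside it."""
    return round(lat / GRID_DEG) * GRID_DEG, round(lon / GRID_DEG) * GRID_DEG


def bucket(km):
    for upper in BUCKETS_KM:
        if km < upper:
            return f"< {upper:g} km"
    return f">= {BUCKETS_KM[-1]:g} km"


class Throttle:
    """Sliding-window rate limit per principal."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, who, now):
        q = self.hits[who]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class MovementCheck:
    """Reject a client-supplied position that implies an impossible travel speed."""
    def __init__(self):
        self.last = {}

    def plausible(self, who, lat, lon, now):
        prev = self.last.get(who)
        if prev is not None:
            plat, plon, pt = prev
            speed = haversine_km(plat, plon, lat, lon) * 1000 / max(now - pt, 1e-3)
            if speed > MAX_SPEED_MPS:
                return False  # the rejected position is not recorded
        self.last[who] = (lat, lon, now)
        return True


# Constructed sample data: hypothetical users and one session token.
PROFILES = {
    12345678: {"displayName": "Waldo", "lat": 37.7749, "lon": -122.4194, "showDistance": True},
    31415926: {"displayName": "Carmen", "lat": 37.7790, "lon": -122.4150, "showDistance": False},
    27182818: {"displayName": "Sandiego", "lat": 37.7849, "lon": -122.4094, "showDistance": True},
}
SESSIONS = {"tok-abc": 99999999}  # session token -> profileId of the caller


def nearby_profiles(token, lat, lon, now, throttle, movement):
    """Hardened handler for POST /2.0/nearbyProfiles; returns a JSON-able dict."""
    who = SESSIONS.get(token)
    if who is None:                                   # never unauthenticated
        return {"status": 401}
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return {"status": 400, "error": "bad coordinates"}
    if not throttle.allow(who, now):                  # never unlimited
        return {"status": 429}
    if not movement.plausible(who, lat, lon, now):    # distrust client geo
        return {"status": 400, "error": "implausible movement"}
    qlat, qlon = snap(lat, lon)
    profiles = []
    for pid, p in PROFILES.items():
        if pid == who:
            continue
        entry = {"profileId": pid, "displayName": p["displayName"]}
        if p["showDistance"]:                         # enforced here, not in the UI
            km = haversine_km(qlat, qlon, *snap(p["lat"], p["lon"]))
            entry["distance"] = bucket(km)            # no precise distance leaves the server
        profiles.append(entry)
    return {"status": 200, "profiles": profiles}
```

      When ‘show distance’ is off the response carries no distance field at all, so there is nothing for a modified client to un-hide; the bucket boundaries and the grid cell size set the best resolution any trilateration can reach, and the rate limit caps how many probes an attacker gets per user.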
  55. QUESTIONS & ANSWERS @colbymoore …feel free to contact us any time!
  56. CREDITS: images (FreshFarhan)