@patrickwardle @colbymoore
“sources a global contingent of vetted security experts worldwide and
pays them on an incentivized basis to discover security vulnerabilities in
our customers’ web apps, mobile apps, and infrastructure endpoints.”
ABOUT (US)
@patrickwardle
/NASA /NSA /VRL /SYNACK
always looking for
more experts!
@colbymoore
/VRL /SYNACK
vetted researchers
internal R&D
backed by google
geolocation bugs, hacks, & fixes
AN OUTLINE
all things geo: code, bugs
case study: lots of bugs, tracking users
fixes/conclusions
ALL THINGS GEO
overview, code, & bugs
incorporating geolocation is the norm
GEOLOCATION IN MOBILE APPS
74% of smart phone users get info
based on their phone’s current location
[chart: Use Geo vs. No Geo, by category: social, recommendations, tracking, health & fitness, commerce, navigation]
“84% inquire about location”
HOW IS GEOLOCATION ACCOMPLISHED (IOS)?
[diagram: create → delegate → start → wait/handle]
“The CLLocationManager class is the central point for configuring the delivery of location-related events to your app.” -apple.com
using the Core Location Manager, ‘doing it’ in Swift
GEOLOCATION (IOS)
//required frameworks
import UIKit           //for UIViewController (the slide only listed CoreLocation)
import CoreLocation

//conform to CLLocationManagerDelegate
class ViewController: UIViewController, CLLocationManagerDelegate {

    //[1] CREATE (instance of) location manager
    let locationManager = CLLocationManager()

    //view controller lifecycle function
    override func viewDidLoad() {
        super.viewDidLoad()

        //[2] set DELEGATE
        self.locationManager.delegate = self;

        //request auth (foreground only; needs NSLocationWhenInUseUsageDescription in Info.plist)
        self.locationManager.requestWhenInUseAuthorization()

        //[3] START collecting location
        self.locationManager.startUpdatingLocation()
    }

    //[4] WAIT/HANDLE, delegate (callback) function
    func locationManager(manager: CLLocationManager!, didUpdateLocations locations: [AnyObject]!) {

        //do whateverz
        // ->user’s location is in manager.location.coordinate.(latitude/longitude)
    }
}
os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
Info.plist key: NSLocationWhenInUseUsageDescription
code for auth request:
    //request auth for foreground
    self.locationManager.requestWhenInUseAuthorization()
iOS alert: “allow the app to get location updates only when the app is in the foreground”
os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
Info.plist key: NSLocationAlwaysUsageDescription
code for auth request:
    //request auth for foreground & background
    self.locationManager.requestAlwaysAuthorization()
iOS alert: “allows the app to receive location updates both when the app is in the foreground and in the background (suspended or terminated)”
…bad for users!
GEO CAN ‘LEAK’ IF THE APPLICATION IS BUGGY
“the government”
hackers
“spies could be lurking to snatch data
revealing the [app] player’s location”
-nytimes.com
thieves
criminals
…so what!?
THEY KNOW YOUR LOCATION
“investigators said the suspects used social networking
sites such as Facebook to identify victims who posted
online that they would not be home at a certain time” 

-thieves robbed homes based on facebook [3]
“a [geo]location allows perpetrators the perfect window to
commit a burglary, vandalism, or even a home invasion” 

-criminal use of social media [2]
“[geolocation] generates a precise, comprehensive record
of a person’s public movements that reflects a wealth of
detail about her familial, political, professional, religious,
and sexual associations” 

-u.s. v. jones [1]
1) http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol
2) http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
3) http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116
can compromise a user’s physical location
COMMON CLASSES OF GEO BUGZ
- insecure network comms
- insecure local storage
- location spoofing
- buggy server-side APIs
- overly precise location
- UI errors/validation
may allow passive attackers access to geo
INSECURE NETWORK COMMS
insecure network comms:
- use unencrypted comms
- allow self-signed certificates
- forget to pin certificates
do not do these things!
find such bugs with a proxy
INSECURE NETWORK COMMS
[diagram: device config → proxy (burp) config; https:// and http:// traffic both routed through the proxy]
does the app accept self-signed certificates?
INSECURE NETWORK COMMS
allowing a self-signed certificate (iOS): setAllowsAnyHTTPSCertificate:forHost:
MOVT  R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
ADD   R8, PC                        ; classRef_NSURLRequest
MOV   R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
ADD   R2, PC
LDR   R4, [R2]                      ; "setAllowsAnyHTTPSCertificate:forHost:"
LDR   R5, [R8]                      ; _OBJC_CLASS_$_NSURLRequest
MOV   R0, R5                        ; _OBJC_CLASS_$_NSURLRequest (class)
MOV   R1, R4                        ; "setAllowsAnyHTTPSCertificate:forHost:" (method)
MOVS  R2, #1                        ; ’YES’
MOV   R3, R8                        ; the host
BLX   _objc_msgSend                 ; invoke method
did the app forget to pin certificates?
INSECURE NETWORK COMMS
non-jailbroken device + hacker’s cert → can MitM the connection
“SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers”
stolen or lost phones may compromise user’s geo
INSECURE LOCAL STORAGE
insecure local storage: store in unencrypted files (plists, logfiles, databases) - again, bad!
find such bugs with filemon & fileDP
INSECURE LOCAL STORAGE
display file’s protection attributes (iOS):
    //dump file attributes
    NSLog(@"attrs: %@", [[[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil]
        objectForKey:NSFileProtectionKey]);
# ./filemon
Wheres_Waldo  Created  /Application Support/analytics/location.db-journal
    DEV: 1,3  INODE: 121171  MODE: 81a4  UID: 501  GID: 501  Arg64: 300649589561
Wheres_Waldo  Renamed  /Preferences/lastKnownLocation.plist.l0mitdo
    DEV: 1,3  INODE: 121172  MODE: 8180  UID: 501  GID: 501
monitoring app’s file I/O
on iOS, always check the user’s default plist
INSECURE LOCAL STORAGE
App’s IDA disassembly:
MOV   R1, #(selRef_standardUserDefaults-0x5917A)
ADD   R1, PC
LDR   R1, [R1]                      ; "standardUserDefaults"
MOV   R0, #(classRef_NSUserDefaults-0x591A2)
ADD   R0, PC
LDR   R0, [R0]                      ; _OBJC_CLASS_$_NSUserDefaults
BLX   _objc_msgSend                 ; [NSUserDefaults standardUserDefaults]
MOV   R3, #(cfstr_geoInfo-0x591D6)
ADD   R3, PC                        ; "geoInfo"
LDR   R2, [SP,#0xB4+usersGeo]       ; geo data
MOV   R1, #(selRef_setObject_forKey_-0x591D6)
ADD   R1, PC
LDR   R1, [R1]                      ; "setObject:forKey:"
BLX   _objc_msgSend                 ; [userDefaults setObject: forKey:]
App’s ‘User Defaults’ plist, in the app’s /Library/Preferences/ with NSFileProtectionNone:
<dict>
    <key>geoInfo</key>
    <dict>
        <key>homeLong</key>
        <real>73.242539</real>
        <key>homeLat</key>
        <real>34.169308</real>
        ...
    </dict>
</dict>
don’t trust geolocation from the client
LOCATION SPOOFING
location spoofing: explicitly trusting client-side geo, or allowing the client’s (device’s) location to rapidly change, when it gates user auth or access to ‘relative’ data - be careful if you do this!
find such bugs by manipulating reported geo
LOCATION SPOOFING
edit to spoof geo!
- editing network dataz
- cycript (runtime manipulations)
- or location spoofing apps (from Cydia)
do apps really need precision to 12 decimal places?!
OVER PRECISE LOCATION
over precise location: collect geolocation as precise as possible, e.g. long: 73.242539906632… (successive decimal places ≈ ~1km / ~1m / ~1mm); don’t specify a ‘desired accuracy’ (iOS defaults to highest) - treat with care!
sniffing (network or file I/O) or look at disassembly
OVER PRECISE LOCATION
//create instance of location manager
let locationManager = CLLocationManager()
//set ‘desired accuracy’
locationManager.desiredAccuracy = kCLLocationAccuracyBest;

IDA disassembly, setting ‘desired accuracy’:
MOV   R4, #(_kCLLocationAccuracyBest_ptr - 0xACD8)
ADD   R4, PC, R4                                 ; _kCLLocationAccuracyBest_ptr
LDR   R4, [R4]                                   ; _kCLLocationAccuracyBest
VLDR  D16, [R4]
VMOV  R2, R3, D16                                ; R2 contains _kCLLocationAccuracyBest
LDR   R1, [SP,#0xF8+selRef_setDesiredAccuracy]
LDR   R1, [R1]                                   ; R1 contains selRef_setDesiredAccuracy
                                                 ; R0 has locationManager object
LDR   R9, [SP,#0xF8+objc_msgSend]                ; __imp__objc_msgSend
; objc_msgSend(locationManager, “setDesiredAccuracy”, _kCLLocationAccuracyBest);
BLX   R9
unprotected APIs may provide geo
INSECURE SERVER-SIDE APIS
insecure server-side APIs:
- assume undocumented APIs are hidden
- allow unauthorized queries
- allow unlimited (un-throttled) queries
- provide unrestricted geo
all bad assumptions/ideas!
sniffing network traffic often reveals undocumented API
INSECURE SERVER-SIDE APIS
holy $#!@, did we just find Carmen Sandiego!? ;)
[screenshots: intercepted outgoing request → modified request (changed user)]
what lurks below?
USER-INTERFACE
user interface:
- assume the UI is ‘secure’
- implement client-side protection (in the UI)
- ignore user settings
all bad assumptions/ideas! don’t enforce anything at the UI level
USER INTERFACE
[diagram: UI level logic (e.g. precision rounding) OR UI settings ignored } client location still sent to server; precise geolocation (of other users) sent to device]
buggy apps that compromised a user’s physical location
EXAMPLE OF GEO BUGS
starbucks whisper
angry birds
grindr
tinder
case-study
overpriced coffee, plus a shot of geo tracking
STARBUCKS
[CVE-2014-0647] Insecure Data Storage of User Data in
Starbucks v2.6.1 iOS mobile application (Daniel Wood)
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
“[unencrypted] geolocation data included alongside
username and password data, meaning that hackers can
potentially see where a user most often traveled if they
were to access the phone”
“the safest place on the internet” - NOPE
WHISPER
users monitored/tracked (even if opt’d out); geo stored ‘indefinitely’; shared with the DOD
“Revealed: how Whisper app tracks ‘anonymous’ users” -the guardian
precise geo of nearby users, allowed tracking
TINDER
tinder user trilateration (blog.includesecurity.com)
    main_photo_url = photos[0]['url']
[diagram: matches → ‘tinderizer’ → facebook profiles]
…‘they’ are watching you play
ANGRY BIRDS
“the ABC have been developing capabilities to
take advantage of "leaky" smartphone apps,
such as the wildly popular Angry Birds game,
that transmit users' private information [geo]” 

-the guardian
Case Study - Grindr
many, many #$&@ up’s
(all-male) social-dating app
WHAT’S GRINDR?
“the largest and most popular all-male location-based
social network out there. more than 5 million guys in 192
countries around the world -- and approximately 10,000
more new users downloading the app every day” 

-grindr.com
all about geo; extremely popular; targeted group
Those who cannot learn from history are doomed to repeat it
GRINDR’S PREVIOUS ISSUES
2012: “Love online: 100,000 Grindr users exposed in hack attack” -sydney morning herald
2013: Grindr Application Security Evaluation Report -university of amsterdam
2014: “Grindr fails to protect user's” -anonymous (pastebin)
2014: Grindr Application Analysis -synack
“0 Feet Away”
GRINDR (CASE STUDY)
- lack of SSL pinning
- overly precise geo
- location spoofing
- overly permissible APIs
- broken ui level logic (sharing geo, client side precision)
yes, so much wrong!
the app does not pin its certs
BUG 0X1: LACK OF SSL PINNING
exposed over the unpinned connection: login info, user geolocation
the app reported (overly) precise relative distances
BUG 0X2: REPORTING OF PRECISE GEO
primus.grindr.com
POST /2.0/nearbyProfiles
response:
    {"status": 1, "distance": 3.861290174942267,
     "relationshipStatus": 1, "displayName": "Waldo",
     "isFavorite": false, "showDistance": true,
     "height": 187.960006713867, "profileId": 12345678, …}
3.861290174942267 km away
even newer versions may reveal precise location
BUG 0X2: REPORTING OF PRECISE GEO
//create instance of location manager
let locationManager = CLLocationManager()
//set ‘desired accuracy’
locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters;
10 meter location reporting [map: office]
can spoof your location…as much as you want
BUG 0X3: LOCATION SPOOFING
geolocation coordinates for locating ‘nearby’ users: change these at will! trilateration?
unauthenticated, unlimited access to APIs
BUG 0X4: WIDE-OPEN APIS
primus.grindr.com
POST /2.0/nearbyProfiles
request for users’ info:
    {
        "filter": {
            "page": 1,
            "quantity": 50
        },
        "lat": <any lat>,
        "lon": <any lon>
    }
user info returned: name, height, weight, relative distance
what you see/say isn’t what you get
BUG 0X5: ‘BROKEN’ UI LEVEL LOGIC
[diagram: UI level logic + settings:
    if !showDistance
    {
        hide distance
    }
OR settings ignored]
srsly? wtf!
our goal was to help Grindr understand the issues
DISCLAIMER
during vulnerability research and disclosure no individual
users were intentionally or unintentionally identified
all data logged has been irrecoverably destroyed.
The purpose of this research was not to identify Grindr
users but to help protect those that wish to remain private.
combining bugs can lead to “total tracking”
IT'S MORPHIN' TIME
wide-open APIs + precise relative geo + location spoofing = tracking of any user, anywhere!
query the APIs to get info about all ‘nearby’ users
COLLECTION DATAZ
request:
$ python collectInfo.py -o output.json
  [+] sent request to: primus.grindr.com
      POST /2.0/nearbyProfiles
  [+] saving response (50 users)
response:
$ less output.json
  "profiles": [{
      "profileId": 314159265,
      "displayName": "Waldo",
      "aboutMe": "Where am I?",
      "distance": 0.4980983433684
    },
    ...
determine absolute location from relative distances
TRILATERATION
“trilateration is the process of determining absolute
locations by measurement of (relative) distances, using
the geometry of circles, spheres or triangles.”
$ python findUser.py -i 314159265
[+] making query 1, 2, 3
    got three relative distances
[+] converting geodetic lat/long to ECEF
[+] transforming
    circle 1 at origin, circle 2 on x axis, etc
[+] generating array with ECEF x,y,z
[+] converting ECEF back to lat/long
[+] user is at: 73.242539906632, 34.169308121551
trilateration script
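The deck shows findUser.py's log but not its code; the block below is an added example, not the authors' script, that solves the same three-distance problem on a flat local plane (a simplification of the deck's ECEF route that holds over a few km) and then measures how far the recovered position drifts when the server reports distances coarsened to 100 m or 1 km instead of 12 decimals. The probe positions near San Francisco, the target, the step sizes and every function name are constructed for this example.

```python
import math

EARTH_RADIUS_KM = 6371.0


def to_local_km(lat, lon, origin):
    """Project (lat, lon) onto a flat plane tangent at `origin` (fine for spans of a few km)."""
    lat0, lon0 = origin
    x = EARTH_RADIUS_KM * math.radians(lon - lon0) * math.cos(math.radians(lat0))
    y = EARTH_RADIUS_KM * math.radians(lat - lat0)
    return x, y


def from_local_km(x, y, origin):
    """Inverse of to_local_km."""
    lat0, lon0 = origin
    lat = lat0 + math.degrees(y / EARTH_RADIUS_KM)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_KM * math.cos(math.radians(lat0))))
    return lat, lon


def planar_distance_km(a, b, origin):
    """Stand-in for the server's 'distance' field: the separation of two users in the local plane."""
    xa, ya = to_local_km(*a, origin)
    xb, yb = to_local_km(*b, origin)
    return math.hypot(xa - xb, ya - yb)


def trilaterate(probes, dists):
    """Three (lat, lon) query positions plus the three reported distances (km) -> the one (lat, lon)
    all three circles pass through. Subtracting the circle equations pairwise leaves a 2x2 linear
    system, the classic trilateration solve the deck's 'circle 1 at origin, circle 2 on x axis' step does."""
    origin = probes[0]
    (x1, y1), (x2, y2), (x3, y3) = (to_local_km(*p, origin) for p in probes)
    d1, d2, d3 = dists
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("probes are collinear; the third query must be off the line")
    x = (c * e - f * b) / det
    y = (a * f - c * d) / det
    return from_local_km(x, y, origin)


def coarsen(d, step_km):
    """Mitigation under test: the server rounds the reported distance to a step (0.1 km, 1 km, ...)."""
    return round(d / step_km) * step_km


def leak_error_km(target, probes, step_km=None):
    """Recover `target` from three reported (optionally coarsened) distances; return the error in km.
    A tiny error means the distance field leaks the absolute position outright."""
    origin = probes[0]
    dists = [planar_distance_km(p, target, origin) for p in probes]
    if step_km:
        dists = [coarsen(d, step_km) for d in dists]
    guess = trilaterate(probes, dists)
    return planar_distance_km(guess, target, origin)


# Constructed scenario: three query positions roughly 4 km apart and a hypothetical target user
# about 1.6 km from the first one (none of these are real users).
PROBES = [(37.7749, -122.4194), (37.7749, -122.3744), (37.8109, -122.4194)]
TARGET = (37.7849, -122.4059)

if __name__ == "__main__":
    for label, step in (("full precision", None), ("100 m steps", 0.1), ("1 km steps", 1.0)):
        err_m = leak_error_km(TARGET, PROBES, step) * 1000
        print(f"{label:15s}: target recovered to within {err_m:.0f} m")
```

Coarsening only widens the error (here from millimetres to tens or hundreds of metres), which is why the deck lists non-precise geo together with protected, rate-limited APIs rather than on its own.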
so lets map some users
USER LOCATION
[maps: San Francisco, Sochi (olympics), stores, capitols]
so lets track some willing users
USER TRACKING
your life; revealed
it’d be trivial to reveal anonymous users’ identities
IDENTIFYING USERS
picture + profile name + geo tracking (home, work) } revealed!
…didn’t care :/
REPORTING TO GRINDR
early 2014 - initial disclosure to vendor
followups included
conference calls, technical write-ups, & POCs
didn’t fix anything
“we do not view this as a security flaw”

-grindr.com/blog/grindr-security
…sadly it came to this to get (some) fixes
CAT GOT OUT OF THE BAG
“Egyptian officials have resorted to using location-based dating app Grindr to arrest gay men"
“Grindr fails to protect their user’s” -anonymous (pastebin)
people’s lives affected :(
fixes & current issues
GRINDR RESPONSE
fixed: user’s settings respected; geofencing (in Egypt, etc.); geolocation set to kCLLocationAccuracyNearestTenMeters
still present: no SSL pinning, open APIs, spoofing, no rate limiting } still can track most users!
Fixes/Conclusions
for users and app developers alike
BEST PRACTICES
user: assume you can be tracked; disallow tracking at the OS level
developer: secure comms, secure local storage, protected APIs, non-precise geo, correct UI logic
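What the developer side of that list looks like in code, as an added example (not Grindr's or the authors' code): a server-side handler for the deck's POST /2.0/nearbyProfiles that requires a session, throttles per caller, range- and plausibility-checks the client's lat/lon, caps the page size, enforces each user's showDistance setting on the server and returns only a coarse distance bucket instead of 3.861290174942267 km. Profile, Session, the policy constants and the sample data are all constructed for the example.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional

# Server-side policy. The numbers are constructed for this example, not any product's.
MAX_QUERIES_PER_MINUTE = 10   # throttle: closes "unlimited (un-throttled) queries"
MAX_SPEED_KMH = 1000.0        # a reported position moving faster than this is treated as spoofed
DISTANCE_STEP_KM = 0.5        # report a coarse bucket, never a 12-decimal distance
MAX_QUANTITY = 50             # hard cap on page size regardless of what the client asks for


@dataclass
class Profile:
    profile_id: int
    display_name: str
    lat: float
    lon: float
    show_distance: bool = True   # the user's privacy setting, enforced here, not in the UI


@dataclass
class Session:
    """Authenticated caller state; None stands for an unauthenticated request."""
    user_id: int
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_seen: float = 0.0
    query_times: List[float] = field(default_factory=list)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def bucket_km(d):
    """Round a distance up to the next DISTANCE_STEP_KM ("within 0.5 km", "within 1.0 km", ...)."""
    return math.ceil(d / DISTANCE_STEP_KM) * DISTANCE_STEP_KM


def nearby_profiles(request, session, profiles, now):
    """Hardened handler for the deck's nearbyProfiles call. Returns {"status": ..., ...}."""
    # 1. no session, no data: an undocumented API is not a hidden one, so it must be authenticated
    if session is None:
        return {"status": 401, "error": "authentication required"}
    # 2. per-session sliding-window throttle (counted before validation, so junk burns budget too)
    session.query_times = [t for t in session.query_times if now - t < 60.0]
    if len(session.query_times) >= MAX_QUERIES_PER_MINUTE:
        return {"status": 429, "error": "rate limited"}
    session.query_times.append(now)
    # 3. the client's lat/lon is untrusted input: type- and range-check it
    try:
        lat, lon = float(request["lat"]), float(request["lon"])
        quantity = int(request.get("filter", {}).get("quantity", MAX_QUANTITY))
    except (KeyError, TypeError, ValueError, AttributeError):
        return {"status": 400, "error": "malformed request"}
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return {"status": 400, "error": "lat/lon out of range"}
    # 4. plausibility: reject a position that "moved" faster than MAX_SPEED_KMH since the last one
    if session.last_lat is not None:
        hours = max(now - session.last_seen, 1.0) / 3600.0
        jump_km = haversine_km(session.last_lat, session.last_lon, lat, lon)
        if jump_km / hours > MAX_SPEED_KMH:
            return {"status": 400, "error": "implausible location change"}
    session.last_lat, session.last_lon, session.last_seen = lat, lon, now
    # 5. page size is capped server-side
    quantity = max(1, min(quantity, MAX_QUANTITY))
    # 6. response: coarse distance only for users who allow it, never other users' raw coordinates
    rows = []
    for p in profiles:
        if p.profile_id == session.user_id:
            continue
        d = haversine_km(lat, lon, p.lat, p.lon)
        rows.append((d, {"profileId": p.profile_id, "displayName": p.display_name,
                         "distance": bucket_km(d) if p.show_distance else None}))
    rows.sort(key=lambda r: r[0])
    return {"status": 200, "profiles": [r[1] for r in rows[:quantity]]}
```

The bucket is a server-side alternative to the deck's client-side kCLLocationAccuracyNearestTenMeters fix; the UI can still hide or round, but nothing it does changes what the server is willing to send.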
where’s waldo?!
QUESTIONS & ANSWERS
{colby,patrick}@synack.com
@colbymoore / @patrickwardle
syn.ac/shmooConSlides
…feel free to contact us any time!
stop by our booth
to win a MakerBot!
image credits
- thezooom.com
- deviantart.com (FreshFarhan)
- nicolevanputten.com
- http://agentfox.deviantart.com/art/chuck-Norris-hunting-waldo-42939561
- http://fc09.deviantart.net/fs70/f/2010/154/3/9/Waldo_by_MattMelvin.jpg
- http://th05.deviantart.net/fs71/PRE/i/2013/250/c/c/where_s_waldo_by_katanauser98-d6lgepy.png
- iconmonstr.com
- flaticon.com

Introduction to Titanium and how to connect with a PHP backendIntroduction to Titanium and how to connect with a PHP backend
Introduction to Titanium and how to connect with a PHP backendJoseluis Laso
 
Kraken Front-Trends
Kraken Front-TrendsKraken Front-Trends
Kraken Front-TrendsPayPal
 
Advanced iOS Debbuging (Reloaded)
Advanced iOS Debbuging (Reloaded)Advanced iOS Debbuging (Reloaded)
Advanced iOS Debbuging (Reloaded)Massimo Oliviero
 
Average- An android project
Average- An android projectAverage- An android project
Average- An android projectIpsit Dash
 

Similar to Vetted Security Researchers Uncover Geolocation Vulnerabilities (20)

Running Django on Docker: a workflow and code
Running Django on Docker: a workflow and codeRunning Django on Docker: a workflow and code
Running Django on Docker: a workflow and code
 
How to use geolocation in react native apps
How to use geolocation in react native appsHow to use geolocation in react native apps
How to use geolocation in react native apps
 
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
 	Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W... 	Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
 
Docker In Bank Unrated
Docker In Bank UnratedDocker In Bank Unrated
Docker In Bank Unrated
 
Phone Gap
Phone GapPhone Gap
Phone Gap
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ -  Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ -  Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js Applications
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile apps
 
LUMIA APP LABS: HERE MAPS AND LOCATION APIS FOR WINDOWS PHONE
LUMIA APP LABS: HERE MAPS AND LOCATION APIS FOR WINDOWS PHONELUMIA APP LABS: HERE MAPS AND LOCATION APIS FOR WINDOWS PHONE
LUMIA APP LABS: HERE MAPS AND LOCATION APIS FOR WINDOWS PHONE
 
Introduction to Apache Cordova (Phonegap)
Introduction to Apache Cordova (Phonegap)Introduction to Apache Cordova (Phonegap)
Introduction to Apache Cordova (Phonegap)
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
 
Zenly - Reverse geocoding
Zenly - Reverse geocodingZenly - Reverse geocoding
Zenly - Reverse geocoding
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesNode Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
 
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...
 
iOS Bluetooth Low Energy (BLE) Remote Robot Interface
iOS Bluetooth Low Energy (BLE) Remote Robot InterfaceiOS Bluetooth Low Energy (BLE) Remote Robot Interface
iOS Bluetooth Low Energy (BLE) Remote Robot Interface
 
Introduction to Titanium and how to connect with a PHP backend
Introduction to Titanium and how to connect with a PHP backendIntroduction to Titanium and how to connect with a PHP backend
Introduction to Titanium and how to connect with a PHP backend
 
Kraken Front-Trends
Kraken Front-TrendsKraken Front-Trends
Kraken Front-Trends
 
Advanced iOS Debbuging (Reloaded)
Advanced iOS Debbuging (Reloaded)Advanced iOS Debbuging (Reloaded)
Advanced iOS Debbuging (Reloaded)
 
Average- An android project
Average- An android projectAverage- An android project
Average- An android project
 

More from Synack

Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningSynack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...Synack
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Synack
 
Electromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouElectromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouSynack
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking ReportSynack
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
 

More from Synack (9)

Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
 
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
 
Electromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouElectromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and You
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking Report
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
 

Recently uploaded

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Recently uploaded (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Vetted Security Researchers Uncover Geolocation Vulnerabilities

  • 7. ‘doing it’ in Swift
GEOLOCATION (IOS)

    // required frameworks
    import UIKit
    import CoreLocation

    // conform to CLLocationManagerDelegate
    class ViewController: UIViewController, CLLocationManagerDelegate {

        // [1] CREATE (instance of) location manager
        let locationManager = CLLocationManager()

        // view controller lifecycle method
        override func viewDidLoad() {
            super.viewDidLoad()

            // [2] set DELEGATE
            locationManager.delegate = self

            // request auth (the matching usage-description key must be in Info.plist, see next slide)
            locationManager.requestWhenInUseAuthorization()

            // [3] START collecting location
            locationManager.startUpdatingLocation()
        }

        // [4] WAIT/HANDLE: delegate (callback) function
        func locationManager(_ manager: CLLocationManager, didUpdateLocations locations: [CLLocation]) {
            // do whateverz
            // -> user's location is in locations.last?.coordinate.(latitude/longitude)
            guard let coordinate = locations.last?.coordinate else { return }
            print("lat: \(coordinate.latitude) lon: \(coordinate.longitude)")
        }
    }
  • 8. os-level alerts
GEOLOCATION: (i)OS-LEVEL PROTECTIONS

    // request auth for foreground use only
    self.locationManager.requestWhenInUseAuthorization()

App's Info.plist must contain NSLocationWhenInUseUsageDescription (the string iOS shows in the auth alert); without the key the request silently does nothing.
iOS alert for the auth request: "allow the app to get location updates only when the app is in the foreground"

  • 9. os-level alerts
GEOLOCATION: (i)OS-LEVEL PROTECTIONS

    // request auth for foreground AND background use
    self.locationManager.requestAlwaysAuthorization()

App's Info.plist must contain NSLocationAlwaysUsageDescription (on iOS 11 and later the key is NSLocationAlwaysAndWhenInUseUsageDescription).
iOS alert for the auth request: "allows the app to receive location updates both when the app is in the foreground and in the background (suspended or terminated)"
  • 10. …bad for users!
GEO CAN ‘LEAK’ IF THE APPLICATION IS BUGGY
who wants your location: "the government", hackers, thieves, criminals
"spies could be lurking to snatch data revealing the [app] player's location" -nytimes.com
  • 11. …so what!?
THEY KNOW YOUR LOCATION
"investigators said the suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time"
  -thieves robbed homes based on facebook [3]
"a [geo]location allows perpetrators the perfect window to commit a burglary, vandalism, or even a home invasion"
  -criminal use of social media [2]
"[geolocation] generates a precise, comprehensive record of a person's public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations"
  -u.s. v. jones [1]

1) http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol
2) http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
3) http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116
  • 12. can compromise a user’s physical location
COMMON CLASSES OF GEO BUGZ
  - insecure network comms
  - insecure local storage
  - location spoofing
  - buggy server-side APIs
  - overly precise location
  - UI errors/validation
  • 13. may allow passive attackers access to geo
INSECURE NETWORK COMMS
apps that:
  - use unencrypted comms
  - allow self-signed certificates
  - forget to pin certificates
do not do these things!

  • 14. find such bugs with a proxy
INSECURE NETWORK COMMS
proxy (burp) config + device config: point the device at the proxy and watch what the app sends. Requests that go out as http:// expose geo to anyone on the path; https:// requests that the app still completes while the proxy presents its own certificate mean the app is not validating (or not pinning) the server's certificate.

  • 15. does the app accept self-signed certificates?
INSECURE NETWORK COMMS
class method allowing a self-signed certificate (iOS): setAllowsAnyHTTPSCertificate:forHost: (a private NSURLRequest class method; grep the disassembly for its selector)

    MOVT  R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
    ADD   R8, PC                 ; classRef_NSURLRequest
    MOV   R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
    ADD   R2, PC
    LDR   R4, [R2]               ; "setAllowsAnyHTTPSCertificate:forHost:"
    LDR   R5, [R8]               ; _OBJC_CLASS_$_NSURLRequest
    MOV   R0, R5                 ; _OBJC_CLASS_$_NSURLRequest
    MOV   R1, R4                 ; "setAllowsAnyHTTPSCertificate:forHost:"
    MOVS  R2, #1                 ; 'YES'
    MOV   R3, R8                 ; the host
    BLX   _objc_msgSend          ; invoke method

  • 16. did the app forget to pin certificates?
INSECURE NETWORK COMMS
non-jailbroken device + hacker's cert (installed as trusted on the device) = can MitM the connection
"SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers"
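What pinning looks like in a client, as an added example in Python (not code from the talk, and not Grindr's or Apple's code): the fingerprint of the server's certificate is embedded in the client, and after normal chain and hostname validation the presented leaf is compared against that pin set. The `insecure_context()` function shows the Python equivalent of the `setAllowsAnyHTTPSCertificate:forHost:` call from slide 15, so it can be recognised, not copied. `SAMPLE_DER` is a constructed byte string standing in for a real DER certificate; `pinned_connect` is a hypothetical helper name.

```python
"""Certificate pinning check for a TLS client (added example, not from the slides)."""
import hashlib
import socket
import ssl

# Constructed stand-in for a server's DER-encoded certificate; a real pin is
# computed from the certificate (or its SPKI) the app ships with.
SAMPLE_DER = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00" + bytes(range(256))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate: the value an app would embed as its pin."""
    return hashlib.sha256(der).hexdigest()


def verify_pin(der: bytes, pins: set) -> bool:
    """True only if the presented certificate matches one of the pinned fingerprints.
    Checked in addition to, never instead of, normal chain validation."""
    return cert_fingerprint(der) in pins


def insecure_context() -> ssl.SSLContext:
    """Python equivalent of setAllowsAnyHTTPSCertificate:forHost: YES: any
    certificate, self-signed included, is accepted. Shown only so it can be spotted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_connect(host: str, port: int, pins: set, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with full chain + hostname validation, then enforce the pin set on
    the leaf certificate the server actually presented (hypothetical helper)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not verify_pin(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match pin set")
    return tls


if __name__ == "__main__":
    pins = {cert_fingerprint(SAMPLE_DER)}
    print("pin matches:", verify_pin(SAMPLE_DER, pins))
    print("tampered cert matches:", verify_pin(SAMPLE_DER + b"\x00", pins))
```

Pinning the whole certificate is the simplest form; pinning the SPKI hash survives certificate renewals with the same key, and either way the app needs a rotation plan (a backup pin) or an expired certificate bricks the app.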
  • 17. stolen or lost phones may compromise user’s geo
INSECURE LOCAL STORAGE
apps that store geo in unencrypted files (plists, logfiles, databases): again, bad!

  • 18. find such bugs with filemon & fileDP
INSECURE LOCAL STORAGE
monitoring the app's file I/O:

    # ./filemon
    Wheres_Waldo  Created  /Application Support/analytics/location.db-journal
      DEV: 1,3  INODE: 121171  MODE: 81a4  UID: 501  GID: 501  Arg64: 300649589561
    Wheres_Waldo  Renamed  /Preferences/lastKnownLocation.plist.l0mitdo
      DEV: 1,3  INODE: 121172  MODE: 8180  UID: 501  GID: 501

display a file's protection attributes (iOS):

    // dump file attributes
    NSLog(@"attrs: %@", [[[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil]
                           objectForKey:NSFileProtectionKey]);

  • 19. on iOS, always check the user’s default plist
INSECURE LOCAL STORAGE
App's IDA disassembly: the app writes the user's geo data into NSUserDefaults under the key "geoInfo":

    MOV  R1, #(selRef_standardUserDefaults-0x5917A)
    ADD  R1, PC
    LDR  R1, [R1]                  ; "standardUserDefaults"
    MOV  R0, #(classRef_NSUserDefaults-0x591A2)
    ADD  R0, PC
    LDR  R0, [R0]                  ; _OBJC_CLASS_$_NSUserDefaults
    BLX  _objc_msgSend             ; [NSUserDefaults standardUserDefaults]
    MOV  R3, #(cfstr_geoInfo-0x591D6)
    ADD  R3, PC                    ; "geoInfo"
    LDR  R2, [SP,#0xB4+usersGeo]   ; geo data
    MOV  R1, #(selRef_setObject_forKey_-0x591D6)
    ADD  R1, PC
    LDR  R1, [R1]                  ; "setObject:forKey:"
    BLX  _objc_msgSend             ; [userDefaults setObject: forKey:]

App's 'User Defaults' plist lands in the app's /Library/Preferences/ with NSFileProtectionNone (no data protection, so readable whenever the device is powered on):

    <dict>
        <key>geoInfo</key>
        <dict>
            <key>homeLong</key>
            <real>73.242539</real>
            <key>homeLat</key>
            <real>34.169308</real>
            ...
        </dict>
    </dict>
  • 20. don’t trust geolocation from the client
LOCATION SPOOFING
apps that:
  - explicitly trust client-side geo
  - allow the client's (device's) location to rapidly change
be careful if you do this! what depends on it: user auth, access to 'relative' data (who/what is nearby)

  • 21. find such bugs by manipulating reported geo
LOCATION SPOOFING
edit to spoof geo:
  - editing network dataz (rewrite the lat/lon in the request at the proxy)
  - cycript (runtime manipulations)
  - or location spoofing apps (from Cydia)
  • 22. do apps really need precision to 12 decimal places?!
OVER PRECISE LOCATION
apps that:
  - collect geolocation as precise as possible
  - don't specify a 'desired accuracy' (iOS defaults to the highest, kCLLocationAccuracyBest)
treat with care!
long: 73.242539906632… (a degree of latitude is ~111 km, so 2 decimal places ≈ 1 km, 5 ≈ 1 m, 8 ≈ 1 mm)

  • 23. sniffing (network or file I/O) or look at disassembly
OVER PRECISE LOCATION
setting 'desired accuracy' (Swift):

    // create instance of location manager
    let locationManager = CLLocationManager()
    // set 'desired accuracy'
    locationManager.desiredAccuracy = kCLLocationAccuracyBest

IDA disassembly of the same call:

    MOV   R4, #(_kCLLocationAccuracyBest_ptr - 0xACD8)
    ADD   R4, PC, R4                              ; _kCLLocationAccuracyBest_ptr
    LDR   R4, [R4]                                ; _kCLLocationAccuracyBest
    VLDR  D16, [R4]
    VMOV  R2, R3, D16                             ; R2 contains _kCLLocationAccuracyBest
    LDR   R1, [SP,#0xF8+selRef_setDesiredAccuracy]
    LDR   R1, [R1]                                ; R1 contains selRef_setDesiredAccuracy
                                                  ; R0 has locationManager object
    LDR   R9, [SP,#0xF8+objc_msgSend]             ; __imp__objc_msgSend
    ; objc_msgSend(locationManager, "setDesiredAccuracy", _kCLLocationAccuracyBest);
    BLX   R9
  • 24. unprotected APIs may provide geo
INSECURE SERVER-SIDE APIS
apps/servers that:
  - assume undocumented APIs are hidden
  - allow unauthorized queries
  - allow unlimited (un-throttled) queries
  - provide unrestricted geo
all bad assumptions/ideas!

  • 25. sniffing network traffic often reveals undocumented API
INSECURE SERVER-SIDE APIS
[screenshot: intercepted outgoing request; the modified request (changed user); the server's reply]
holy $#!@, did we just find Carmen Sandiego!? ;)

  • 26. what lurks below?
USER-INTERFACE
apps that:
  - assume the UI is 'secure'
  - implement client-side protection (in the UI)
  - ignore user settings
all bad assumptions/ideas!

  • 27. don’t enforce anything at the UI level
USER INTERFACE
two ways this goes wrong:
  - ui settings ignored: the precise client location is still sent to the server
  - ui-level logic only (e.g. precision rounding): the precise geolocation (of other users) is still sent to the device and merely hidden on screen
  • 28. buggy apps that compromised a user’s physical location
EXAMPLES OF GEO BUGS
starbucks, whisper, angry birds, tinder, grindr (case-study)

  • 29. overpriced coffee, plus a shot of geo tracking
STARBUCKS
[CVE-2014-0647] Insecure Data Storage of User Data in Starbucks v2.6.1 iOS mobile application (Daniel Wood)
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
"[unencrypted] geolocation data included alongside username and password data, meaning that hackers can potentially see where a user most often traveled if they were to access the phone"

  • 30. “the safest place on the internet” - NOPE
WHISPER
  - users monitored/tracked (even if opted out)
  - geo stored 'indefinitely'
  - shared with the DOD
"Revealed: how Whisper app tracks 'anonymous' users" -the guardian

  • 31. precise geo of nearby users, allowed tracking
TINDER
tinder user trilateration (blog.includesecurity.com): the API returned a precise distance to each user, so three spoofed vantage points were enough to solve for where someone was
'tinderizer' matched tinder profiles to facebook profiles (main_photo_url = photos[0]['url'])

  • 32. …‘they’ are watching you play
ANGRY BIRDS
"the ABC have been developing capabilities to take advantage of "leaky" smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information [geo]" -the guardian
  • 33. Case Study - Grindr many, many #$&@ up’s
  • 34. (all-male) social-dating app WHAT’S GRINDR? “the largest and most popular all-male location-based social network out there. more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day” 
 -grindr.com all about geo extremely popular targeted group
  • 35. Those who cannot learn from history are doomed to repeat it GRINDR’S PREVIOUS ISSUES
  2012: “Love online: 100,000 Grindr users exposed in hack attack” -sydney morning herald
  2013: Grindr Application Security Evaluation Report -university of amsterdam
  2014: “Grindr fails to protect user's” -anonymous (pastebin)
  2014: Grindr Application Analysis -synack
  • 36. “0 Feet Away” GRINDR (CASE STUDY): lack of SSL pinning; overly precise geo; location spoofing; overly permissible APIs; broken ui level logic; client side precision; sharing geo. yes, so much wrong!
  • 37. the app does not pin its certs BUG 0X1: LACK OF SSL PINNING (login info and user geolocation at risk)
  • 38. the app reported (overly) precise relative distances BUG 0X2: REPORTING OF PRECISE GEO
  request: primus.grindr.com POST /2.0/nearbyProfiles
  response:
    {"status": 1, "distance": 3.861290174942267, "relationshipStatus": 1, "displayName": "Waldo",
     "isFavorite": false, "showDistance": true,
     "height": 187.960006713867, "profileId": 12345678, …}
  3.861290174942267 km away
  • 39. even newer versions may reveal precise location BUG 0X2: REPORTING OF PRECISE GEO
    //create instance of location manager
    let locationManager = CLLocationManager()
    //set ‘desired accuracy’
    locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters;
  10 meter location reporting (office)
  • 40. can spoof your location…as much as you want BUG 0X3: LOCATION SPOOFING: the geolocation coordinates used for locating ‘nearby’ users can be changed at will! trilateration?
  • 41. unauthenticated, unlimited access to APIs BUG 0X4: WIDE-OPEN APIS
  request for users’ info: primus.grindr.com POST /2.0/nearbyProfiles
    { "filter": { "page": 1, "quantity": 50 }, "lat": <any lat>, "lon": <any lon> }
  user info returned: name, height, weight, relative distance
  • 42. what you see/say isn’t what you get BUG 0X5: ‘BROKEN’ UI LEVEL LOGIC: the privacy settings are enforced only by UI level logic (if !showDistance { hide distance }); the server sends the distance regardless. srsly? wtf!
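The server-side version of the fix for bug 0x2 and bug 0x5 (and the geofencing listed later under the Grindr response), as an added example that is not Grindr's code: the backend decides whether a distance is sent at all and coarsens it before it leaves. Field names follow the response shown in the slides; the bucket sizes and the geofence box are assumptions.

```python
"""Server-side shaping of a nearbyProfiles response (added example, not Grindr's code)."""
import math

BUCKET_KM = 0.5        # coarsest step ever reported (assumption)
MIN_REPORTED_KM = 1.0  # anything closer is reported as 1 km (assumption)
# (min_lat, min_lon, max_lat, max_lon): constructed placeholder box, not a real policy
GEOFENCED = [(22.0, 25.0, 31.7, 35.0)]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def coarsen_distance(km):
    """Round up to the bucket so a raw 3.86129... never leaves the server."""
    if km < MIN_REPORTED_KM:
        return MIN_REPORTED_KM
    return math.ceil(km / BUCKET_KM) * BUCKET_KM


def in_geofence(lat, lon):
    """True when the point lies inside any region where distances are suppressed."""
    return any(a <= lat <= c and b <= lon <= d for a, b, c, d in GEOFENCED)


def build_nearby_profile(viewer, profile):
    """viewer: {lat, lon}; profile: {profileId, displayName, showDistance, lat, lon}.

    The profile's own coordinates are never copied into the response."""
    out = {"profileId": profile["profileId"], "displayName": profile["displayName"]}
    # bug 0x5 fix: the setting is honoured here, not by `if !showDistance` in the UI
    if not profile["showDistance"]:
        return out
    # geofencing: no distance for anyone inside (or viewing from) a sensitive region
    if in_geofence(profile["lat"], profile["lon"]) or in_geofence(viewer["lat"], viewer["lon"]):
        return out
    exact = haversine_km(viewer["lat"], viewer["lon"], profile["lat"], profile["lon"])
    out["distance"] = coarsen_distance(exact)  # bug 0x2 fix: coarse bucket, never raw
    return out
```

Coarse buckets only raise the cost of trilateration; without the query limits the later slides call for, a patient caller can still narrow a position down.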
  • 43. our goal was to help Grindr understand the issues DISCLAIMER: during vulnerability research and disclosure no individual users were intentionally or unintentionally identified; all data logged has been irrecoverably destroyed. The purpose of this research was not to identify Grindr users but to help protect those that wish to remain private.
  • 44. combining bugs can lead to “total tracking” IT'S MORPHIN' TIME: wide-open APIs + precise relative geo + location spoofing = tracking of any user anywhere!
  • 45. query the APIs to get info about all ‘nearby’ users COLLECTION DATAZ
  request:
    $ python collectInfo.py -o output.json
    [+] sent request to: primus.grindr.com POST /2.0/nearbyProfiles
    [+] saving response (50 users)
  response:
    $ less output.json
    "profiles": [{
        "profileId": 314159265,
        "displayName": "Waldo",
        "aboutMe": "Where am I?",
        "distance": 0.4980983433684
      },
      ...
  • 46. determine absolute location from relative distances TRILATERATION “trilateration is the process of determining absolute locations by measurement of (relative) distances, using the geometry of circles, spheres or triangles.”
  trilateration script:
    $ python findUser.py -i 314159265
    [+] making query 1, 2, 3
        got three relative distances
    [+] converting geodetic lat/long to ECEF
    [+] transforming circle 1 at origin, circle 2 on x axis, etc
    [+] generating array with ECEF x,y,z
    [+] converting ECEF back to lat/long
    [+] user is at: 73.242539906632, 34.169308121551
  • 47. so let’s map some users USER LOCATION: San Francisco, Sochi (olympics), stores, capitols
  • 48. so let’s track some willing users USER TRACKING: your life; revealed
  • 49. it’d be trivial to reveal anonymous users’ identities IDENTIFYING USERS: picture + geo tracking + profile name, home and work all revealed!
  • 50. …didn’t care :/ REPORTING TO GRINDR: early 2014 - initial disclosure to vendor; followups included conference calls, technical write-ups, & POCs; didn’t fix anything: “we do not view this as a security flaw” -grindr.com/blog/grindr-security
  • 51. …sadly it came to this to get (some) fixes CAT GOT OUT OF THE BAG: “Egyptian officials have resorted to using location-based dating app Grindr to arrest gay men”; “Grindr fails to protect their user’s” - anonymous (pastebin). people’s lives affected :(
  • 52. fixes & current issues GRINDR RESPONSE. fixed: user’s settings respected; geofencing (in Egypt, etc.); geolocation kCLLocationAccuracyNearestTenMeters. still open: no SSL pinning; open APIs; spoofing; no rate limiting. still can track most users!
  • 54. for users and app developers alike BEST PRACTICES. user: assume you can be tracked; disallow tracking at the OS level. developer: secure comms; secure local storage; protected APIs; non-precise geo; correct UI logic. where’s waldo?!
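What ‘protected APIs’ looks like against the gaps slide 52 leaves open (spoofing, open APIs, no rate limiting), as an added example that is not Grindr's code: coordinates are validated, each account gets a query budget per window, and a claimed position that implies impossible travel since the account's last accepted query is refused. All thresholds are assumptions.

```python
"""Request-side guards for a 'nearby users' endpoint (added example, not Grindr's code)."""
import math
from collections import defaultdict, deque

MAX_QUERIES = 30        # accepted queries per account per window (assumption)
WINDOW_S = 600          # ten-minute sliding window (assumption)
MAX_SPEED_KMH = 1000.0  # roughly airliner speed; faster is a spoofed jump (assumption)
JITTER_KM = 0.2         # tolerance for GPS noise (assumption)


def approx_km(lat1, lon1, lat2, lon2):
    """Equirectangular approximation: plenty for a plausibility check."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return 6371.0 * math.hypot(x, y)


def valid_coords(lat, lon):
    """Reject non-numeric, NaN/inf and out-of-range values before they reach a query."""
    if not all(isinstance(v, (int, float)) for v in (lat, lon)):
        return False
    return (math.isfinite(lat) and math.isfinite(lon)
            and -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0)


class LocationGuard:
    def __init__(self):
        # account -> (ts, lat, lon) of accepted queries inside the current window
        self.accepted = defaultdict(deque)

    def check(self, account, lat, lon, ts):
        """Return 'ok', or the reason the query must be refused."""
        if not valid_coords(lat, lon):
            return "bad-coords"
        hist = self.accepted[account]
        while hist and hist[0][0] < ts - WINDOW_S:   # slide the window forward
            hist.popleft()
        if len(hist) >= MAX_QUERIES:
            return "rate-limited"
        if hist:
            t0, lat0, lon0 = hist[-1]
            hours = max(ts - t0, 0) / 3600.0
            if approx_km(lat0, lon0, lat, lon) > MAX_SPEED_KMH * hours + JITTER_KM:
                return "impossible-travel"   # bug 0x3: a position the client cannot have reached
        hist.append((ts, lat, lon))
        return "ok"
```

Refused queries are deliberately not counted against the budget here; counting them too is a reasonable stricter choice.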
  • 55. QUESTIONS & ANSWERS {colby,patrick}@synack.com @colbymoore / @patrickwardle syn.ac/shmooConSlides …feel free to contact us any time! stop by our booth to win a MakerBot!
  • 56. credits - thezooom.com - deviantart.com (FreshFarhan) - nicolevanputten.com - http://agentfox.deviantart.com/art/chuck-Norris-hunting-waldo-42939561 - http://fc09.deviantart.net/fs70/f/2010/154/3/9/Waldo_by_MattMelvin.jpg - http://th05.deviantart.net/fs71/PRE/i/2013/250/c/c/where_s_waldo_by_katanauser98-d6lgepy.png 
 - iconmonstr.com - flaticon.com images