The document discusses geolocation features in mobile apps and potential security issues. It provides an overview of how geolocation works on iOS, code examples for implementing geolocation in Swift, and discusses common classes of geolocation bugs that could compromise a user's location privacy. These include insecure network communications, insecure local storage of location data, location spoofing, collecting overly precise location data, and user interface errors.
This presentation from Virus Bulletin 2015 will provide a solid technical overview of Gatekeeper's design and implementation, and will discuss both patched and currently unpatched vulnerabilities or weaknesses in this core OS X security mechanism.
This presentation from ShmooCon 2016 elaborates on a trivial bypass of Apple’s Gatekeeper, a core OS X security mechanism, which still remains flawed following Apple’s patch efforts to the vulnerabilities previously reported and presented by Patrick Wardle at Virus Bulletin 2015.
DEF CON 23: Stick That In Your (root)Pipe & Smoke It - Synack
DEF CON 23
You may ask: "Why would Apple add an XPC service that can create setuid files anywhere on the system - and then blindly allow any local user to leverage this service?" Honestly, I have no idea!
The undocumented 'writeconfig' XPC service was recently uncovered by Emil Kvarnhammar, who determined its lax controls could be abused to escalate one's privileges to root. Dubbed 'rootpipe,' this bug was patched in OS X 10.10.3. End of story, right? Nope, instead things then got quite interesting. First, Apple decided to leave older versions of OS X un-patched. Then, an astute researcher discovered that the OSX/XSLCmd malware, which pre-dated the disclosure, exploited this same vulnerability as a 0day! Finally, yours truly found a simple way to side-step Apple's patch to re-exploit the core vulnerability on a fully-patched system. So come attend (but maybe leave your MacBooks at home), as we dive into the technical details of XPC and the rootpipe vulnerability, explore how malware exploited this flaw, and then fully detail the process of completely bypassing Apple's patch. The talk will conclude by examining Apple's response, a second patch, that appears to squash 'rootpipe'...for now.
Black Hat '15: Writing Bad @$$ Malware for OS X - Synack
In comparison to Windows malware, known OS X threats are really quite lame. As an Apple user who has drunk the 'Apple Juice,' I didn't think that was fair!
From novel persistence techniques, to native OS X components that can be abused to thwart analysis, this talk will detail exactly how to create elegant, bad@ss OS X malware. And since detection is often a death knell for malware, the talk will also show how OS X's native malware mitigations and 3rd-party security tools were bypassed. For example, I'll detail how Gatekeeper was remotely bypassed to allow downloaded unsigned code to be executed, how Apple's 'rootpipe' patch was side-stepped to gain root on a fully patched system, and how all popular 3rd-party AV and personal firewall products were generically bypassed by my simple proof-of-concept malware.
However, don't throw out your Macs just yet! The talk will conclude by presenting several free security tools that can generically detect or even prevent advanced OS X threats. Armed with such tools, we'll ensure that our computers are better protected against both current and future OS X malware.
So unless you work for Apple, come learn how to take your OS X malware skills to the next level and better secure your Mac at the same time!
[DefCon 2016] I got 99 Problems, but Little Snitch ain't one! - Synack
Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah! - Synack
DEF CON 23
Remember DLL hijacking on Windows? Well, turns out that OS X is fundamentally vulnerable to a similar attack (independent of the user's environment).
By abusing various 'features' and undocumented aspects of OS X's dynamic loader, this talk will reveal how attackers need only to plant specially-crafted dynamic libraries to have their malicious code automatically loaded into vulnerable applications. Through this attack, adversaries can perform a wide range of malicious actions, including stealthy persistence, process injection, security software circumvention, and even 'remote' infection. So come watch as applications fall, Gatekeeper crumbles (allowing downloaded unsigned code to execute), and 'hijacker malware' arises - capable of bypassing all top security and anti-virus products! And since "sharing is caring", leave with code and tools that can automatically uncover vulnerable binaries, generate compatible hijacker libraries, or detect if you've been hijacked.
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware.
There's Waldo by Patrick Wardle & Colby Moore - Shakacon
Mobile apps are truly ubiquitous and enhance our lives in many ways. However, many either leak or insecurely handle geolocation data, affording an attacker the ability to locate, track, or even determine a user’s identity. This talk describes classes of geolocation vulnerabilities, how apps may be audited to find such bugs, and best practices to ensure users remain protected. To provide a more 'hands-on' feel, real world case studies are presented to demonstrate attacks uncovered by Synack researchers.
The talk will begin with a technical overview of geolocation capabilities in mobile OSs and how apps may access a user's location. Next the talk will identify common classes of geolocation bugs and illustrate how developers often utilize a user's location in an insecure manner. For example, since geolocation APIs may default to the highest level of accuracy, a user's precise location may be revealed if not properly secured (on the device, in transit, or in the cloud).
Unfortunately, as our case studies show, such bugs are alarmingly common (numerous popular applications will be mentioned). A specific case study on Grindr (a common dating app) will be presented to illustrate a myriad of geolocation bugs that placed its users in harm's way (see: 'Grindr vulnerability places men in harm's way' http://goo.gl/dg4cs6). First, due to the lack of SSL pinning, we present a MitM attack that reveals the user's exact location. Following this, we demonstrate a scalable remote attack. This attack combined several bugs, including the fact that the app reported (to anybody) the precise relative distance of all 'near-by' users. With these distances and the ability to spoof one's location and perform unlimited requests, trilateration could precisely locate and track users world-wide. Unfortunately, though we reported the bugs, patches only appeared after it was reported that the Egyptian government was tracking and arresting Grindr users.
Step by step demonstrations will be given, showing how we were able to harvest data and run calculations to determine tens of thousands of users' locations in real time. But it would be silly if we stopped there... Leveraging our capability we demonstrate a custom framework developed to map patterns of life and subsequently correlate these patterns to true identity. By setting "hot spots" in our framework (think celebrity homes or US capitols) we can monitor target locations for user activity - potentially exposing identities of parties that may traditionally wish to remain private such as celebrities, athletes, and politicians. And yes, it works ;).
I am the 100% [*] by Chris Evans & Natalie Silvanovich - Shakacon
For a certain class of attacker, the reliability of an exploit is very important. In this talk, we will consider what types of memory corruption vulnerabilities lead to the ability to construct very reliable exploits. We will show two examples of perfectly[*] reliable exploits, and their construction and limitations. We will also discuss the factors that impact the ability to write a reliable exploit.
POC2015: OS X Kernel Is As Strong As Its Weakest Part (liang_shuaitian) - Liang Chen
With the popularity of Apple's system, many OS X kernel vulnerabilities were discovered by fuzzing IOKit. OS X kernel exploitation technology has developed in the past few years, yet recent Apple patches have mitigated most of those techniques to prevent generic address leaks as well as zone Feng Shui approaches, which, as a result, makes it harder to exploit OS X kernel vulnerabilities.
In the first part of this talk, we will show several vulnerabilities discovered by KeenTeam whose details have never been published before. Then we conclude with several root causes of Apple IOKit drivers' weaknesses, and how to take advantage of those weaknesses to find bugs more efficiently.
The second part will cover how to exploit a vulnerability in such a case, and how to pave a road from crash to root in the presence of Apple's new mitigation.
"In today's digital world the mouse, not the pen is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell.
Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed.
In this talk we'll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box!
And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!"
Getting Started with iBeacons (Designers of Things 2014) - Daniel Luxemburg
iBeacon is a system for device-to-device communication based on Bluetooth Low Energy. Applications running on phones, computers, or other types of device can detect and respond to the presence of nearby iBeacons. This technology opens the doors for new and creative interactions between networked objects like wearables and the surrounding environment. In this session we'll explore the potential of iBeacons by building an iBeacon detection device from scratch and using it to interact with a set of iBeacon nodes from Estimote.
See code examples and demo application on GitHub here: https://github.com/dluxemburg/ibeacon-detector
ISIS (Now OSIRIS) Lab at NYU Tandon School hosts weekly sessions for young hackers. They excelled at developing this talent. This week I gave a talk discussing where vulnerabilities occur, how people handle them, as well as a deep dive into various technical aspects of the Application Binary Interface (ABI) for the XNU-derived kernels. The deep dive also covered the loading mechanisms for Mach-O through the kernel and DYLD.
For the second part, I did a walkthrough which is recorded on YouTube (https://www.youtube.com/watch?v=yg9svg9xE8g). It is about how we can use GCC to help you write assembly for your shellcode. It is especially useful for complex logic and for getting you bootstrapped on architectures you might not be familiar with. We use GCC to build up concise code for executing a system call. Just be aware that using GCC for this purpose will usually be enough to build up ~90% of the work; you'd be responsible for shaping it into something that meets all the requirements of your exploit.
At the end, there is a challenge given. It is to build shellcode which downloads and loads a dylib into a process without touching disk. There is a template on GitHub (https://github.com/nologic/shellcc) for downloading and loading from disk.
Fire & Ice: Making and Breaking macOS Firewalls - Priyanka Aash
"In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.
However, on macOS, firewalls are rather poorly understood. Apple's documentation surrounding its network filter interfaces is rather lacking and all commercial macOS firewalls are closed source.
This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls.
In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes, we'll discuss core concepts such as kernel-level socket filtering—but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).
Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls.
But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!"
Synack completed a benchmarking test in a series of home automation devices from cameras to home automation controllers to thermostats. The devices were examined head to head to derive conclusions on the relative state of security across the board. Interested in what we found?
Presentation by Wesley Wineberg at B-Sides Vancouver 2015. It includes an analysis of EMU-2, introduction to hardware security and the ZigBee Smart Energy device.
A presentation to the Electronic Business Module at Queen's University Management School, Belfast. The presentation looked at the business applications of geolocation and mobile. Particularly focusing on what is happening out there now.
"Open Government & Geolocation: Building a Mobile, Location-Based Search for AIDS.gov" was presented at Sex::Tech 2011 by Mindy Nichamin and Jennie Anderson of John Snow, Inc.
Geolocation in Web and Native Mobile Apps - Aaron Parecki
While location-based mobile apps are becoming increasingly popular, they are still relatively new. Special considerations need to be made for battery life and handling large data sets of geolocated data. The good news is there are many services and technologies you can use to assist you in building mobile location-based apps.
In this session, Aaron Parecki, co-founder of Geoloqi.com, shows you services you can leverage to do things like nearby business lookups, location-based triggers, nearest intersection queries, and more. Aaron also covers the location services available on the various mobile platforms as well as in HTML 5, and shares some insights on how to deal with battery life. The session concludes with some real-world use cases for real-time location such as turning on and off your lights in your house or sending an SMS when you leave work.
Location Based Marketing: Geofence, Beacon, Smart Posters, FanWise & Live Video - Starmark
Marketing-on-the-go!
From geo-fencing to beacons, location based marketing technologies are hot this year!
With the proliferation of mobile devices in today’s market, there is tremendous potential to leverage this emerging technology. To help you navigate through the geofences and beacons, we invite you to join us for an innovative webinar that explores geolocation-based marketing technologies and how to best harness the benefits they offer.
Presentation about Structural insulated panels price from www.large-span.com
Why National Brands Must Adapt to Changing Traveler Behavior - Placeable
After a long and brutal winter, summer travel season has finally arrived, and this year an incredible 88% of Americans plan to take a vacation. In the latest installment of Placeable's ongoing research series, we surveyed 1,000 consumers to learn more about how they research and find businesses before and during their vacations.
Presentation about Osb eps osb structural insulated panels from www.large-span.com
contact us by info@large-span.com largespangroup@gmail.com
LARGE SPAN GROUP
TEL: 0086-13333016262, 18731151165
FAX: 0086-18032909635, 18032909637
EMAIL: largespangroup@gmail.com, info@large-span.com
Large-Span group is big stated owned corporation established over 30 years and has certificated by BV, TUV, SGS inspection. As one of the most famous manufacturers in China, we have committed ourselves to developing and producing high quality products, professional suggestions and good services for customers all over the world.
How to use geolocation in react native appsInnovationM
Geolocation will find your current location and Geocoding gives your address (like City Name, Street Name, etc) by Coordinates (Latitude and Longitude).
What is Geolocation?
The most famous and familiar location feature — Geolocation is the ability to track a device using GPS, cell phone towers, WiFi access points or a combination of these. Since devices area unit employed by people, geolocation uses positioning systems to trace associate degree individual’s whereabouts right down to latitude and great circle coordinates, or more practically, a physical address. Both mobile and desktop devices can use geolocation.
Geolocation is accustomed to confirm zone and actual positioning coordinates, like for chase life or shipment shipments.
Learn how to use the location-related capabilities of Nokia Lumia hardware, Windows Phone Location APIs, and the HERE location platform, including HERE Maps, HERE Drive, and HERE Transit. Starting with the basics — retrieving location information from the phone and registering for background location notifications — this presentation then looks at map-related services APIs available for your Windows Phone apps for Nokia Lumia smartphones, including APIs for map rendering, geocoding, and routing controls.
For detailed documentation on the maps features in Lumia smartphones see http://www.developer.nokia.com/Resources/Library/Lumia/#!guide-to-the-wp8-maps-api.html and don't forget to check out the examples at http://projects.developer.nokia.com/WP8MapsExamples
For more details about developing for Nokia Lumia smartphones visit http://www.developer.nokia.com/windowsphone
Check out details of the other Lumia App Labs, including the future schedule, here: http://www.developer.nokia.com/Develop/Windows_Phone/Learn/
Docker on a local machine and Docker in production — are two big differences. It's easy to play with technology but it's hard to do something real for many customers.
Half a year ago inside of Alpha Laboratory (division of Alfa-Bank) we've started building new microservices architecture for one of our pilot projects. We've almost completely changed a stack of the used technologies on a frontend and significantly changed it on a middle layer. For package and distribution we have choosen Docker. Two months ago we've deployed project to production and have opened service for clients.
In the report the following topics will be covered:
- reasons of a choice Docker;
- why Docker without other tools is not enough for a production;
- what stack of technologies we used in our solution;
- what advantages we've got;
- what problems have been faced and how we've solved them.
Everything About Bluetooth (淺談藍牙 4.0) - Central 篇Johnny Sung
講解 Bluetooth 的 GATT 的概念,並以 Android 實作
Example code:
Peripheral - BLE CPU Temp
https://github.com/j796160836/Ble-CPUTemp-Android
Central - BLE Temperature Receiver
https://github.com/j796160836/BleTemperatureReceiver-Android
Smartphones, tablets, TVs, cars and smartwatches: Android is everywhere enabling users and developers with rich set of applications, libraries and services. Android Things brings such a power to virtually any object, any “thing”: using a low-cost (yet powerful) board, developer can add intelligence and connectivity to home, industries, vehicles and even medical appliances. This presentation introduces practical concepts around the Android Things platform and how to have fun with it.
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache CordovaHazem Saleh
Apache Cordova is a platform for building native mobile applications using common Web technologies (HTML, CSS and JavaScript). Apache Cordova offers a set of APIs that allow the mobile application developers to access mobile native functions such as (Audio, Camera, File, Battery, Contacts …etc) using JavaScript. Although there are many JavaScript mobile application frameworks, jQuery mobile is one of the best mobile web application frameworks which allows the web developers to develop web applications that are mobile friendly. This session illustrates how to use Apache Cordova with the combination of jQuery mobile in order to develop a native Android application and deploy on a real Android device. The demo application (“Memo” application) utilizes mobile native functions (Audio and Camera) using pure JavaScript.
Talk I did at WordCamp Birmingham, Exploring ways to make Wordpress work without page refreshes, using the Admin Ajax API and Node.JS with Socket.IO and Express.js
2. “sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints.”
ABOUT
vetted researchers, internal R&D, backed by google
always looking for more experts! @colbymoore /VRL /SYNACK
3. geolocation bugs, hacks, & fixes
AN OUTLINE
all things geo: code, bugs
case study: lots of bugs, tracking users
fixes/conclusions
5. incorporating geolocation is the norm
GEOLOCATION IN MOBILE APPS
74% of smart phone users get info based on their phone’s current location (chart: Use Geo vs No Geo)
uses: social, recommendations, tracking, health & fitness, commerce, navigation
“84% inquire about location”
6. HOW IS GEOLOCATION ACCOMPLISHED (IOS)?
using the Core Location Manager: create, delegate, start, wait/handle
“The CLLocationManager class is the central point for configuring the delivery of location-related events to your app.” apple.com
7. ‘doing it’ in Swift
GEOLOCATION (IOS)
//required frameworks
import UIKit
import CoreLocation

//conform to CLLocationManagerDelegate
class ViewController: UIViewController, CLLocationManagerDelegate {

    //[1] CREATE (instance of) location manager
    let locationManager = CLLocationManager()

    //view controller lifecycle callback
    override func viewDidLoad() {
        super.viewDidLoad()
        //[2] set DELEGATE
        self.locationManager.delegate = self
        //request auth
        self.locationManager.requestWhenInUseAuthorization()
        //[3] START collecting location
        self.locationManager.startUpdatingLocation()
    }

    //[4] WAIT/HANDLE, delegate (callback) function
    func locationManager(_ manager: CLLocationManager, didUpdateLocations locations: [CLLocation]) {
        //do whateverz
        // -> user’s location is in manager.location?.coordinate (latitude/longitude);
        //    the fixes just delivered are in `locations`, newest last
    }
}
8. os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
code for auth request:
//request auth for foreground
self.locationManager.requestWhenInUseAuthorization()
App’s Info.plist key: NSLocationWhenInUseUsageDescription
iOS alert: “allow the app to get location updates only when the app is in the foreground”
9. os-level alerts
GEOLOCATION (I)OS LEVEL PROTECTIONS
code for auth request:
//request auth for foreground and background
self.locationManager.requestAlwaysAuthorization()
App’s Info.plist key: NSLocationAlwaysUsageDescription
iOS alert: “allows the app to receive location updates both when the app is in the foreground and in the background (suspended or terminated)”
10. …bad for users!
GEO CAN ‘LEAK’ IF THE APPLICATION IS BUGGY
“the government”, hackers, thieves, criminals
“spies could be lurking to snatch data revealing the [app] player’s location” -nytimes.com
11. …so what!?
THEY KNOW YOUR LOCATION
“investigators said the suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time” -thieves robbed homes based on facebook [3]
“a [geo]location allows perpetrators the perfect window to commit a burglary, vandalism, or even a home invasion” -criminal use of social media [2]
“[geolocation] generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations” -u.s. v. jones [1]
1) http://scholarship.kentlaw.iit.edu/cgi/viewcontent.cgi?article=3332&context=fac_schol
2) http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
3) http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116
12. can compromise a user’s physical location
COMMON CLASSES OF GEO BUGZ
insecure network comms
insecure local storage
location spoofing
buggy server-side APIs
overly precise location
UI errors/validation
13. may allow passive attackers access to geo
INSECURE NETWORK COMMS
insecure network comms: use unencrypted comms; allow self-signed certificates; forget to pin certificates
do not do these things!
14. find such bugs with a proxy
INSECURE NETWORK COMMS
(diagram: device config → proxy (burp) config; https:// https:// http://)
15. does the app accept self-signed certificates?
INSECURE NETWORK COMMS
allowing a self-signed certificate (iOS): the app invokes the NSURLRequest class method setAllowsAnyHTTPSCertificate:forHost:
MOVT    R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
ADD     R8, PC                  ; classRef_NSURLRequest
MOV     R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
ADD     R2, PC
LDR     R4, [R2]                ; "setAllowsAnyHTTPSCertificate:forHost:"
LDR     R5, [R8]                ; _OBJC_CLASS_$_NSURLRequest
MOV     R0, R5                  ; _OBJC_CLASS_$_NSURLRequest (class)
MOV     R1, R4                  ; "setAllowsAnyHTTPSCertificate:forHost:" (method)
MOVS    R2, #1                  ; ’YES’
MOV     R3, R8                  ; the host
BLX     _objc_msgSend           ; invoke method
16. did the app forget to pin certificates?
INSECURE NETWORK COMMS
non-jailbroken device + hacker’s cert can MitM the connection
“SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers”
17. stolen or lost phones may compromise user’s geo
INSECURE LOCAL STORAGE
insecure local storage: store in unencrypted files (plists, logfiles, databases)
again, bad!
19. on iOS, always check the user’s default plist
INSECURE LOCAL STORAGE
App’s IDA disassembly:
MOV     R1, #(selRef_standardUserDefaults - 0x5917A)
ADD     R1, PC
LDR     R1, [R1]                ; "standardUserDefaults"
MOV     R0, #(classRef_NSUserDefaults - 0x591A2)
ADD     R0, PC
LDR     R0, [R0]                ; _OBJC_CLASS_$_NSUserDefaults
BLX     _objc_msgSend           ; [NSUserDefaults standardUserDefaults]
MOV     R3, #(cfstr_geoInfo - 0x591D6)
ADD     R3, PC                  ; "geoInfo"
LDR     R2, [SP,#0xB4+usersGeo] ; geo data
MOV     R1, #(selRef_setObject_forKey_ - 0x591D6)
ADD     R1, PC
LDR     R1, [R1]                ; "setObject:forKey:"
BLX     _objc_msgSend           ; [userDefaults setObject: forKey:]
App’s ‘User Defaults’ plist, written to the app’s /Library/Preferences/ with NSFileProtectionNone:
<dict>
    <key>geoInfo</key>
    <dict>
        <key>homeLong</key>
        <real>73.242539</real>
        <key>homeLat</key>
        <real>34.169308</real>
        ...
    </dict>
</dict>
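A quick way to run the check this slide recommends (inspect an app’s user-defaults plist for stored coordinates) is to parse the plist and flag values under geo-looking keys. The script below is an added example; it is not part of the presentation or of any app it discusses. The geoInfo/homeLong/homeLat keys and values in the sample plist are copied from the slide, while the decoy keys, the key-name pattern and the resolution estimate are assumptions made for this example.

```python
import plistlib
import re

# Constructed sample plist modelled on the 'User Defaults' plist on the slide:
# geoInfo/homeLong/homeLat are from the slide, the remaining keys are decoys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>geoInfo</key>
  <dict>
    <key>homeLong</key>
    <real>73.242539</real>
    <key>homeLat</key>
    <real>34.169308</real>
  </dict>
  <key>lastSearch</key>
  <string>coffee</string>
  <key>uiScale</key>
  <real>1.5</real>
</dict>
</plist>
"""

# Assumed heuristic: key paths that usually hold coordinates.
GEO_KEY = re.compile(r"lat|lng|lon|geo|coord|location|position", re.IGNORECASE)


def _leaves(node, path=()):
    """Depth-first walk yielding (key_path, value) for every scalar in the plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, path + (f"[{index}]",))
    else:
        yield "/".join(path), node


def degrees_to_metres(decimals):
    """Approximate ground resolution of a coordinate with `decimals` decimal places:
    one degree of latitude is about 111 km, and each decimal place divides that by ten."""
    return 111_000.0 / (10 ** decimals)


def find_geo_leaks(plist_bytes):
    """Flag numeric values whose key path looks geo-related and whose value is a
    plausible coordinate (within [-180, 180]). Returns one dict per finding."""
    findings = []
    for key_path, value in _leaves(plistlib.loads(plist_bytes)):
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue
        if not GEO_KEY.search(key_path):
            continue
        if not -180.0 <= float(value) <= 180.0:
            continue
        text = repr(float(value))
        decimals = len(text.split(".")[1]) if "." in text else 0
        findings.append({
            "path": key_path,
            "value": float(value),
            "decimals": decimals,
            "resolution_m": degrees_to_metres(decimals),
        })
    return findings


if __name__ == "__main__":
    for finding in find_geo_leaks(SAMPLE_PLIST):
        print(f"{finding['path']}: {finding['value']} "
              f"({finding['decimals']} decimals, ~{finding['resolution_m']:.3f} m resolution)")
```

Run it against a plist pulled from a device backup or a jailbroken test device’s Library/Preferences directory; six decimal places, as in the slide’s sample, already identify a building, so any hit is worth reporting together with the file’s Data Protection class.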
20. don’t trust geolocation from the client
LOCATION SPOOFING
location spoofing: explicitly trust client-side geo; allow client’s (device’s) location to rapidly change
be careful if you do this! (e.g. user auth, access to ‘relative’ data)
21. find such bugs by manipulating reported geo
LOCATION SPOOFING
edit to spoof geo! editing network dataz, or cycript (runtime manipulations), or location spoofing apps (from Cydia)
22. do apps really need precision to 12 decimal places?!
OVER PRECISE LOCATION
over precise location: collect geolocation as precise as possible; don’t specify a ‘desired accuracy’ (iOS defaults to highest)
treat with care!
long: 73.242539906632… (~1km ~1m ~1mm)
24. unprotected APIs may provide geo
INSECURE SERVER-SIDE APIS
insecure server-side APIs: assume undocumented APIs are hidden; allow unauthorized queries; allow unlimited (un-throttled) queries; provide unrestricted geo
all bad assumptions/ideas!
25. sniffing network traffic often reveals undocumented API
INSECURE SERVER-SIDE APIS
intercepted outgoing request → modified request (changed user)
holy $#!@, did we just find Carmen Sandiego!? ;)
26. what lurks below?
USER-INTERFACE
user interface: assume the UI is ‘secure’; implement client-side protection (in the UI); ignore user settings
all bad assumptions/ideas!
27. don’t enforce anything at the UI level
USER INTERFACE
ui level logic (e.g. precision rounding): client location still sent to server; precise geolocation (of other users) sent to device
OR: ui settings ignored!
28. buggy apps that compromised a user’s physical location
EXAMPLE OF GEO BUGS
starbucks, whisper, angry birds, grindr, tinder
case-study: grindr
29. overpriced coffee, plus a shot of geo tracking
STARBUCKS
[CVE-2014-0647] Insecure Data Storage of User Data in Starbucks v2.6.1 iOS mobile application (Daniel Wood)
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
“[unencrypted] geolocation data included alongside username and password data, meaning that hackers can potentially see where a user most often traveled if they were to access the phone”
30. “the safest place on the internet” - NOPE
WHISPER
users monitored/tracked (even if opt’d out)
geo stored ‘indefinitely’
shared with the DOD
“Revealed: how Whisper app tracks ‘anonymous’ users” -the guardian
31. precise geo of nearby users, allowed tracking
TINDER
tinder user trilateration (blog.includesecurity.com)
main_photo_url = photos[0]['url']
‘tinderizer’ matches facebook profiles
32. …‘they’ are watching you play
ANGRY BIRDS
“the ABC have been developing capabilities to take advantage of "leaky" smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information [geo]” -the guardian
34. (all-male) social-dating app
WHAT’S GRINDR?
“the largest and most popular all-male location-based social network out there. more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day” -grindr.com
all about geo, extremely popular, targeted group
35. Those who cannot learn from history are doomed to repeat it
GRINDR’S PREVIOUS ISSUES
2012: “Love online: 100,000 Grindr users exposed in hack attack” -sydney morning herald
2013: Grindr Application Security Evaluation Report -university of amsterdam
2014: “Grindr fails to protect user's” -anonymous (pastebin)
2014: Grindr Application Analysis -synack
36. “0 Feet Away”
GRINDR (CASE STUDY)
lack of SSL pinning
overly precise geo (sharing geo, client side precision)
location spoofing
overly permissible APIs
broken ui level logic
yes, so much wrong!
37. the app does not pin its certs
BUG 0X1: LACK OF SSL PINNING
exposed: login info, user geolocation
38. the app reported (overly) precise relative distances
BUG 0X2: REPORTING OF PRECISE GEO
request: POST /2.0/nearbyProfiles to primus.grindr.com
response:
{"status": 1, "distance": 3.861290174942267, "relationshipStatus": 1, "displayName": "Waldo", "isFavorite": false, "showDistance": true, "height": 187.960006713867, "profileId": 12345678, …}
3.861290174942267 km away
39. even newer versions may reveal precise location
BUG 0X2: REPORTING OF PRECISE GEO
//create instance of location manager
let locationManager = CLLocationManager()
//set ‘desired accuracy’
locationManager.desiredAccuracy = kCLLocationAccuracyNearestTenMeters
10 meter location reporting (map: office)
40. can spoof your location…as much as you want
BUG 0X3: LOCATION SPOOFING
geolocation coordinates for locating ‘nearby’ users: change these at will!
trilateration?
41. unauthenticated, unlimited access to APIs
BUG 0X4: WIDE-OPEN APIS
request for users’ info: POST /2.0/nearbyProfiles to primus.grindr.com
{
  "filter": {
    "page": 1,
    "quantity": 50
  },
  "lat": <any lat>,
  "lon": <any lon>
}
user info returned: name, height, weight, relative distance
42. what you see/say isn’t what you get
BUG 0X5: ‘BROKEN’ UI LEVEL LOGIC
UI level logic (+ settings):
if !showDistance {
    hide distance
}
srsly? wtf!
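What slides 20, 24, 26/27 and 41/42 add up to on the server side: require authentication, throttle queries, treat client-reported geo as untrusted input, and enforce each user’s privacy setting where the data lives rather than in the UI. The handler below is an added example written for this page; it is not Grindr’s API or Synack’s code. The endpoint shape (a nearby-profiles query taking the caller’s lat/lon) follows the slides, while the rate limit, the speed threshold, the distance bands and all profile data are assumed values constructed for the example.

```python
import math
import time
from dataclasses import dataclass, field

EARTH_RADIUS_M = 6_371_000.0
RATE_LIMIT = (20, 60.0)          # assumed policy: at most 20 requests per 60 s per user
MAX_SPEED_MPS = 300.0            # assumed policy: faster than ground travel -> spoofed
DISTANCE_BANDS_M = (500, 1_000, 5_000, 20_000)  # assumed policy: coarse bands, never raw metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def distance_band(metres):
    """Map a raw distance to (band index, label); only the label leaves the server."""
    for index, limit in enumerate(DISTANCE_BANDS_M):
        if metres < limit:
            label = f"< {limit} m" if limit < 1000 else f"< {limit // 1000} km"
            return index, label
    return len(DISTANCE_BANDS_M), f"> {DISTANCE_BANDS_M[-1] // 1000} km"


@dataclass
class Profile:
    profile_id: int
    display_name: str
    lat: float
    lon: float
    show_distance: bool = True   # the user's privacy setting, enforced here, not in the UI


@dataclass
class ServerState:
    profiles: dict               # profile_id -> Profile
    sessions: dict               # session token -> profile_id
    last_seen: dict = field(default_factory=dict)   # profile_id -> (time, lat, lon)
    requests: dict = field(default_factory=dict)    # profile_id -> recent request times


def nearby_profiles(state, token, lat, lon, now=None):
    """Server-side handler for a 'nearby profiles' query. Returns a JSON-ready dict."""
    now = time.time() if now is None else now
    caller = state.sessions.get(token)
    if caller is None:                                   # no anonymous queries
        return {"status": 401, "error": "authentication required"}
    window = [t for t in state.requests.get(caller, []) if now - t < RATE_LIMIT[1]]
    window.append(now)                                   # rejected calls count too
    state.requests[caller] = window
    if len(window) > RATE_LIMIT[0]:                      # throttle bulk collection
        return {"status": 429, "error": "rate limit exceeded"}
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return {"status": 400, "error": "invalid coordinates"}
    previous = state.last_seen.get(caller)
    if previous is not None:                             # client geo is untrusted input
        t0, lat0, lon0 = previous
        if now > t0 and haversine_m(lat0, lon0, lat, lon) / (now - t0) > MAX_SPEED_MPS:
            return {"status": 400, "error": "implausible location change"}
    state.last_seen[caller] = (now, lat, lon)
    results = []
    for p in state.profiles.values():
        if p.profile_id == caller:
            continue
        entry = {"profileId": p.profile_id, "displayName": p.display_name}
        band = len(DISTANCE_BANDS_M)
        if p.show_distance:                              # respect the other user's setting
            band, entry["distance"] = distance_band(haversine_m(lat, lon, p.lat, p.lon))
        results.append((band, entry))
    # order by band, then id: the ordering itself must not leak sub-band distances
    results.sort(key=lambda item: (item[0], item[1]["profileId"]))
    return {"status": 200, "profiles": [entry for _, entry in results]}


if __name__ == "__main__":
    demo = ServerState(
        profiles={1: Profile(1, "Alice", 37.7749, -122.4194),
                  2: Profile(2, "Bob", 37.7760, -122.4194),
                  3: Profile(3, "Carol", 37.8000, -122.4194, show_distance=False)},
        sessions={"tok-alice": 1})
    print(nearby_profiles(demo, "tok-alice", 37.7749, -122.4194))
```

The response never contains another user’s coordinates or a raw distance, the showDistance decision is taken on the server, and a session whose reported position jumps faster than MAX_SPEED_MPS is refused, which removes the “change these at will” input of slide 40 without trusting anything the client says about itself.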
43. our goal was to help Grindr understand the issues
DISCLAIMER
during vulnerability research and disclosure no individual users were intentionally or unintentionally identified; all data logged has been irrecoverably destroyed.
The purpose of this research was not to identify Grindr users but to help protect those that wish to remain private.
44. combining bugs can lead to “total tracking”
IT'S MORPHIN' TIME
wide-open APIs + precise relative geo + location spoofing = tracking of any user, anywhere!
45. query the APIs to get info about all ‘nearby’ users
COLLECTION DATAZ
request:
$ python collectInfo.py -o output.json
[+] sent request to: primus.grindr.com POST /2.0/nearbyProfiles
[+] saving response (50 users)
response:
$ less output.json
"profiles": [{
    "profileId": 314159265,
    "displayName": "Waldo",
    "aboutMe": "Where am I?",
    "distance": 0.4980983433684
},
...
46. determine absolute location from relative distances
TRILATERATION
“trilateration is the process of determining absolute locations by measurement of (relative) distances, using the geometry of circles, spheres or triangles.”
trilateration script:
$ python findUser.py -i 314159265
[+] making query 1, 2, 3
    got three relative distances
[+] converting geodetic lat/long to ECEF
[+] transforming circle 1 at origin, circle 2 on x axis, etc
[+] generating array with ECEF x,y,z
[+] converting ECEF back to lat/long
[+] user is at: 73.242539906632, 34.169308121551
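To put numbers on slides 22, 38 and 46 (how much of a user’s position a given distance precision gives away), the example below solves the three-circle problem on a local flat plane and measures the error that rounding the reported distance introduces. It is an added example, not the presentation’s findUser.py: it uses a planar projection instead of the ECEF conversion the slide describes (an assumption that holds for distances of a few kilometres), and the San Francisco origin, the query geometry and the user position are constructed for the example.

```python
import math

METRES_PER_DEGREE = 111_195.0   # 2*pi*6371 km / 360: one degree of latitude in metres


def to_local(lat, lon, lat0, lon0):
    """Project lat/lon onto a flat local plane (metres east and north of lat0/lon0).
    Assumed adequate for the few-kilometre spans a 'nearby users' query covers."""
    x = (lon - lon0) * METRES_PER_DEGREE * math.cos(math.radians(lat0))
    y = (lat - lat0) * METRES_PER_DEGREE
    return x, y


def from_local(x, y, lat0, lon0):
    """Inverse of to_local."""
    lat = lat0 + y / METRES_PER_DEGREE
    lon = lon0 + x / (METRES_PER_DEGREE * math.cos(math.radians(lat0)))
    return lat, lon


def trilaterate(queries, distances):
    """Position at the given distances from three query positions (lat, lon).
    Subtracting the circle equations pairwise leaves two linear equations in x, y."""
    lat0, lon0 = queries[0]
    (x1, y1), (x2, y2), (x3, y3) = (to_local(la, lo, lat0, lon0) for la, lo in queries)
    d1, d2, d3 = distances
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1 ** 2 - d2 ** 2 + x2 ** 2 - x1 ** 2 + y2 ** 2 - y1 ** 2
    b2 = d1 ** 2 - d3 ** 2 + x3 ** 2 - x1 ** 2 + y3 ** 2 - y1 ** 2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("query positions must not be collinear")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return from_local(x, y, lat0, lon0)


def localisation_error_m(true_pos, queries, precision_m):
    """Metres between a user's true position and the position recoverable from
    three distances that the server reports rounded to precision_m."""
    lat0, lon0 = queries[0]
    tx, ty = to_local(*true_pos, lat0, lon0)
    reported = []
    for la, lo in queries:
        qx, qy = to_local(la, lo, lat0, lon0)
        exact = math.hypot(tx - qx, ty - qy)
        reported.append(round(exact / precision_m) * precision_m)  # what the API would return
    ex, ey = to_local(*trilaterate(queries, reported), lat0, lon0)
    return math.hypot(ex - tx, ey - ty)


# Constructed scenario: a user in San Francisco and three query positions forming a
# 1 km right triangle around them (none of these values comes from the slides).
ORIGIN = (37.7749, -122.4194)
QUERIES = [ORIGIN, from_local(1000.0, 0.0, *ORIGIN), from_local(0.0, 1000.0, *ORIGIN)]
USER = from_local(310.0, 420.0, *ORIGIN)

if __name__ == "__main__":
    for precision in (0.001, 1.0, 100.0, 1000.0):
        err = localisation_error_m(USER, QUERIES, precision)
        print(f"distance precision {precision:>8} m -> position error {err:8.2f} m")
```

With this geometry, distances rounded to 1 m recover the position to within a metre, rounding to 100 m leaves roughly 40 m of error, and rounding to 1 km still only about 200 m. Quantizing the distance helps, but on its own it is not what stops tracking, which is why slide 54 lists non-precise geo alongside protected APIs and correct UI logic, and slide 52 counts the missing rate limiting among the remaining issues.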
47. so lets map some users
USER LOCATION
(maps: San Francisco, Sochi (olympics), stores, capitols)
48. so lets track some willing users
USER TRACKING
your life; revealed
49. it’d be trivial to reveal anonymous user’s identities
IDENTIFYING USERS
picture + geo tracking (home, work) + profile name: revealed!
50. …didn’t care :/
REPORTING TO GRINDR
early 2014 - initial disclosure to vendor
followups included conference calls, technical write-ups, & POCs
didn’t fix anything
“we do not view this as a security flaw” -grindr.com/blog/grindr-security
51. …sadly it came to this to get (some) fixes
CAT GOT OUT OF THE BAG
“Egyptian officials have resorted to using location-based dating app Grindr to arrest gay men"
“Grindr fails to protect their user’s” -anonymous (pastebin)
people’s lives affected :(
52. fixes & current issues
GRINDR RESPONSE
fixes: user’s settings respected; geofencing (in Egypt, etc.); geolocation accuracy set to kCLLocationAccuracyNearestTenMeters
current issues: no SSL pinning, open APIs, spoofing, no rate limiting
still can track most users!
54. for users and app developers alike
BEST PRACTICES
user: assume you can be tracked; disallow tracking at the OS level
developer: secure comms, secure local storage, protected APIs, non-precise geo, correct UI logic
where’s waldo?!