Security researchers Colby Moore and Patrick Wardle reveal how poor security practices in mobile application development could reveal your location to anyone.
WASHINGTON, D.C. – Today at ShmooCon, Colby Moore and Patrick Wardle presented on how poor security practices in mobile application development could reveal your location to anyone.
According to Moore and Wardle, geolocation is the norm in user apps—even in apps you don’t suspect. Moore and Wardle listed a few apps that have had geolocation vulnerabilities in the last few years, including Whisper, Tinder, Starbucks, and, most surprisingly, Angry Birds.
Moore and Wardle talked about common problems with geolocation technology in applications, including unencrypted communication and mis-use of certificates, insecure data storage, location spoofing, over precise location, insecure 3rd party APIs, and UI settings.
Grindr Case Study
The core of Moore and Wardle’s talk were the findings from a case study where they exploited a combination of these common problems in the gay dating app, Grindr.
According to Moore, Grindr had a “ridiculously bad misuse of geo information.” Wardle went on to say that because of these poor practices they were able to track “any of [Grindr’s] users anytime, anywhere in the world.”
Moore and Wardle demonstrated the data they were able to collect using the vulnerabilities, and the findings were shocking. They were not only able to determine tens of thousands of users’ precise coordinates (down to the subcentimeter), but they were able to track the users in real time.
They were also able to discover the users’ identities. They used geolocation data to find the users’ home and work locations and data from the users’ profiles to find their names, ages, heights, and weights along with links to social media profiles and photos of the users. Even if the Grindr users had kept their identity anonymous in the application, Moore and Wardle were able to discover the users’ identities by using the data that the app collected.
Moore and Wardle reported the vulnerabilities to Grindr in March 2014. Though Grindr silently patched one of the vulnerabilities, the other vulnerabilities remained untouched until authorities in Egypt and Iran used the geolocation functionality of the app to enforce an anti-gay agenda and arrest Grindr users.
Though Grindr has since made patches in an attempt to fix the reported vulnerabilities, Moore and Wardle say that they can still track users with the app.
“As part of the Grindr service, users rely on sharing location information with other users as a core function of the application… Grindr’s geolocation technology is the best way for users to meet up simply and efficiently. As such, we do not view this as a security flaw,” the company said.
Protecting Yourself and Your Users with Best Practices
Moore and Wardle recommended users protect themselves and developers protect their users by following best practices.
- Assume you can be tracked
- Disallow tracking at the OS level
- Secure communications
- Protect APIs
- Use correct UI logic
- Secure local storage
- Set non-precise geolocation (apps with default to most granular level if not set)
Moore is a Security Research Engineer at Synack and Wardle is the Director of Research at Synack, a security company that works to crowdsource vulnerability testing for enterprises. The pair spoke at DEFCON last fall on the malicious use WiFi security cameras and will be presenting at AppSec Cali this year on various mobile application vulnerabilities.
For a live stream of ShmooCon 2015, see this page.
For the slides from Moore and Wardle’s talk, see this page.