AppSec California 2015

Mobile apps are truly ubiquitous and enhance our lives in countless ways. However, many either leak or insecurely handle geolocation data, affording an attacker the ability to locate or track users. Here, we present an intriguing case study of a widespread social dating app that was vulnerably to a surprising number of OWASP mobile risks. Weak server side controls? check! Insufficient Transport Layer Protection? check!
Unintended data leakage? check! ...and on and on.

Our case study will present research performed on Grindr (a common social dating app), and illustrate a myriad of geolocation bugs that placed its users in harms way (see: ‘Grindr vulnerability places men in harm's way’ http://goo.gl/dg4cs6). First, due to the lack of SSL pinning, we present a MitM attack that reveals the user’s exact location. Following this, we demonstrate a far simpler and generic attack. This attack combined several bugs, including the fact that the app reported (to anybody), the precise relative distance of all ‘near-by’ users. With these distances and the ability to spoof one’s location and perform unlimited requests, trilateration could precisely locate and track users world-wide. Unfortunately, (though we responsibly reported the bugs) patches only appeared after it was reported that the Egyptian government was tracking and arresting Grindr users.

Besides illustrating location-specific bugs and providing real-world examples, the talk will provide suggestions best practices to ensure applications are developed in a manner that does not put users at risk. Such suggestions include precision limiting of geolocation data, rate limiting APIs (in order to make large-scale data harvesting difficult), and limiting the speed and magnitude of user location changes (to prevent harvesting of distances from arbitrary points). For companies or anybody developing location-aware apps, these suggestions will be directly applicable.