When Geo Goes Wrong - A Case Study of Geolocation Vulnerabilities in Mobile Apps

OWASP Foundation via YouTube

Overview

Explore a case study on geolocation vulnerabilities in mobile apps, focusing on a popular social dating application. Delve into several OWASP mobile risks, including weak server-side controls, insufficient transport layer protection, and unintended data leakage. Learn how man-in-the-middle (MitM) attacks reveal user locations, how trilateration from a few reported distances lets an attacker track users anywhere in the world, and what the real-world consequences of these flaws are. Discover best practices for building location-aware apps, including limiting the precision of geolocation data, rate limiting APIs, and restricting how often and how far a user's reported location may change. Gain insights into the intersection of physical-world and software security, with examples from embedded systems, social networks, and consumer devices.

Syllabus

Intro
GEOLOCATION IN MOBILE APPS incorporating geolocation is the norm
How is GEOLOCATION ACCOMPLISHED (IOS)? using the Core Location Manager
GEOLOCATION (I)OS LEVEL PROTECTIONS os-level alerts
GEO CAN 'LEAK' IF THE APPLICATION IS BUGGY ...bad for users!
THEY KNOW YOUR LOCATION
COMMON CLASSES OF GEO BUGZ can compromise a user's physical location
INSECURE NETWORK COMMS
OVER PRECISE LOCATION
USER INTERFACE
EXAMPLE OF GEO BUGS buggy apps that compromised a user's physical location
STARBUCKS overpriced coffee, plus a shot of geo tracking
WHISPER the safest place on the internet - NOPE
TINDER precise geo of nearby users, allowed tracking
ANGRY BIRDS ... they are watching you play
GRINDR'S PREVIOUS ISSUES Those who cannot learn from history are doomed to repeat it
LACK OF SSL PINNING the app does not pin its certs
REPORTING OF PRECISE GEO
LOCATION SPOOFING can spoof your location as much as you want
WIDE-OPEN APIS unauthenticated, unlimited access to APIS
'BROKEN' UI LEVEL LOGIC what you see/say isn't what you get
DISCLAIMER our goal was to help Grindr understand the issues
TRILATERATION determine absolute location from relative distances
USER LOCATION so lets map some users
IDENTIFYING USERS it'd be trivial to reveal anonymous users' identities
GRINDR RESPONSE fixes & current issues
QUESTIONS & ANSWERS feel free to contact us any time!
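The trilateration step in the syllabus, and the precision-limiting defence the overview recommends, are easier to judge with numbers. The following is an added example written for this page; it is not code from the talk, from OWASP, or from any of the apps named above. It models a "nearby users" endpoint that returns the distance from the caller's self-reported position to a target user, the way the vulnerable app behaved, and then the same endpoint with the target's stored location snapped to a coarse grid before the distance is computed. The target position, the probe positions and the local east/north metre frame are all constructed for the example.

```python
"""
Trilateration of a user from three distance replies, and the effect of
limiting the precision of the stored location before distances are computed.

Added example for this page, not code from the talk or from any app it names.
All positions are constructed: metres east / metres north of an arbitrary
reference point, so no real coordinates or user data are involved.
"""
import math
from typing import Optional, Tuple

Point = Tuple[float, float]

# Constructed hidden target the attacker wants to locate.
TARGET: Point = (1234.5, -678.9)


def snap_to_grid(p: Point, cell_m: float) -> Point:
    """Precision limiting: move p to the centre of its cell_m x cell_m cell."""
    return (
        (math.floor(p[0] / cell_m) + 0.5) * cell_m,
        (math.floor(p[1] / cell_m) + 0.5) * cell_m,
    )


def distance_api(probe: Point, target: Point = TARGET,
                 cell_m: Optional[float] = None) -> float:
    """Model of a 'nearby users' endpoint: distance in metres from the caller's
    reported position to the target user.  With cell_m=None it behaves like
    the vulnerable app (exact distance to the exact location).  With cell_m
    set, the target's location is snapped to a grid before the distance is
    taken, so no amount of querying reveals more than the cell."""
    t = target if cell_m is None else snap_to_grid(target, cell_m)
    return math.hypot(probe[0] - t[0], probe[1] - t[1])


def trilaterate(p1: Point, d1: float, p2: Point, d2: float,
                p3: Point, d3: float) -> Point:
    """Solve for (x, y) from three probe positions and their reported distances.
    Subtracting circle 1 from circles 2 and 3 cancels the quadratic terms and
    leaves two linear equations:
        2(x2-x1)x + 2(y2-y1)y = d1^2 - d2^2 + x2^2 + y2^2 - x1^2 - y1^2
    (likewise for probe 3), which are solved with Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1 ** 2 - d2 ** 2 + x2 ** 2 + y2 ** 2 - x1 ** 2 - y1 ** 2
    b2 = d1 ** 2 - d3 ** 2 + x3 ** 2 + y3 ** 2 - x1 ** 2 - y1 ** 2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("probe positions are collinear; pick a third off the line")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return (x, y)


def locate(cell_m: Optional[float] = None) -> Point:
    """Attacker procedure: spoof three well-separated positions (location
    spoofing is free when the client is trusted), read the distance the API
    returns for each, and trilaterate."""
    probes = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0)]
    dists = [distance_api(p, cell_m=cell_m) for p in probes]
    return trilaterate(probes[0], dists[0], probes[1], dists[1],
                       probes[2], dists[2])


def error_m(estimate: Point, truth: Point = TARGET) -> float:
    """Distance in metres between the attacker's estimate and the true position."""
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


if __name__ == "__main__":
    exact = locate()
    print(f"vulnerable API:        estimate {exact}, error {error_m(exact):.2f} m")
    coarse = locate(cell_m=1000.0)
    print(f"snapped to 1 km cells: estimate {coarse}, error {error_m(coarse):.2f} m")
```

Against the unmodified endpoint, three queries recover the target to within floating-point noise. With the stored location snapped to a 1 km grid, trilateration still works perfectly, but it only ever recovers the cell centre, so the error is bounded by half the cell diagonal (about 707 m here) regardless of how many queries the attacker makes. Snapping the stored location is what makes the bound hold: merely rounding the returned distance is weaker, because an attacker can move the spoofed probe until the rounded value flips and thereby find the true circle. Rate limiting the endpoint and restricting how far a reported location may jump between requests, the other two measures the talk recommends, raise the cost of collecting the three probes but do not by themselves bound the error.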

Taught by

OWASP Foundation
