The first slide in the researchers' presentation. Credit: Synack
WASHINGTON — Poor security on many iOS apps lets iPhone users be location-tracked by strangers, putting those users in potential danger, two researchers said at the ShmooCon hacker conference here on Saturday (Jan. 17).
Patrick Wardle and Colby Moore of Menlo Park, California-based information-security firm Synack explained how the Angry Birds, Starbucks, Tinder and Whisper iOS apps all leaked the user's location to potential hackers who could intercept the GPS data being sent back to the app's servers.
However, they said, Grindr, the dating app for gay men, was by far the worst they tested — to the point where flaws they had told Grindr about, but which the app maker refused to fix, let police in Egypt find and identify local Grindr users and arrest them for public indecency.
"If you track a person's public movements, you can generate an incredible amount of personal data," Wardle said, explaining why protection of user location was so significant.
Moore and Wardle's presentation, entitled "There's Waldo! Tracking Users via Mobile Apps," enumerated several ways in which common smartphone apps leaked geolocation data, which about three-quarters of all smartphone apps collect. The researchers analyzed only iOS apps, but did not say Android apps would be any safer.
An app could transmit user location to its servers insecurely, they explained — most obviously if it sent that data in plaintext, but also if it failed to properly encrypt it. Angry Birds was seen by the National Security Agency as a prime source of leaky transmitted geolocation data, according to documents leaked by Edward Snowden.
Or an app could store user location on the device itself insecurely, as the Starbucks iOS app was found to be doing in January 2014, showing anyone who had access to the phone where the user had been.
Some apps allow location spoofing, permitting the user to fake where he is. Others transmit the user's location too precisely: a Brooklyn security firm in February 2014 showed it could use triangulation techniques to pinpoint any Tinder user to within 100 feet.
"Do apps really need to specify latitude and longitude down to 12 decimal points?" Wardle wondered.
An app could also do things of which the user is unaware, Moore and Wardle said. It could have hidden interactions with the server that could be unprotected and open to attack by hackers — an oversight on the part of the developers.
Or it could flat-out mislead the user, such as by offering an option to not share precise location data with other users, but then transmitting all that information to the servers anyway — and even giving that information to government agencies, as the purportedly anonymous messaging app Whisper was allegedly found to be doing this past fall.
Most leaky smartphone apps only have one or two of these common geolocation security flaws, Wardle and Moore said. But Grindr had all six, which could be combined to turn Grindr into a tool for "total tracking."
"It's really easy to narrow down who's who" using Grindr, Moore said, adding that just following a person's daily movements would quickly reveal his exact home and work addresses.
The researchers spoofed Grindr locations so that a single iPhone would appear to the Grindr servers to be in several locations nearly simultaneously. Each location would show a different, but overly precise, relative distance to another Grindr user who was being (voluntarily) targeted; the target's location then could be very accurately triangulated with a single iPhone instead of three or more.
Grindr's user interface was more than misleading, they said. Even if a user opted not to share relative distance, that information was still transmitted to all other users, if not displayed. But the lack of protection for the Grindr app itself not only let skilled attackers read that hidden received distance data — it also could reveal the sender's name, height, age and appearance.
Wardle and Moore said they'd completed much of this research by early 2014, at which point they told the Grindr parent company about the flaws. The company, the two said, wasn't intrested and refused to implement fixes.
A few months later, Moore and Wardle said, someone else found the same flaws and anonymously posted the exploits on Pastebin. Days after that, they said, police in Egypt decided to implement the exploits to arrest gay men.
After news of the arrests reached the West, Grindr made changes. First, it fixed the user interface so that the relative-distance opt-out actually worked. Several days later, it made sure that Grindr users in Egypt and several other countries known to repress gays would have relative-distance-sharing turned off by default.
"We do not view this as a security flaw," a post on the official Grindr blog discussing the Egyptian situation said.
However, Moore and Wardle pointed out, the Grindr app still fails to protect its communications with the server, hidden or otherwise, and fails to prevent location spoofing.
All app developers, they said, should make sure than their communications and data storage are fully secure, that user geolocation is not overly precise and that user interfaces are truthful and clear. All users, they added, should assume that they are being tracked by smartphone apps at all times, and should disable tracking in general settings, not app by app, if they feel uncomfortable about that.
- iOS 8 Security Tips to Keep Your Data Safe
- 10 Facebook Privacy and Security Settings to Lock Down
- 12 Mobile Privacy and Security Apps