
Felipe Molina
Security Analyst on Orange Cyberdefense's SensePost Team
Felipe Molina is a Spanish hacker working in the SensePost Team at Orange Cyberdefense. He loves Andalusia, hacking, drinking beer, barbecuing with family and friends, diving deep into new software to find cool vulnerabilities, and learning how stuff works under the hood.
Breaking the Security of Location-enabled Apps
Using the Location Based Services (LBS) of various mobile applications, we were able to precisely geolocate users of many of these platforms. We performed a broad-based study of nearly twenty applications. A vulnerability class that is nearing its 10-year anniversary more recently surfaced in Telegram, for which we were also able to develop a partial bypass to still locate users with good enough accuracy. In this talk, we will discuss how to exploit these LBS vulnerabilities while automating parts of them, as well as how to effectively defend against them.
As penetration testers, we have analyzed many LBS-enabled mobile applications, ranging from social networks and mobile games and payments to banking applications. These services, while seemingly harmless, are often used without considering their privacy impact. Since 2013, well-known applications such as Tinder, Grindr, Strava and others have suffered from LBS-related vulnerabilities and privacy concerns.
Many popular applications have since implemented mechanisms to protect their users' privacy, such as profile verification to prevent "catphishing" and API abuse, rounding distances to the closest round number, or letting users opt out of displaying distance on their profile. However, many of these implementations were insufficient to make it impossible to reveal the real location of other users. In this talk, we will discuss these implementation issues, how profile verification could be bypassed to maintain access to a location-related API endpoint, and release tooling to automate part of the location detection process. Finally, we will discuss ways to defend against LBS implementation issues from both a developer and a user perspective.
