Ever since reading about how a security firm in California was able to find the exact location of any user on Tinder through a technique called mobile traffic proxying, I have wanted to try to examine my own mobile traffic.
Up and running, I poked around the traffic of several social apps. Interestingly, Snapchat is still on Google App Engine and the name of their API server is: https://feelinsonice-hrd.appspot.com. I guess time will tell if they will be feelin..so..nice after turning down Facebook’s $3B acquisition offer!
I also checked out Kluck’s app (Kluck is a pseudonym and you can see the FAQ for why I chose not to disclose the name). Kluck has raised over $5M in venture capital, is highly ranked in the app store, has publicly claimed to have 10M+ users, and hundreds of millions of social interactions.
The first thing that jumped out when proxying Kluck’s traffic between the app and main API was that the API included my last-seen location, with up to 5 decimal places of precision! I immediately wondered whether Kluck just returned my location, or whether I could see anyone’s.
I proceeded to visit a series of other users’ profiles, including total strangers. In every instance, Kluck returned the user’s location.
To verify if the data was also accurate, I had two friends quickly load up the app on their phone. When I visited their profiles and proxied the responses, I could pinpoint their exact locations to the office block in mid-town NYC and the entrance to the Montreal airport respectively.
I alerted Kluck to this early Friday, and by mid-Saturday, their management team followed up articulating they had fixed the API and it no longer exposed users’ location (you can read their message here).
Kluck isn’t the only app to expose sensitive user data, nor is it even the first to expose geodata.
On the mobile web, it is harder than ever for users to see the data services communicate on their behalf. On desktop, tools like Chrome’s Inspect Element come with the browser and make it comparatively simple for everyone to see the requests a page makes. On mobile, apps don’t come with data inspection tools for the curious. There isn’t a third-party service for verifying that APIs don’t expose sensitive information. And tools like Charles cost $50 and take time to set up.
As web usage increasingly moves from desktop to mobile, both companies and users need to work together to ensure that we can maintain a reasonable expectation of privacy. One-click, immediate authorization of our contacts, location, etc. at the time of app install shouldn’t undermine this, nor should the barriers that inhibit users from holding companies honest keep them from establishing the best norms. And users, for our part, need to be increasingly vigilant about the authorizations we quickly grant and forget.
What is the actual name of the company? I have chosen not to disclose this because naming them does not strengthen the case for increased vigilance on the part of companies and users against exposing sensitive user data. Disclosing the name of the company helps with media attention for the issue, but doesn’t benefit the company, and they moved swiftly to fix the issue.
When did you alert Kluck? I sent an email to support and management on Friday, April 25th.
When was a fix communicated? Saturday, April 26th
What is proxying? Effectively, you set up your laptop to share its internet connection and have your phone access the internet through that proxied wireless network. The Charles Proxy app then runs on your laptop and monitors all traffic coming into and out of your phone, exposing it as plaintext for simple examination.
How precise was the data? The location data was precise to 5 decimal places (~1 metre).
What does this vulnerability allow one to do? Access the last recorded location of a subset of users who had the app installed on their phone and had authorized Kluck to use their location.
Is this real time? No, it is the last location Kluck recorded. This could have been the last time they opened the app, or the last time Kluck passively collected it.
Had these users checked in? They hadn’t. They had willingly granted Kluck access to their location at the time of install, and the app then periodically updated it in the background.
Is this specific to Kluck? No, Tinder and other apps have had similar flaws exposed.
Did anybody exploit this? I don’t know
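To make the two technical points above concrete (the API returning other users’ coordinates, and 5 decimal places being roughly 1 metre), here is an added example, not code from the post or from Kluck. It audits a captured JSON API response (the kind of body you would see in a proxy) for coordinate fields that carry more precision than a profile view needs, reports the approximate ground resolution of each, and shows the obvious server-side mitigation of rounding coordinates before returning them to anyone but the account owner. The sample response, its field names and values are constructed for the example; the coordinate key names it looks for are an assumption about typical APIs, not Kluck’s real schema.

```python
import json
import math
from decimal import Decimal

# Approximate metres spanned by one degree of latitude (WGS-84 mean value).
METRES_PER_DEGREE_LAT = 111_320.0

# Key names that commonly carry coordinates in JSON responses (assumption,
# not the audited app's real schema).
COORD_KEYS = {"lat", "latitude", "lng", "lon", "long", "longitude"}


def decimal_places(value):
    """Digits after the decimal point of a JSON number, or None for non-numbers."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    exponent = Decimal(repr(value)).as_tuple().exponent
    return max(0, -exponent)


def precision_in_metres(places, latitude_deg=0.0):
    """Ground resolution of a coordinate carrying `places` decimal digits.
    Latitude resolution is constant; longitude shrinks by cos(latitude).
    5 places -> about 1.1 m, 2 places -> about 1.1 km."""
    lat_m = METRES_PER_DEGREE_LAT * 10 ** (-places)
    lon_m = lat_m * math.cos(math.radians(latitude_deg))
    return lat_m, lon_m


def find_coordinates(node, path="$"):
    """Walk a decoded JSON document and yield (json_path, value) for every
    numeric field whose key looks like a coordinate."""
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}"
            if key.lower() in COORD_KEYS and decimal_places(val) is not None:
                yield child, val
            else:
                yield from find_coordinates(val, child)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from find_coordinates(val, f"{path}[{i}]")


def audit_response(body, max_places=2):
    """Flag coordinate fields in a captured response body that carry more
    decimal places than `max_places` (2 places is city-block level)."""
    findings = []
    for path, value in find_coordinates(json.loads(body)):
        places = decimal_places(value)
        if places > max_places:
            lat_m, _ = precision_in_metres(places)
            findings.append({"path": path, "value": value,
                             "places": places, "approx_metres": round(lat_m, 1)})
    return findings


def coarsen(value, places=2):
    """Server-side mitigation: round a coordinate before returning it to
    anyone other than the account owner, capping the leak at ~1 km."""
    return round(value, places)


# Constructed sample profile response, modelled on the kind of payload the
# post describes. Names, ids and coordinates are made up.
SAMPLE_PROFILE_RESPONSE = json.dumps({
    "user": {"id": 12345, "name": "example",
             "last_seen": {"lat": 40.75432, "lng": -73.98612, "ts": 1398441600}},
    "friends": [{"id": 678, "location": {"latitude": 45.47, "longitude": -73.74}}],
})

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_PROFILE_RESPONSE):
        print(finding)
```

Run against a response you captured in the proxy, the audit reports only the `last_seen` pair (5 places, about 1.1 m), while the friend’s 2-place location passes. The same scan can be pointed at a directory of saved responses to check that a fix like `coarsen` actually reached every endpoint that echoes another user’s location.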