Exploiting Vulnerabilities in Location Based Commerce
DESCRIPTION
This presentation discusses in detail how to exploit vulnerabilities in #MobileApplications that use the user's location to filter data or to provide location-specific content and commercial offers. The session showcased live examples by exploiting vulnerabilities in some famous applications used by mobile users worldwide. The last part of the session covers prospective solutions to secure applications against these vulnerabilities.
TRANSCRIPT
Location Based Services → Exploiting Vulnerabilities
Netherlands | USA | India | France | UK
SOFTWARE DEVELOPMENT DONE RIGHT
www.xebia.in; Blog: http://xebee.xebia.in
What are Location Based Services? → A service that depends on the network knowing your location
LBS allow consumers to receive services and advertising based on their geographic location.
Location Based Services
Location Based Services can basically be divided into 4 broad categories:
1. Location Based Search Information
2. Location Based Commerce
3. Navigation Services
4. Tracking Applications
Location Based Information
Location Based Commerce
Location Based Navigation
Location Based Tracking
Location and Constellations
A New Man Made Constellation
Location Acquisition Methods
1. GPS
2. Assisted GPS
3. Cell Towers
4. Cell-ID
5. WiFi Hotspots
6. IP Address
Location Accuracy and Usage
Precise Location Acquisition
GPS (Global Positioning System)
• 24 satellites in orbit. Typically 5 to 8 are visible from any one place
• Distance calculated by time it takes for signal to travel from satellite to receiver. Calculating the time it takes from 4 satellites provides an accurate fix.
Location Accuracy and Usage
Precise Location Acquisition
Assisted GPS
• GPS has a slow time to fix unless it is permanently tracking satellites
• Assisted GPS is based upon providing GPS satellite information to the handset, via the cellular network
• Assisted GPS gives improvements in Time to First Fix
No Location Verification
• 99% of applications providing Location Based Services lack a location verification mechanism.
This leaves all these applications vulnerable to location spoofing attacks
Location Spoofing
Injecting Fake Locations
Location Spoofers
Results of Location Spoofing
• Commercial applications can be fooled by checking in with spoofed locations.
• Rewards, offers, deals on specific locations can be availed ☺
Results of Location Spoofing
• Tracking applications can be fooled by fixing a fake location or randomly changing location.
• In case of continuous fleet tracking, pre-designed routes can be simulated to spoof continuous location
Solutions to Location Spoofing
Client side validations
• Hourly location
• Cell towers triangulation
Server side validations
• Date of Registration
• RapidFire Check-ins
• Previous Check-ins, History
• Distance Algorithms
• Traffic updates
• Speed and stops
• Locations in other Applications
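An added example, not part of the original slides: a server-side plausibility check that combines the "Distance Algorithms", "Speed and stops", "Previous Check-ins" and "RapidFire Check-ins" items above. The function name review_checkin, the thresholds and the sample coordinates are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0                 # assumed ceiling, roughly airliner cruise speed
RAPID_WINDOW = timedelta(minutes=10)  # assumed rapid-fire window
RAPID_LIMIT = 3                       # assumed max earlier check-ins inside the window

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def review_checkin(history, new):
    """Return reasons to hold `new` for review, given the user's earlier check-ins.

    Each check-in is a (timestamp, latitude, longitude) tuple and `history`
    is sorted oldest first. An empty list means the check-in looks plausible.
    """
    reasons = []
    ts, lat, lon = new
    if history:
        prev_ts, prev_lat, prev_lon = history[-1]
        hours = (ts - prev_ts).total_seconds() / 3600.0
        dist = haversine_km(prev_lat, prev_lon, lat, lon)
        if hours <= 0:
            reasons.append("timestamp_not_after_previous")
        elif dist / hours > MAX_SPEED_KMH:
            # Distance covered since the last check-in implies impossible travel.
            reasons.append("impossible_speed")
    # Count earlier check-ins that fall inside the rapid-fire window.
    recent = [c for c in history if timedelta(0) <= ts - c[0] <= RAPID_WINDOW]
    if len(recent) >= RAPID_LIMIT:
        reasons.append("rapid_fire_checkins")
    return reasons

# Constructed sample data: a Delhi check-in, then "Amsterdam" five minutes later.
t0 = datetime(2024, 1, 1, 12, 0)
delhi = (t0, 28.6139, 77.2090)
amsterdam = (t0 + timedelta(minutes=5), 52.3676, 4.9041)
nearby = (t0 + timedelta(minutes=30), 28.6300, 77.2200)

if __name__ == "__main__":
    print(review_checkin([delhi], amsterdam))
    print(review_checkin([delhi], nearby))
```

A flagged check-in is best routed to review or denied the reward rather than silently dropped, since GPS drift and clock skew produce occasional false positives.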
Spoofing GPS Constellation
GPS Signal Simulators / Signal Spoofer
Spoofing GPS Constellation
Possible Solutions ????????????
Spoofing GPS Constellation
Thank You!
Happy Spoofing :)