What if your favorite dating, social media or gaming app revealed your exact coordinates to someone you’d rather keep at a distance?
Analysis Summary
# Main Topic
Inadvertent leakage of precise user location coordinates from location-based applications, specifically dating, social media, and gaming apps, through methods that allow triangulation based on "X miles away" data, posing risks related to stalking and unwanted contact.
## Key Points
- Researchers at Black Hat USA demonstrated that relative distance information (e.g., 'located in Tampa 23 miles away') can be exploited to determine a user's exact coordinates.
- The technique involves spoofing the attacker's location repeatedly to form overlapping circles based on the stated distances, converging on the victim's precise location.
- The issue primarily affects apps or services that use or expose *exact* location data, and it can be mitigated if location data is sufficiently rounded (e.g., to within one mile).
- The researchers responsibly disclosed these privacy vulnerabilities to the affected dating apps' vendors, and the issues have reportedly been resolved.
- The study examined 15 dating apps for these privacy issues, alongside reviewing their API interfaces and privacy policies.
## Threat Actors
- The report focuses on the potential exploitation by external malicious actors (e.g., stalkers, predators) using data obtained from vulnerable applications, rather than naming specific APT groups.
- The implied threat actor motivation is stalking, harassment, or obtaining precise personal location data against the user's will.
## TTPs
- **Information Elicitation:** Leveraging distance reporting features within geo-location apps.
- **Location Spoofing:** The primary technique involves manipulating the attacker's reported location so that each spoofed position becomes a known reference point for the triangulation calculation.
- **Geospatial Triangulation:** Using the intersection points of multiple overlapping circles (derived from known attacker locations and reported victim distances) to calculate the single point of the victim's exact location.
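The geometry behind the TTP above (strictly trilateration: intersecting distance circles) and the rounding mitigation from the Key Points can be checked with a small simulation. This is an added example, not code from the report or the researchers; the victim position, the three probe positions and the flat-plane approximation in kilometres are constructed assumptions.

```python
import math

MILE_KM = 1.609344  # kilometres per statute mile

# Constructed scenario: a small area approximated as a flat plane (km).
# VICTIM is the true position; PROBES stand for the spoofed reporter
# locations from which an app would return "N miles away".
VICTIM = (3.2, 1.7)
PROBES = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]


def reported_distance(victim, probe, step_km):
    """Distance the app discloses: exact when step_km is 0, otherwise
    quantised to whole multiples of step_km (e.g. whole miles)."""
    d = math.dist(victim, probe)
    if step_km <= 0:
        return d
    return round(d / step_km) * step_km


def trilaterate(probes, distances):
    """Least-squares point estimate from (probe, distance) pairs.
    Subtracting the first circle equation from the others linearises
    the system to A p = b; solve the 2x2 normal equations by Cramer."""
    (x1, y1), d1 = probes[0], distances[0]
    rows = []
    for (xi, yi), di in zip(probes[1:], distances[1:]):
        a = (2 * (xi - x1), 2 * (yi - y1))
        b = xi**2 - x1**2 + yi**2 - y1**2 - di**2 + d1**2
        rows.append((a, b))
    saa = sum(a[0] * a[0] for a, _ in rows)   # entries of A^T A
    sab = sum(a[0] * a[1] for a, _ in rows)
    sbb = sum(a[1] * a[1] for a, _ in rows)
    sa_b = sum(a[0] * b for a, b in rows)     # entries of A^T b
    sb_b = sum(a[1] * b for a, b in rows)
    det = saa * sbb - sab * sab
    return ((sa_b * sbb - sab * sb_b) / det, (saa * sb_b - sab * sa_b) / det)


def localisation_error_km(step_km):
    """Distance between the trilaterated estimate and the true position
    when the app rounds reported distances to multiples of step_km."""
    dists = [reported_distance(VICTIM, p, step_km) for p in PROBES]
    return math.dist(trilaterate(PROBES, dists), VICTIM)


if __name__ == "__main__":
    for label, step in [("exact", 0.0), ("0.01 mi", 0.01 * MILE_KM), ("1 mi", MILE_KM)]:
        print(f"{label:>8}: estimate off by {localisation_error_km(step):.3f} km")
```

With exact or centi-mile distances the estimate lands within metres of the true point; rounding to whole miles pushes the same three probes to an error of several hundred metres, which is the effect the mitigation relies on.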
## Affected Systems
- Dating applications (15 examined by researchers).
- Social media applications utilizing location features.
- Gaming applications that locate nearby players.
- Both iOS and Android platforms are implied, as mitigation steps for both are mentioned.
## Mitigations
- **Application Vendor Action:** Developers must revisit location handling to ensure location data is sufficiently obscured (e.g., rounding location to a larger radius rather than exposing precise coordinates).
- **User Action (iOS):** Change app permissions in 'Settings' > 'Privacy & Security' > 'Location Services' to limit sharing to **within three kilometers** of the precise location.
- **User Action (Android):** Adjust permissions via long-pressing the app icon > 'App info' > 'Permissions' > 'Location' to select options that limit precise sharing.
## Conclusion
The vulnerability posed by improper location handling in popular consumer apps represents a significant but solvable privacy risk. While researchers have informed affected vendors, users must proactively use built-in operating system controls to limit location precision for high-risk apps such as dating services, so that their precise location cannot be recovered through triangulation.