Back
Matt Lewis
Research
Vulnerability

March 7, 2014

2 mins read

Vulnerabilities Found In Geofencing Apps

Geofencing apps, which use the global positioning system (GPS) to create virtual barriers to enable different functionality in applications, or devices, depending on geographical area, are not as secure as they could be.

We carried out a range of tests and have discovered a number of vulnerabilities in various apps.

Such apps have a variety of uses ranging from anti-theft protection to locating missing children and many allow users to receive alerts should a mobile device leave or join a specified area.

However, we have found that it is possible to bypass their geofencing capability and to send false location information to users.

This effectively means that if users are utilising such applications to keep track of resources or people, attackers could make it look like these people or resources are not where they should be.

One of the popular uses of geofencing apps is to track children, but users, and this even includes clever kids, could hack the app to make it look as though they are always in a safe place.

Kidnappers could hack the app to make out the child is where they are supposed to be, when in actual fact they are in a different location and could send false signals in order to confuse both police and parents to their actual whereabouts.

We found that all of the applications that we tested were vulnerable to similar attacks involving HTTP modification via active traffic interceptions, and to third-party GPS spoofing applications.

Some were vulnerable to straightforward code decompilation and modification, while all tested applications prevented users from finding the location of another user unless previously authorised to do so.

The user impact of our tests varied from all users being emailed that a device was outside a geofence to device location locking through code modification.

We used geofencing mobile applications available on the Android operating system from the GooglePlay store in our security analysis and looked at issues associated with privacy, integrity and overall security.

Our whitepaper ‘An Analysis of Mobile Geofencing App Security’ has more information on the tests that we conducted.

Published date:  07 March 2014

Written by:  Cyber Security Expert

Published by Matt Lewis

Here are some related articles you may find interesting

Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis

During the spring of 2024, Google engaged NCC Group to conduct a design review of Confidential Mode for Hyperdisk (CHD) architecture in order to analyze how the Data Encryption Key (DEK) that encrypts data-at-rest is protected. The project was 10 person days and the goal is to validate that the…

Public Reports

April 12, 2024

1 min read

Non-Deterministic Nature of Prompt Injection 

As we explained in a previous blogpost, exploiting a prompt injection attack is conceptually easy to understand: There are previous instructions in the prompt, and we include additional instructions within the user input, which is merged together with the legitimate instructions in a way that the underlying model cannot distinguish…

Machine Learning
Offensive Security & Artificial Intelligence

April 12, 2024

3 mins read

Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224)

Ollama is an open-source system for running and managing large language models (LLMs). NCC Group identified a DNS rebinding vulnerability in Ollama that permits attackers to access its API without authorization, and perform various malicious activities, such as exfiltrating sensitive file data from vulnerable systems.

Research
Technical advisories
Vulnerability

April 8, 2024

7 mins read

Previous post Next post

View articles by category

Most popular posts

Most recent posts

Call us before you need us.

Our experts will help you.

Get in touch