Geofencing apps, which use the global positioning system (GPS) to create virtual barriers to enable different functionality in applications, or devices, depending on geographical area, are not as secure as they could be.
We carried out a range of tests and have discovered a number of vulnerabilities in various apps.
Such apps have a variety of uses ranging from anti-theft protection to locating missing children and many allow users to receive alerts should a mobile device leave or join a specified area.
However, we have found that it is possible to bypass their geofencing capability and to send false location information to users.
This effectively means that if users are utilising such applications to keep track of resources or people, attackers could make it look like these people or resources are not where they should be.
One of the popular uses of geofencing apps is to track children, but users, and this even includes clever kids, could hack the app to make it look as though they are always in a safe place.
Kidnappers could hack the app to make out the child is where they are supposed to be, when in actual fact they are in a different location and could send false signals in order to confuse both police and parents to their actual whereabouts.
We found that all of the applications that we tested were vulnerable to similar attacks involving HTTP modification via active traffic interceptions, and to third-party GPS spoofing applications.
Some were vulnerable to straightforward code decompilation and modification, while all tested applications prevented users from finding the location of another user unless previously authorised to do so.
The user impact of our tests varied from all users being emailed that a device was outside a geofence to device location locking through code modification.
We used geofencing mobile applications available on the Android operating system from the GooglePlay store in our security analysis and looked at issues associated with privacy, integrity and overall security.
Our whitepaper ‘An Analysis of Mobile Geofencing App Security’ has more information on the tests that we conducted.
Published date: 07 March 2014
Written by: Cyber Security Expert