While we all know that websites and applications are collecting personal information such as our locations when we use our mobile devices, it is shocking how often those websites fail to protect that information.
If an application doesn’t encrypt personal information while it is in transit across the internet, you can safely assume that the company has not correctly prioritized protecting that information. “Leaked” information, meaning information that is not encrypted when it is collected, is common not only among small companies; major organizations also fail to take this simple precaution.
Often the offender is a third-party library integrated into an application to support advertising or mapping. In a quick test, we found apps for AAA, the Weather Channel and various websites leaking our location, unencrypted, through various requests. You can use the same approach that we did to find leaky applications on your devices.
This post will walk you through the steps to define rules to detect your location in your traffic and reveal which sites and apps you may want to think twice about before using.
In this example, we’re going to use Network Monitor to analyze network traffic and tag streams that contain unencrypted coordinates of a particular location. There are several ways to match geo traffic, but here we’re going to use a rule to create a new “location” metadata tag which enables some interesting features.
To get started, open the Recon Network Monitor and click the rules icon in the upper right-hand corner of the GUI, then click the “Insert Metadata” icon on the left.
We’re going to define a rule to identify streams containing unencrypted geo coordinates, and a new metadata field which will contain the detected values.
For this example, the GPS coordinates of our office are around 39 degrees latitude and -77 degrees longitude. Since the exact location of a device may fluctuate, we’ll need to write a Regex that allows for a small range of values. We’re basically defining a bounding box for our location using the following regular expression:
(3[89]\.[0-9]{3,10})[^0-9]*(-{0,1}77\.[0-9]{3,10})[^0-9]
First we need to create a rule to search the metadata field stream.content (the full content of a stream) for matches with the regular expression above. Adjust the numbers in this expression to match your location and tick the “regex” checkbox.
Now we’ll define new metadata fields to extract for all streams identified by the new rule. Click on “Add Extraction” to open the extraction dialog. Here we can enter another regular expression to extract whatever we want from the matching streams; in this case we’ll simply reuse the rule’s expression to extract the values it matched. Once the regex is entered, you’ll notice that the GUI detects two “tokens” which you can assign to new metadata fields. (These tokens are the portions of the regex contained within parentheses, also known as “capture groups”.) For this example, we’ll name the new metadata fields “location.latitude” and “location.longitude”.
Click “OK” to save the new extraction rules and close the dialog box. Finally click the “Add” button to add the rule to the rules dictionary.
The rule we just defined looks for our location’s latitude and longitude separated by any text. We’ll also create a rule that matches coordinates written with the longitude preceding the latitude, as this ordering is also commonly used. This rule can be created using the same steps as above, but with a modified regular expression:
(-{0,1}77\.[0-9]{3,10})[^0-9]*(3[89]\.[0-9]{3,10})[^0-9]
Be sure to also use this new regular expression for the metadata extraction associated with this new rule. Once the rules are created, make sure they’re enabled (the blue Dictionary icon to the left of the rule listing is visible).
Now that the new rules have been created, it’s time to load some traffic and look for streams leaking your location. You can load an existing PCAP file or run a live capture of your network.
Note: When processing traffic after modifying rule definitions, Recon needs to re-compile the rules dictionary. This process happens automatically after clicking “process” and may take several minutes.
Once your capture has been loaded, the new metadata fields will be associated with the relevant streams and can be used for filtering. Here we’ll take a look at creating a Data Explorer report with the new metadata. Open the Data Explorer by clicking the Data Explorer icon in the global navigation bar on the left of the GUI. The Data Explorer allows you to create reports (click “+ New Report”) using metadata fields; a report will be populated with the streams containing that field. Here is the definition of a new report for the “location.latitude” and “location.longitude” fields we just created.
If any streams were identified as containing the location used to define the new rules, you will see the detected coordinates listed in the new Data Explorer Report.
Filtering by these coordinates allows you to find the streams that contain them. We ran a quick network capture with an iPad to test this for ourselves. After filtering to some of the location values, we found unencrypted streams containing our geo data for the AAA mobile app, a local NBC weather site, and Home Depot’s store locator.
When inspecting streams, it is not always obvious which app or website they are associated with. Clicking on a stream displays additional detail, including the HTTP headers and the User-Agent. This information can be used to determine the stream’s purpose. In many cases the User-Agent will reveal a mobile app. Advertisers often publish geo data, and the http.referer metadata value will reveal which site generated the request to the advertiser.
By creating rules and extracting metadata pertaining to geographical coordinates, you’ll ensure that any streams containing your devices’ geographical locations will be flagged.
Questions? Comment below or contact us!