top | item 46725576

(no title)

cptskippy | 1 month ago

> Geofence bypass: As far as I understand, there's no easy way to enforce a geofence server-side other than timing, consistency, etc. You sort of just have to trust whatever the phone tells you.

There's no fool proof method but you can make it very hard and impractical.

Both Apple and Google offer attestation mechanisms to confirm the integrity of the App and Device Environment that it's running on. This ensures that the API requests are coming from an attested device.

To mitigate the MITM attack you can use TLS Certificate pinning on sensitive API requests.

You could have the server side API provide a session specific signing token that the App uses to sign payloads attached to API calls.

discuss

minimaltom|1 month ago

There are attestation mechanisms, but huge portions of a public user-base (especially android) don't pass that check because their device is too old, or their OEM sucked, or something something mediatek SOC, or <insert esoteric detail within the attested data that fails check in opaque way>

In my experience, all forms of attestation start to become impractical at scale unless you have a fairly homogeneous, well-patched fleet. This is particularly heinous for TPMs, where I've observed TPMs coming off one STM line having invalid EK certs, but other STM TPMs of the same model are fine. Or the platform firmware stamped out onto the motherboard has a bug in how it extends PCR0 and the event log is just borked forever, and so on... Totally unworkable.

cptskippy|1 month ago

That's a fair and valid point. Those are concessions that would need to be measured, impact analysis done, and decisions discussed on an ARB meeting.

I was simply pointing out that there are mechanisms that exist today one could use to better secure critical functions.

franga2000|1 month ago

1. This was not a mitm attack, it was lawful mitm inspection of a user's own traffic. Mitm attacks are prevented by TLS and the system CA store already.

2. Please don't give people bad ideas. This is how we get bikeshare apps that don't work on rooted/old/GrapheneoOS/... devices and further entrench google's position in the Android ecosystem.

If your security depends on devices faithfully reporting their location, you've already lost. Get a whiteboard, start from scratch.

cptskippy|1 month ago

> This was not a mitm attack

My intent was not to color or frame the activity but to use shared understood knowledge to convey the concept. It's like the terms blacklist and whitelist. Yes they're rooted in racism, and gosh darn it if everyone doesn't still use them because we know immediately what they are and there no better term. On the flip side we successfully switched from master to main.

If you don't want people saying "mitm attack" you gotta come up with something that rolls off the tongue a little better than "it was lawful mitm inspection of a user's own traffic".

kotaKat|1 month ago

funny thing, that: https://www.gfaker.com/

Apparently you can get dongles for iPhones to do GPS spoofing, because apparently(?) iOS can take an external GPS source(?!?).