20 comments

[ 3.5 ms ] story [ 56.0 ms ] thread
This is not possible if you have not granted Location Services access, due to the nature of how iOS works.

This only shows that a coordinate pair is being sent to the Uber API, which may have been cached from a time in the past, such as last time a ride was requested. The author counters this only by driving away in attempt to “reset” it, but instead of sniffing the traffic to see that the headers changed to reflect the new coordinates, they reached their conclusion by returning home and sniffing the traffic and saw that the coordinates remained the same.

For this to work as described, something in iOS would have to be incredibly broken.

I totally agree with you!!
He hasn't really done much to prove conclusively that it's not just coordinates associated with his wifi SSID.

> there is a red push pin right on top of literally the room I am sitting in in the house using Google Maps Satellite View.

why not step outside and try again, see if it moves. or is that room just where he spends most of his time with the phone location services turned on connected to wifi...?

Why would/should the Uber app try to associate SSIDs with coordinates?
For the exact scenario that the author is describing; attempting to ping your location while you've got your GPS switched off. I don't think it's a particularly uncommon practice.

Not saying it's likely, just something that he should probably attempt to disprove before declaring that the Uber app is sneakily using your GPS after you tell your phone to turn it off.

>coordinates associated with his wifi SSID.

I don't believe there's a public API for this on iOS. In order to use wifi hotspots to assist with GPS on iOS, you'd have to have location services enabled for the app.

That being said, it's very possible the app is just holding onto the last coordinates it was able to receive when location services was enabled for the app. This may be the default sane behavior to allow it to boot faster, as it'll be able to show/use the previously cached location to load maps, rather than waiting for a GPS fix to be acquired.

The author's test case of booting waze at a different location and then seeing if uber picks up that location after traveling away from it, without booting up the app is probably bogus, as unless granted, uber does not have access to location in background, and thus will not be able to access new location data while the app is not running. Once location services is disabled again, and the app is booted, the app should not see the previous location a GPS fix was able to be acquired (as that would break the implicit guarantee that an app using location services w/o background permissions should only see where you are currently, and not where you have been).

It's my suspicion this data is probably not directly used, and rather is used to enrich analytic events emitted internally within uber.

> I don't believe there's a public API for this on iOS

There actually was a way to do this. It no longer works as of iOS 11 though.

You're both technically right, but you're writing in a way that suggests his article is somehow without basis or not something to worry about; but it's just the opposite.

It seems he's pointing out that, even if you turn off location services, any app can just get around that by locating you via wifi. Isn't that worrisome, even if not unique to Uber?

I fully understand your point, and it is indeed a problem. In fact I have personally called out other apps for this: https://www.washingtonpost.com/news/capital-weather-gang/wp/...

Thing is, possibly as a result, Apple blocked ARP access in iOS 11. You can no longer get the BSSID and use that to get user location. Because the post indicates he used an iOS 11 device, this leads me to believe the coordinates were also not obtained with Wi-Fi information.

yeah don't get me wrong, if that's what it's doing it's still a dark pattern. but maybe _slightly_ less insidious than the alternative.
The point isn’t how it gets the coordinates. It’s that the User disabled Location Services, which means that the User’s expectation (on Apple’s platform) is that the app will not locate the User, regardless of whether it theoretically can do so with GPS, WiFi, or a stellar sextant.
Assuming the app is sending an old, cached location, why would they want to do that?
The simplest explanation is that it is used for sharding. (Uber iOS dev)
I'm pretty sure the app can be pulling his coordinates from anycast GeoDNS or a number of other things. It's creepyish, but not that weird. It's a location based app, you told them not to use your GPS, they are probably going to use the other tools they have to make sure they can deliver the experience they want to.

I'm not saying it's right, just saying that it exists and everyone has a lot of down to the street location information about you all day.

“So I managed to get something working this afternoon on my own iPhone which isn’t Jailbroken, including a functioning bypass of the certificate pinning protections included in the most recent Uber app running on iOS.”

Does anyone know the method for doing this? 1) without jailbreaking and 2) bypassing certificate pinning on iOS.

>How am I intercepting certificate-pinned Uber app traffic on un-Jailbroken 11.2.1 iOS? Answer: I don’t think I am interested in any further pro bono security consulting for Uber at this point.

Bringing up compensation, even in a round about way like that "pro bono" qualifier, sounds like a great way of getting chased for extortion.

The answer is likely a non-issue, such as some connections not being pinned and possible to intercept if you install a custom root CA on your device.

The submitter mentioned something along these lines, if I understand correctly, in his only other HN submission.

This is the same guy that got shut down for being a dick 4 days ago, seems like he's really trying to "get back" at Uber.

https://news.ycombinator.com/item?id=16000550 https://hackerone.com/reports/293359

The latest update to the post is pretty funny though. An ear scanning device?!

Let's see how long it takes OP to realize he opened the app and it persisted a location Thu Nov 30 2017 20:04:08 ("gps_time_ms":1512072248998) when location service were turned on.