This is not possible if you have not granted Location Services access, due to the nature of how iOS works.
This only shows that a coordinate pair is being sent to the Uber API, which may have been cached from a time in the past, such as last time a ride was requested. The author counters this only by driving away in attempt to “reset” it, but instead of sniffing the traffic to see that the headers changed to reflect the new coordinates, they reached their conclusion by returning home and sniffing the traffic and saw that the coordinates remained the same.
For this to work as described, something in iOS would have to be incredibly broken.
He hasn't really done much to prove conclusively that it's not just coordinates associated with his wifi SSID.
> there is a red push pin right on top of literally the room I am sitting in in the house using Google Maps Satellite View.
why not step outside and try again, see if it moves. or is that room just where he spends most of his time with the phone location services turned on connected to wifi...?
For the exact scenario that the author is describing; attempting to ping your location while you've got your GPS switched off. I don't think it's a particularly uncommon practice.
Not saying it's likely, just something that he should probably attempt to disprove before declaring that the Uber app is sneakily using your GPS after you tell your phone to turn it off.
I don't believe there's a public API for this on iOS. In order to use wifi hotspots to assist with GPS on iOS, you'd have to have location services enabled for the app.
That being said, it's very possible the app is just holding onto the last coordinates it was able to receive when location services was enabled for the app. This may be the default sane behavior to allow it to boot faster, as it'll be able to show/use the previously cached location to load maps, rather than waiting for a GPS fix to be acquired.
The author's test case of booting waze at a different location and then seeing if uber picks up that location after traveling away from it, without booting up the app is probably bogus, as unless granted, uber does not have access to location in background, and thus will not be able to access new location data while the app is not running. Once location services is disabled again, and the app is booted, the app should not see the previous location a GPS fix was able to be acquired (as that would break the implicit guarantee that an app using location services w/o background permissions should only see where you are currently, and not where you have been).
It's my suspicion this data is probably not directly used, and rather is used to enrich analytic events emitted internally within uber.
You're both technically right, but you're writing in a way that suggests his article is somehow without basis or not something to worry about; but it's just the opposite.
It seems he's pointing out that, even if you turn off location services, any app can just get around that by locating you via wifi. Isn't that worrisome, even if not unique to Uber?
Thing is, possibly as a result, Apple blocked ARP access in iOS 11. You can no longer get the BSSID and use that to get user location. Because the post indicates he used an iOS 11 device, this leads me to believe the coordinates were also not obtained with Wi-Fi information.
The point isn’t how it gets the coordinates. It’s that the User disabled Location Services, which means that the User’s expectation (on Apple’s platform) is that the app will not locate the User, regardless of whether it theoretically can do so with GPS, WiFi, or a stellar sextant.
I'm pretty sure the app can be pulling his coordinates from anycast GeoDNS or a number of other things. It's creepyish, but not that weird. It's a location based app, you told them not to use your GPS, they are probably going to use the other tools they have to make sure they can deliver the experience they want to.
I'm not saying it's right, just saying that it exists and everyone has a lot of down to the street location information about you all day.
“So I managed to get something working this afternoon on my own iPhone which isn’t Jailbroken, including a functioning bypass of the certificate pinning protections included in the most recent Uber app running on iOS.”
Does anyone know the method for doing this? 1) without jailbreaking and 2) bypassing certificate pinning on iOS.
>How am I intercepting certificate-pinned Uber app traffic on un-Jailbroken 11.2.1 iOS? Answer: I don’t think I am interested in any further pro bono security consulting for Uber at this point.
Bringing up compensation, even in a round about way like that "pro bono" qualifier, sounds like a great way of getting chased for extortion.
The latest update to the post is pretty funny though. An ear scanning device?!
Let's see how long it takes OP to realize he opened the app and it persisted a location Thu Nov 30 2017 20:04:08 ("gps_time_ms":1512072248998) when location service were turned on.
20 comments
[ 3.5 ms ] story [ 56.0 ms ] threadThis only shows that a coordinate pair is being sent to the Uber API, which may have been cached from a time in the past, such as last time a ride was requested. The author counters this only by driving away in attempt to “reset” it, but instead of sniffing the traffic to see that the headers changed to reflect the new coordinates, they reached their conclusion by returning home and sniffing the traffic and saw that the coordinates remained the same.
For this to work as described, something in iOS would have to be incredibly broken.
> there is a red push pin right on top of literally the room I am sitting in in the house using Google Maps Satellite View.
why not step outside and try again, see if it moves. or is that room just where he spends most of his time with the phone location services turned on connected to wifi...?
Not saying it's likely, just something that he should probably attempt to disprove before declaring that the Uber app is sneakily using your GPS after you tell your phone to turn it off.
I don't believe there's a public API for this on iOS. In order to use wifi hotspots to assist with GPS on iOS, you'd have to have location services enabled for the app.
That being said, it's very possible the app is just holding onto the last coordinates it was able to receive when location services was enabled for the app. This may be the default sane behavior to allow it to boot faster, as it'll be able to show/use the previously cached location to load maps, rather than waiting for a GPS fix to be acquired.
The author's test case of booting waze at a different location and then seeing if uber picks up that location after traveling away from it, without booting up the app is probably bogus, as unless granted, uber does not have access to location in background, and thus will not be able to access new location data while the app is not running. Once location services is disabled again, and the app is booted, the app should not see the previous location a GPS fix was able to be acquired (as that would break the implicit guarantee that an app using location services w/o background permissions should only see where you are currently, and not where you have been).
It's my suspicion this data is probably not directly used, and rather is used to enrich analytic events emitted internally within uber.
There actually was a way to do this. It no longer works as of iOS 11 though.
It seems he's pointing out that, even if you turn off location services, any app can just get around that by locating you via wifi. Isn't that worrisome, even if not unique to Uber?
Thing is, possibly as a result, Apple blocked ARP access in iOS 11. You can no longer get the BSSID and use that to get user location. Because the post indicates he used an iOS 11 device, this leads me to believe the coordinates were also not obtained with Wi-Fi information.
I'm not saying it's right, just saying that it exists and everyone has a lot of down to the street location information about you all day.
Does anyone know the method for doing this? 1) without jailbreaking and 2) bypassing certificate pinning on iOS.
Bringing up compensation, even in a round about way like that "pro bono" qualifier, sounds like a great way of getting chased for extortion.
The submitter mentioned something along these lines, if I understand correctly, in his only other HN submission.
https://news.ycombinator.com/item?id=16000550 https://hackerone.com/reports/293359
Let's see how long it takes OP to realize he opened the app and it persisted a location Thu Nov 30 2017 20:04:08 ("gps_time_ms":1512072248998) when location service were turned on.