Thank you. On Sun, Dec 7, 2008 at 1:43 PM, Jon L <[EMAIL PROTECTED]> wrote:
> > Hi guys, I was digging around the Location APIs available in Android > and discovered that it's possible to obtain location data without > having proper location credentials. > > It's a pretty low-risk exposure and requires a bit of effort to get > anything useful, but here it is: > > An android app can use the LocationManagerService.addGpsStatusListener > IPC call to register for GPS status updates that includes the > elevation, azimuth, and other details of each of the satellites in > range of the GPS receiver. There are no permission checks, so an app > can get this data without notifying the user that it's doing it. > > There are some tricky parts to exploiting this: > > 1. If your app doesn't have ACCESS_FINE_LOCATION, it can't enable the > GPS receiver, and no GPS status updates are available when the GPS > receiver isn't on. > 2. It's not easy to determine the exact location from the satellite > positions. Once a malicious app has the exact time and relative > satellite locations from this info leak, it needs to know the absolute > position of each of the satellites at that exact time in order to > determine the user's location. > > So realistically, a malicious app has to install a service that waits > for some other app to enable the GPS (alternatively, skip the service > and just hope the app's process sticks around), then upload the data > somewhere where an attacker can download it to calculate the position > of the user. > > There's some more information about how I'm accessing > LocationManagerService at > http://www.codetastrophe.com/2008/12/accessing-hidden-system-service-apis-in.html > > Like I said, this is low risk, but I ran into it while digging around > so I thought I would share. Here's a patch to fix this in > LocationManagerService.java: > > --- LocationManagerService.java.orig 2008-12-07 14:39:52.000000000 > -0500 > +++ LocationManagerService.java 2008-12-07 14:40:02.000000000 -0500 > @@ -906,6 +906,9 @@ > return false; > } > > + if(mContext.checkCallingPermission(ACCESS_FINE_LOCATION) != > PackageManager.PERMISSION_GRANTED) > + throw new SecurityException("Requires > ACCESS_FINE_LOCATION permission"); > + > try { > mGpsLocationProvider.addGpsStatusListener(listener); > } catch (RemoteException e) { > > > -jon > > Jon Larimer > [EMAIL PROTECTED] >
