The Geolocation API (http://www.w3.org/TR/geolocation-API/), specified by the W3C, enables web browsers to access the geographical location information of a user's device. The specification prohibits user agents from sending location information to web sites without obtaining permission from the user:
...
```html
<script>
  navigator.geolocation.getCurrentPosition(
    // Success callback: runs only after the user agent has granted access
    function (position) {
      alert(position.coords.latitude);
      alert(position.coords.longitude);
    },
    // Error callback: position unavailable or permission denied
    function () {
      // error
    });
</script>
```

The JavaScript above shows the location of the device on the screen.

To enable geolocation in an application using the WebView class, the following permissions and uses of the WebView class are necessary:
...
Among these, implementing the WebChromeClient#onGeolocationPermissionsShowPrompt method needs security consideration. There are vulnerable apps and code examples that override this method so that a user's geolocation information is sent to servers without the user's consent. With such an implementation, the user's location data will leak just by visiting malicious sites.
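One way to write the override so that location is granted only after the user agrees, given here as an added example and not code from the original page. The class name ConsentingChromeClient and the dialog strings are hypothetical, and an Activity context with Java 8 lambda support is assumed.

```java
import android.app.AlertDialog;
import android.content.Context;
import android.webkit.GeolocationPermissions;
import android.webkit.WebChromeClient;

/** Hypothetical client: asks the user before any origin receives location. */
public class ConsentingChromeClient extends WebChromeClient {
    private final Context context; // Activity context, required to show a dialog
    private AlertDialog prompt;    // dialog currently on screen, if any

    public ConsentingChromeClient(Context context) {
        this.context = context;
    }

    @Override
    public void onGeolocationPermissionsShowPrompt(
            final String origin, final GeolocationPermissions.Callback callback) {
        // The pattern this rule warns about is an unconditional grant here:
        //     callback.invoke(origin, true, false);
        // which gives location to every origin the WebView loads.
        prompt = new AlertDialog.Builder(context)
                .setTitle("Location request")
                .setMessage(origin + " wants to use this device's location.")
                // invoke(origin, allow, retain): retain=false means the
                // decision is not remembered, so the user is asked again.
                .setPositiveButton("Allow", (dialog, which) ->
                        callback.invoke(origin, true, false))
                .setNegativeButton("Deny", (dialog, which) ->
                        callback.invoke(origin, false, false))
                // Back button or a tap outside the dialog counts as refusal.
                .setOnCancelListener(dialog ->
                        callback.invoke(origin, false, false))
                .show();
    }

    @Override
    public void onGeolocationPermissionsHidePrompt() {
        // The page withdrew its request: remove the dialog, grant nothing.
        if (prompt != null) {
            prompt.dismiss();
            prompt = null;
        }
    }
}
// Usage inside an Activity (webView is an assumed field):
//     webView.setWebChromeClient(new ConsentingChromeClient(this));
```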
...
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| DRD15-J | low | probable | | | L2 |
Related Vulnerabilities
- JVN#81637882 Information disclosure vulnerability in Sleipnir Mobile for Android
Related Guidelines
Automated Detection
A complete analysis of automatic detection is TBD. It is trivial to automatically detect if an app requires the permissions needed for the vulnerability, if the app also uses the WebView class, and if the app also implements the WebChromeClient#onGeolocationPermissionsShowPrompt method. Tracing taint flow of sensitive geolocation data between components of one or more Android apps, and eventual transit to a sink, is a complex dataflow analysis.