The Geolocation API (http://www.w3.org/TR/geolocation-API/), which is specified by the W3C, enables web browsers to access geographical location information of a user's device.

The specification prohibits user agents from sending location information to web sites without obtaining permission from the user:

...

A conforming implementation must acquire permission through a user interface before sending the user's geolocation to the web site.

An example of JavaScript using the Geolocation API is as follows:

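Code Block
<script>
navigator.geolocation.getCurrentPosition(
  function (position) {
    // Success callback: display the device's coordinates
    alert(position.coords.latitude);
    alert(position.coords.longitude);
  },
  function () {
    // Error callback: position unavailable or permission denied
  }
);
</script>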

The JavaScript above will show the location of the device on the screen.

To enable geolocation in an application using the WebView class, the following permissions and the use of the webkit package are necessary:

  • permissions
    • android.permission.ACCESS_FINE_LOCATION
    • android.permission.ACCESS_COARSE_LOCATION
    • android.permission.INTERNET
  • webkit package
    • WebSettings#setGeolocationEnabled(true)
    • WebChromeClient#onGeolocationPermissionsShowPrompt() implementation

Among these, implementing the WebChromeClient#onGeolocationPermissionsShowPrompt() method needs security consideration. There are vulnerable apps and code examples that override this method so that a user's geolocation information is sent to servers without the user's consent. With such an implementation, the user's location data will leak just by visiting malicious sites.

...

This noncompliant code example sends the user's geolocation information without obtaining the user's permission upon request from a server.

...

If the user setting of geolocation is enabled, the code will show a screen to ask for the user's permission. If the setting is disabled, it will not transmit the geolocation data.

...

Sending a user's geolocation information without asking the user's permission violates the security and privacy considerations of the Geolocation API and leaks the user's sensitive information.

| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|------|----------|------------|------------|------------|----------|-------|
| DRD15-J | Low | Probable | No | No | P2 | L3 |

Related Vulnerabilities

  • JVN#81637882 Information disclosure vulnerability in Sleipnir Mobile for Android

Bibliography

...

Related Guidelines

Automated Detection

It is trivial to automatically detect if an app requires the permissions needed for the vulnerability, if the app also uses the WebView class, and if the app also implements the WebChromeClient#onGeolocationPermissionsShowPrompt() method.  Tracing taint flow of sensitive geolocation data between components of one or more Android apps, and eventual transit to a sink, is a complex dataflow analysis.

| Tool | Version | Checker | Description |
|------|---------|---------|-------------|
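
The three checks named in the Automated Detection paragraph, as an added Python example that is not part of the original guideline or of any tool's code. The function names, the constructed manifest and Java snippet, and the `literal_grant` heuristic are assumptions of this example; it does not attempt the taint-flow analysis.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}
INTERNET = "android.permission.INTERNET"

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_SOURCE = """
WebView webView = new WebView(this);
webView.getSettings().setGeolocationEnabled(true);
webView.setWebChromeClient(new WebChromeClient() {
    @Override
    public void onGeolocationPermissionsShowPrompt(String origin,
            GeolocationPermissions.Callback callback) {
        callback.invoke(origin, true, false);
    }
});
"""

def requested_permissions(manifest_xml):
    """Return the permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def screen_app(manifest_xml, java_sources):
    """Check the three preconditions; flag a hard-coded grant for review."""
    perms = requested_permissions(manifest_xml)
    code = "\n".join(java_sources)
    report = {
        # Assumption: one location permission plus INTERNET is enough to matter.
        "permissions": bool(perms & LOCATION_PERMS) and INTERNET in perms,
        "webview": re.search(r"\bWebView\b", code) is not None,
        "overrides_prompt": re.search(
            r"\bvoid\s+onGeolocationPermissionsShowPrompt\s*\(", code) is not None,
        # Heuristic (assumption): literal `true` as the allow argument of
        # Callback.invoke(); a reviewer must confirm no user prompt precedes it.
        "literal_grant": re.search(
            r"\.invoke\s*\([^,()]+,\s*true\s*,", code) is not None,
    }
    report["needs_review"] = (report["permissions"] and report["webview"]
                              and report["overrides_prompt"])
    return report
```

A `needs_review` hit only means the preconditions are present; whether the handler actually asks the user before calling `invoke` still has to be confirmed by reading the override.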

Bibliography


...


...