People have long since been interested in tracking their peers for various most shady reasons, such as espionage or blackmailing. Recently, however, geolocation tracking has also become popular for legitimate reasons. Parents want to make sure that their children do not get lost, couples want to find their partners, and friends want to meet spontaneously. For these use cases, smartphone users willingly and knowingly install tracker apps on their devices to actively share their location. These apps are neither backdoors nor malware; their location sharing is consensual. We therefore call these apps “mutual-awareness-tracking apps”. Still, these apps deal with highly sensitive private data, which immediately raises several questions on privacy and security. Users must be sure that their data is only available to the legitimate recipients, and that no adversaries can track them and, e.g., break into their house while they are away.

In this project, we analyzed a selection of the most popular mutual-awareness-tracking apps from the Google Play Store together with the corresponding backend servers. Our investigation shows that many apps and services suffer from grave security issues. Some apps use self-made algorithms (Cesar cipher, simple shifting, etc.) instead of proper cryptography for data storage and transmission. Others do not even attempt to protect their communication and rely on the unprotected http protocol instead. In some cases, we were able impersonate the messaging system of the applications. Even more worrying than the apps, however, is the backend side. Hard coded database credentials in apps allowed access to all stored user locations in the backend. With such a vulnerability, an attacker would be able to extract hundreds of thousands of tracking profiles. He could even keep them up to date in real time. Flaws in another server API allowed us to extract all user credentials (including 1.7m plain text passwords), again giving full access to those profiles. For other backends, extracting credentials was not even necessary, because the user authentication could be bypassed altogether. Furthermore, we saw full communication histories containing messages, pictures and location data. While looking for tracker apps, we even found and reported two malware apps in the Google Play Store that were disguised as tracker apps.

In total, the state of tracker apps is worrisome. With these apps, users provide intentional backdoors into their phones for others to track their location, but unknowingly allow such espionage for arbitrary users. Who needs the capabilities of agencies such as the NSA, if all you need is a tracker app that the victim voluntarily installs on his phone? Build your own surveillance agency for free.

All of our 37 findings are provided in detail in the following:

Those are the two malware findings in Google Play.

Here you can find a complete article about the malware finding.


All your family secrets belong to us – Worrisome security issues in tracker apps
Siegfried Rasthofer, Stephan Huber, Steven Arzt
In: DEF CON 26, August 2018. (Slides, Video)

Little Brother is Watching – We know all your Secrets!
Siegfried Rasthofer, Stephan Huber, Steven Arzt
In: VirusBulletin 2018, October 2018. (PDF, Slides, Video)