I saw someone claiming that they believed a social messaging app for iPhone and Android called “Vibe” was actually a trap to solicit data from members of the Occupy movement, who were using the app for its advertised feature of location-specific anonymous messages. For example, you could set it so that the message is visible to people within 3 miles of your current GPS location. Since the app became popular with the Occupy movement, its threat model is bumped up a few notches from “people posting about local band performances - nobody cares” to “people posting about potentially sensitive political activities - they may be monitored.”
I was bored and wanted a distraction so I decided to check it out. I only checked the Android version because that is a lot easier to work with. I did not at any time install the app or run a single line of its code. (I am a security researcher at Veracode if you are wondering. This is my idea of a great evening.)
The modest download page of Vibe: http://zami.com/v.html
The FAQ: http://www.zami.com/vibe/faq.html
Alright, here’s the skinny. You may mistakenly believe that if you dial the distance on your message down really low, only people who are actually physically close to you could ever see it. This is not true. It is very, very easy to write a script which impersonates being at any location you want and can get the vibes for that location. It is simply a REST client request to a specific URL recoverable from the app with the latitude, longitude and range set to anything. Tested and confirmed, I was reading short-range New York vibes from my home a few states away.
This is not hacking. The remote web server simply works with whatever geo-coordinates the client provides. It could be improved, if the server hosts wanted, by comparing the client’s IP address and seeing if it’s roughly colocated with the submitted coordinates, but of course there are ways around that such as simply running the script from a rented server in the target’s general region. The simple fact of the matter is that there is no way for a server on the internet to determine for sure you are, in fact, standing in a particular location with your phone. Hence, do not post anything that should not be read by someone outside of your range. It’s not actually private! I have not tried it, but it appears someone could also remotely post messages pretending to be near you, so treat the messages you see with a healthy skepticism. (This is actually an advertised feature of the underlying AskLocal platform, which lets you place a message anywhere on the world map but claims that only people near to it can see it. We have already seen that is not really true.)
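To make concrete what “the server works with whatever geo-coordinates the client provides” amounts to, here is an added Java example. It is not Vibe’s or AskLocal’s code; it is a reconstruction of the server-side logic such a range filter must reduce to, plus the IP-colocation check mentioned above. The message data, the coordinates, and the GeoIP-derived position (`ipLat`/`ipLon`, assumed to come from some lookup the server already has) are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;

public class VibeRangeQuery {

    static final double EARTH_RADIUS_MILES = 3958.8;

    // A stored message: text plus the coordinates and range the poster chose.
    static final class Vibe {
        final String text;
        final double lat, lon, rangeMiles;
        Vibe(String text, double lat, double lon, double rangeMiles) {
            this.text = text; this.lat = lat; this.lon = lon; this.rangeMiles = rangeMiles;
        }
    }

    // Great-circle (haversine) distance between two points, in miles.
    static double distanceMiles(double lat1, double lon1, double lat2, double lon2) {
        double dLat = Math.toRadians(lat2 - lat1);
        double dLon = Math.toRadians(lon2 - lon1);
        double a = Math.sin(dLat / 2) * Math.sin(dLat / 2)
                 + Math.cos(Math.toRadians(lat1)) * Math.cos(Math.toRadians(lat2))
                 * Math.sin(dLon / 2) * Math.sin(dLon / 2);
        return 2 * EARTH_RADIUS_MILES * Math.atan2(Math.sqrt(a), Math.sqrt(1 - a));
    }

    // What the "only people within N miles" filter is on the server side:
    // arithmetic over whatever latitude/longitude the request carried.
    // Nothing here can tell a phone in Manhattan from a script elsewhere
    // that sent the same two numbers.
    static List<Vibe> vibesNear(List<Vibe> all, double claimedLat, double claimedLon) {
        List<Vibe> out = new ArrayList<>();
        for (Vibe v : all) {
            if (distanceMiles(claimedLat, claimedLon, v.lat, v.lon) <= v.rangeMiles) {
                out.add(v);
            }
        }
        return out;
    }

    // The partial mitigation from the post: compare the claimed position with
    // a rough position derived from the client's IP address (hypothetical GeoIP
    // lookup, not shown). IP geolocation is city-level at best, so the tolerance
    // has to be generous, and a client run from a server rented in the right
    // region still passes. This raises the bar; it does not prove location.
    static boolean plausibleForClient(double claimedLat, double claimedLon,
                                      double ipLat, double ipLon, double toleranceMiles) {
        return distanceMiles(claimedLat, claimedLon, ipLat, ipLon) <= toleranceMiles;
    }

    public static void main(String[] args) {
        // Constructed sample: one 3-mile message posted in lower Manhattan.
        List<Vibe> stored = new ArrayList<>();
        stored.add(new Vibe("meet at the park at 6", 40.7128, -74.0060, 3.0));

        // Any request that claims a nearby position gets the message back,
        // wherever the request actually originated.
        System.out.println("visible: " + vibesNear(stored, 40.7150, -74.0000).size());

        // If the client's IP geolocates to Boston (constructed), the same claim
        // is roughly 190 miles off and fails a 50-mile plausibility check.
        System.out.println("plausible: "
            + plausibleForClient(40.7150, -74.0000, 42.3601, -71.0589, 50.0));
    }
}
```

The point of `vibesNear` is that it is the entire “proof” of location the server has; `plausibleForClient` is what the IP-colocation idea in the post would look like, and its weakness (coarse GeoIP, relocatable clients) is the reason the post says no server can be certain where you are.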
The second problem is that the app (at least on Android, but probably on iOS too) deliberately overrides SSL certificate validation (specifically javax.net.ssl.X509TrustManager) to accept any certificate. What this means is that someone who set up malicious “free wifi” could install a MITM (man-in-the-middle) proxy to intercept your Vibe messages and log everything before posting it so that you never noticed anything was wrong. I am guessing the programmers did this not to facilitate evil but because SSL errors are difficult and annoying and they did not want to complicate their user interface with messages like “Server presented expired certificate, can’t connect.” Now, if this app were only used to post about local art shows and the like, this would not be particularly worth worrying about, but again our threat model is members of a protest movement. Hence, this is not a good app to use if you are attending an event where someone may wish to log the information of who is present and use it against them. (Technically a MITM attack could still happen on your 3G, but the “open a free wifi point and wait” technique is both a very easy and very successful avenue of attack.) This bug could be fixed by the app programmers with a bit of effort so that the Vibe client would not post messages without being certain it was talking directly to the Vibe server.
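For readers who have not seen what “overrides X509TrustManager to accept any certificate” looks like, here is an added Java example showing the anti-pattern next to two fixes. This is not Vibe’s code; it is the generic Android/Java pattern the post is describing, reconstructed from the class it names. The class name `TlsTrust`, the alias `"vibe-server"`, and the idea of shipping the server’s certificate as a PEM resource are assumptions for the example.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsTrust {

    // THE BUG: a TrustManager whose check methods never throw. Every chain is
    // "trusted", so a self-signed or expired certificate, or one minted on the
    // fly by a proxy sitting on a hostile "free wifi" network, is accepted and
    // the user sees no error.
    static SSLContext acceptAnythingContext() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx;
    }

    // FIX 1: do not install a custom TrustManager at all. Passing null makes
    // SSLContext use the platform trust store, which rejects unknown issuers
    // and expired certificates; HttpsURLConnection adds hostname checking.
    // If the server's certificate is broken, fix the server, not the client.
    static SSLContext platformDefaultContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    // FIX 2: pin. Build a trust store containing only the server's own
    // certificate (a PEM file bundled with the app and opened as a stream).
    // A proxy's certificate then fails validation even if it was issued by a
    // CA the device happens to trust. The cost is that the app must be
    // updated whenever the server's certificate changes.
    static SSLContext pinnedContext(InputStream serverCertPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert = cf.generateCertificate(serverCertPem);

        KeyStore pins = KeyStore.getInstance(KeyStore.getDefaultType());
        pins.load(null, null);                       // empty in-memory store
        pins.setCertificateEntry("vibe-server", serverCert);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(pins);                              // trust only what is pinned

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Apply a context to a connection. With acceptAnythingContext() the
    // connection silently succeeds through an interceptor; with either fix
    // the handshake throws and no message is posted.
    static HttpsURLConnection open(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

The empty `checkServerTrusted` body is the whole defect: the method’s contract is to throw a `CertificateException` when the chain is not acceptable, so a body that never throws is equivalent to no validation. The same code often comes paired with a `HostnameVerifier` that always returns true; leaving `HttpsURLConnection`’s default verifier in place is part of the fix.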
As for whether or not the real Vibe server logs the IP address when you submit a message, it is impossible to tell for sure but they claim they do not. The IP address alone is only semi-useful but you will still have to answer for yourself how comfortable you are with the situation.
I did not see any deliberately malicious activity (such as siphoning off contact data) and every interface functionality appears to work as advertised. Hence, my recommendation is to treat it as a convenient filter for local messages rather than believing that only local people can see what you say, and to be mindful that your connection info may be logged by an interceptor. Use common sense in what you say and what you believe like on any other social networking service.
Also, this is supposed to be a girly pictures blog, so here’s a pic of Marisa the witch.