Shared transportation services are becoming an inseparable part of our daily lives. These include self-service bike and scooter rentals and even parking spot rentals. Using mobile apps, users interact with the company servers through a web-based API to get information about available vehicles and to operate them. If not properly designed and protected, these APIs may allow an attacker to extract sensitive information about people's locations and personal details. Our work points out flaws that leak location information, as well as other Personally Identifiable Information (PII), through publicly reachable API calls. For all platforms tested we were able to track users' locations in real time, and in some cases even to extract users' location history. Furthermore, we were able to draw their ride routes and locations on a map in real time. In our presentation we explain and demonstrate the most common flaws and suggest mitigating controls that apply to many app security scenarios.
- Understand the key flaws in the design and implementation of web APIs for mobile applications in general.
- Learn about the main controls required for protecting web APIs for mobile applications.
- Become aware of the threats to data in shared transportation services specifically (as user, programmer or partner).
Technical Difficulty: Medium