nic-delhi / AarogyaSetu_Android

Aarogya Setu Android app native code
https://www.aarogyasetu.gov.in/

CHECK FOR MOCK LOCATION and ROOT access not available #26

Open junaidshaikh787 opened 4 years ago

junaidshaikh787 commented 4 years ago

The application is vulnerable to location spoofers, which allow them to enable mock location and use any third-party app, and the major problem is the handsets with root access, which can manipulate the application's location by systemizing the spoofing apps.

0xSumitBanik commented 4 years ago

This issue has already been opened at #13

junaidshaikh787 commented 4 years ago

On rooted devices there are some manager applications which also pass the SafetyNet tests and can be used to systemize almost any application. Even the root check of this application might get bypassed. What about the applications which are systemized and used for location spoofing, for which the mock location option is not required?

arpanbag001 commented 4 years ago

What's the problem with rooted devices? It's not a banking app! Why would anyone spoof location on such an app?

So why exactly do you think users of rooted devices do not deserve protection?

I own several devices, which are rooted as I use them for development and stuff, and blocking rooted devices will simply make me not use the app. And I'm sure, many many other users will agree. So, I think it's not logical to block rooted devices on every single app, even when it's unnecessary.

sureshvgs commented 4 years ago

You may not need root access always. Just enabling developer options is more than enough. There we can select the mock location option with any location-faking app. Also, most apps fail or carelessly exclude checking the MAC address or further screening related to mock location.

vasthava commented 4 years ago

While I agree with the opinions here..

  1. Root access can help in spoofing my location to a safer location and show my indicator to be green.
  2. Yes, even on non-rooted devices location can be spoofed using mock location. But it is way easier to check this setting. Unless the device is rooted and Xposed is installed and mock location is actually spoofed as device location without mock location enabled (widely used to spoof in Pokemon Go),

SarangKulkarni commented 4 years ago

Location data is by definition client side data and in this case there is no option but to trust it for the functionality of the app. Whatever client-side checks are implemented in the app for stopping mock location etc., a malicious actor could bypass them in their own build of the app and continue to remain malicious.
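The mock-location check discussed in this thread can be written against the public Android location APIs as follows. This is an added example, not code from the Aarogya Setu repository or from any commenter; the class name `MockLocationCheck` and its `Verdict` values are hypothetical. As the comments above point out, a rooted device with hooking frameworks or a modified build of the app can defeat these checks, so the result is a signal rather than a guarantee.

```java
import android.content.Context;
import android.location.Location;
import android.os.Build;
import android.provider.Settings;

/** Hypothetical helper for illustration; not part of the Aarogya Setu code base. */
public final class MockLocationCheck {

    public enum Verdict { ACCEPT, MOCK_FIX, MOCK_SETTING_ENABLED }

    private MockLocationCheck() {}

    /** Classifies one fix delivered by the platform location APIs. */
    public static Verdict classify(Context context, Location fix) {
        if (isFlaggedAsMock(fix)) {
            return Verdict.MOCK_FIX;
        }
        if (isLegacyMockSettingEnabled(context)) {
            return Verdict.MOCK_SETTING_ENABLED;
        }
        return Verdict.ACCEPT;
    }

    /** Per-fix flag the framework sets when a test (mock) provider supplied the fix. */
    @SuppressWarnings("deprecation")
    static boolean isFlaggedAsMock(Location fix) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            return fix.isMock();              // API 31 and later
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR2) {
            return fix.isFromMockProvider();  // API 18 to 30
        }
        return false;                         // no per-fix flag on older releases
    }

    /** Global "Allow mock locations" toggle; only meaningful before Android 6.0. */
    @SuppressWarnings("deprecation")
    static boolean isLegacyMockSettingEnabled(Context context) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // From API 23 the toggle is replaced by a per-app "mock location app"
            // selection, so the per-fix flag above is the only usable indicator.
            return false;
        }
        String value = Settings.Secure.getString(
                context.getContentResolver(), Settings.Secure.ALLOW_MOCK_LOCATION);
        return "1".equals(value);
    }
}
```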