search

numbersprotocol / community-support

This is a channel for Numbers community to report issues or open feature requests.
225 stars 6 forks source link

Capture App: Issue - Vulnerability to spoofing of GPS location (Android) #17

Open ghost opened 2 years ago

ghost commented 2 years ago

Issue:

The GPS location of a capture in the android version of the Capture App can be spoofed using free third party apps and developer options in android settings.

Steps to reproduce:

  1. Download a third party app for GPS spoofing and select a desired location on the map in this app.
  2. Go to Android settings > Developer options > Select Mock location app > select the respective third party app from the list.
  3. Open Captures App > Shoot a capture using phone's camera

Current app behaviour:

False location data is stored in blockchain as chosen in the 3rd party spoofing app.

Expected app behavior:

Location data is stored in blockchain according to the real GPS data instead of the false one.

Context:

This spoofing of GPS location could be abused by people who will use the Capture App for news sharing purposes. They can act as if they are in an area of incident without physically being there. And this has the potential to spread misinformation.

Tested device: Redmi Note 4 OS: Android 7.0 Capture App version: 0.43.1

┆Issue is synchronized with this Asana task by Unito

willcoursen commented 2 years ago

great catch... Sheesh

tammyyang commented 2 years ago

Scheduled in the dev sprint.

tammyyang commented 2 years ago

Consult the Ionic team for the best practice and had some conversations with them regarding this issue today. The feedback is, this should be a piece of cake, just a two-liner task :P. I will update once they provide the reference solution.