What's APPening with Location-based services

Last Friday was the annual Data Privacy Day, held to raise awareness about data privacy issues among consumers, organizations, and government. A key piece of online data is information about a user’s location. While location information has enabled the delivery of interesting services, it has also raised security concerns. Social media applications allow users to share their location with friends and with businesses that provide value-added services. At the same time, they expose users to serious security issues such as those highlighted by PleaseRobMe.com and ICanStalkYou.com. Recently, the military raised concerns about the inadvertent release of sensitive unit location information on social media sites. In the enterprise arena, where users are increasingly mobile, organizations can benefit from using location data to manage mobile assets, but they also risk revealing the location of employees and resources to the competition.

Location-based services are made possible by location database providers such as Skyhook, Google, and Apple. These companies maintain reference databases of Wi-Fi MAC addresses and cell tower IDs, which they collect by, among other ways, scanning the streets for such equipment. Mobile devices such as smartphones and laptops send their raw position information (Wi-Fi AP/cell tower ID, signal strength, etc.) to a provider, which uses triangulation schemes to estimate the location and return it (latitude, longitude, and accuracy) to the device. Applications on the device can request user permission to access this information and send it to servers on the Internet that provide some service to the user.
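The lookup described above, as an added example that is not from the original post or from any provider's code: it shows why a short list of nearby access points and signal strengths is enough to place a device. A simple weighted centroid stands in for the provider's triangulation scheme, and the BSSIDs, coordinates, and the 10 m accuracy floor are constructed assumptions.

```python
import math

# Constructed reference database: BSSID -> surveyed (lat, lon). Not real data.
REFERENCE_DB = {
    "00:11:22:33:44:01": (37.4000, -122.1000),
    "00:11:22:33:44:02": (37.4010, -122.1000),
    "00:11:22:33:44:03": (37.4000, -122.1010),
}
MIN_ACCURACY_M = 10.0  # assumed floor so a single-AP fix never claims 0 m error


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))


def rssi_to_weight(rssi_dbm):
    """Convert dBm to linear power (mW): a stronger signal gets a larger weight."""
    return 10 ** (rssi_dbm / 10.0)


def estimate_location(scan, db=REFERENCE_DB):
    """scan: list of (bssid, rssi_dbm) pairs as reported by the device.

    Returns (lat, lon, accuracy_m), or None when no reported AP is in the
    reference database. APs the provider has never surveyed are ignored.
    """
    known = [(db[bssid.lower()], rssi_to_weight(rssi))
             for bssid, rssi in scan if bssid.lower() in db]
    if not known:
        return None
    total = sum(w for _, w in known)
    lat = sum(pos[0] * w for pos, w in known) / total
    lon = sum(pos[1] * w for pos, w in known) / total
    # Accuracy: weighted mean distance from the estimate to the contributing APs.
    spread = sum(haversine_m((lat, lon), pos) * w for pos, w in known) / total
    return lat, lon, max(spread, MIN_ACCURACY_M)


if __name__ == "__main__":
    # Constructed scan: one strong AP, one weak AP, one AP unknown to the provider.
    scan = [("00:11:22:33:44:01", -40), ("00:11:22:33:44:02", -85),
            ("AA:BB:CC:DD:EE:FF", -60)]
    print(estimate_location(scan))
```

The request carries no GPS fix and no user identifier in this sketch, yet the reply is a latitude, longitude, and accuracy radius, which is the data a location policy has to account for.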

In the recent content updates to our Application database, we have added two new App-IDs for Google and Apple location services. These identify the traffic sessions from a user’s browser to the location service provider – Firefox to Google, or Safari to Apple. When these sessions go over SSL, the decryption capabilities of the firewall allow it to decrypt the SSL traffic and identify the App-ID. On Palo Alto Networks next-gen firewalls, security policy can be created based on these App-IDs to allow, block, or safely enable location-based services. Enterprises will need to weigh their individual benefits and risks and create a corporate policy around the use of these services. App-ID based firewall security rules offer IT administrators the means to enforce such a policy.