Graduate Students Find Security Vulnerabilities in Life360 App
Is anything ever safe and secure in today’s digital age? Probably not, but a group of graduate students in the Carlos Alvarez College of Business at UTSA were surprised to discover security vulnerabilities in a location sharing mobile application designed to promote family safety.
As part of a semester-long research study, M.S. Information Technology student Posie Aagaard and now alumni Omar Abduljabbar, M.S.I.T. ’22 and Bijan Dinyarian, M.S.I.T. ’22 conducted a forensic analysis on the popular Life360 application, which provides location tracking, notifications and emergency services targeted at families.
What began as a project in a digital forensics class ultimately resulted in a journal publication and a valuable learning experience. Their paper, “Family Locating Sharing App Forensics: Life360 as a Case Study,” was published in the Forensic Science International: Digital Investigation journal this year.
“I take an experiential learning approach to facilitate students’ learning experiences in my classes,” said Raymond Choo, Cloud Technology Endowed Professor in the college’s Department of Information Systems and Cyber Security. “In my graduate digital forensics course the students complete a semester-long open-ended research assignment, which is designed to foster and promote student creativity and engagement.”
“For this project we needed something that we could be hands-on with, and Professor Choo suggested that mobile forensics is a growing field to explore,” said Aagaard, the assistant vice provost for collections and curriculum support in the UTSA library. “We looked at several different apps, but we chose this one because one of our group members had a family member who used it, and it has a huge adoption rate. We thought it could make an interesting case study. We didn’t go into the project expecting specific forensic findings. So, when we got our results they really stood out.”
As part of their study, the students looked at two main areas: the artifacts that were left behind on devices from the app and the networking or transmission of data from the app. Utilizing a variety of industry tools they looked for data that users might not want to be publicly disclosed.
“We really wanted the data to tell us what we were going to find,” said Aagaard. “We learned the way that data could be compromised. And there was a little bit of irony or concern because this is an app that was designed to make people feel safe.”
One of their main findings was that because of the way the data is shared across these overlapping social circles, just having access to one person’s device would make everybody in that circle vulnerable. They also discovered multiple forensic artifacts that comprised significant amounts of personal data.
For premium users, driving data is pushed to third party providers (which the company discloses). So, even if you aren’t a user of this app, a passenger in your car could collect driving data from you through their participation.
“Our goal wasn’t for people to stop using the app, but just to bring awareness,” said Aagaard. “The premise of the app is to be able to share your location with people. You don’t need to drag somebody down into the technical details, but there are certain things people can do that will give you a better outlook of the vulnerabilities that do exist.”
While this wasn’t Aagaard’s first publication, it was her first technical paper. Hoping to graduate by the end of the year, she is a huge fan of the college’s cyber security program. “The program is great. I love that it integrates academia, government and industry. I really feel like we’ve got great experts teaching the classes and students who really like the field.”
A lesson Aagaard hopes consumers can take away from this project is that when people think data is gone, it really isn’t. “Devices and applications are collecting a lot of data that users don’t know exists. And even if they know it exists and they think it is secured, someone with the technical knowledge and time have the ability to find it.”