Splashin iOS Location Update Interval Bypass Vulnerability for Free-Tier Users

Vulnerability

A vulnerability exists in the Splashin iOS application version 2.0 that allows free-tier users to bypass the server-side restriction on location update intervals. The app is designed to provide location updates only every 10 minutes for free users, but this limitation is enforced only in the client and can be circumvented through direct API calls, enabling real-time location tracking. The issue arises because the backend does not validate the requesting user's subscription level before processing location update requests, leaving free users with the same tracking capabilities as premium subscribers.

Impact

Exploitation of this vulnerability allows free-tier users to access real-time location data, undermining the application's subscription model and causing potential privacy concerns for users who believe their locations are only updated every 10 minutes.

Reproduction

The vulnerability can be reproduced by intercepting the application's API requests using a tool like Charles Proxy. After bypassing the app's client-side restrictions, free users can manually send requests to the location update API endpoint at intervals shorter than the intended 10-minute delay. This process can be automated with a script that requests location updates every few seconds, effectively evading the update interval restriction.

Remediation

To address this vulnerability, subscription validation should be implemented server-side on the affected API endpoint. The server should look up the requesting user's subscription level before processing each location update request and enforce the correct update interval for free users on the server, rather than relying on the client to throttle its own requests.
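The following is an added illustration of that remediation and is not code from the Splashin application or its backend. It assumes a hypothetical request handler for the location update endpoint; the subscription lookup table and the user IDs are constructed sample data. The vulnerable handler accepts every update, while the hardened handler enforces the per-tier interval from the server's own record of the last accepted update.

```python
import math
import time
from dataclasses import dataclass

FREE_TIER_INTERVAL_S = 10 * 60  # free users: one accepted update per 10 minutes
PREMIUM_INTERVAL_S = 0          # premium users: no enforced minimum interval

# Constructed sample subscription records, as the server would load from its database.
SUBSCRIPTIONS = {"user-free": "free", "user-premium": "premium"}


@dataclass
class UpdateResult:
    accepted: bool
    retry_after_s: int  # seconds the client must wait before the next accepted update


class VulnerableLocationHandler:
    """Trusts the client to throttle itself: every request is processed."""

    def __init__(self):
        self.locations = {}  # user id -> (lat, lon)

    def handle(self, user_id, lat, lon):
        self.locations[user_id] = (lat, lon)
        return UpdateResult(accepted=True, retry_after_s=0)


class HardenedLocationHandler:
    """Validates the subscription tier server-side and enforces the tier's interval."""

    def __init__(self, subscriptions, clock=time.monotonic):
        self._subscriptions = subscriptions
        self._clock = clock           # injectable clock so the logic can be tested
        self._last_accepted = {}      # user id -> server time of last accepted update
        self.locations = {}

    def minimum_interval(self, user_id):
        # Unknown or missing subscription records are treated as free tier (fail closed).
        tier = self._subscriptions.get(user_id, "free")
        return PREMIUM_INTERVAL_S if tier == "premium" else FREE_TIER_INTERVAL_S

    def handle(self, user_id, lat, lon):
        now = self._clock()
        min_interval = self.minimum_interval(user_id)
        last = self._last_accepted.get(user_id)
        if last is not None and now - last < min_interval:
            # Too soon for this tier: reject without storing the new location.
            return UpdateResult(False, math.ceil(min_interval - (now - last)))
        self._last_accepted[user_id] = now  # timestamp is the server's, not the client's
        self.locations[user_id] = (lat, lon)
        return UpdateResult(True, 0)
```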

Added: Jul 18, 2025, 5:50 PM
Updated: Jul 18, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.