Master Education SNE/OS3

SNE is the University of Amsterdam master education in System and Network Engineering.
We focus on Open Standards, Open Software and Open Security, hence the name OS3.

General information and testimonials are available at the Introductory page. More in depth facts can be found on our Master SNE page.

Contact information

If you want to make a personal appointment to visit our education or to attend a lecture, please contact us via info at os3 dot nl. You can also visit our facilities at the Science Faculty of the University of Amsterdam, located at the Science Park Amsterdam.

SNE/OS3 news

Students find flaws in dating app Grindr

Students of the Master education in System and Network Engineering (SNE) of the University of Amsterdam evaluated the Grindr dating app to see how sensitive user information is protected. Results are astounding, as documented in this report.

Grindr, “the world's biggest mobile network of guys”, is a dating app for homosexual men. The Android, iOS and BlackBerryOS app provides users with user and location information of the 24 closest users that are also looking for a partner. In 2012 a number of weaknesses were discovered. According to Grindr the weaknesses were resolved with an update that was published within days. Reality proved to be rather different.

Breaking encryption

After the 2012 update all messages are encrypted to prevent eavesdropping of user and location info. Encryption is implemented using AES. However, the key that is used can be recovered quite easily as a result of weaknesses in the key exchange mechanism. After decrypting Grindr network traffic with the recovered key it became clear that the underlying protocol is vulnerable to several attacks.

Eavesdropping and impersonation

The mechanism that is used to transfer the 24 closest users contains a token that points to the profile of each of the 24 users. In other words: it is used as an identifier. However, the token can also be used to log on to the profile of the user. In other words: the user profiles are not protected by a password or other shared secret. With an eavesdropped token it is possible to access and change all profile information, including non-public information. The underlying chat system uses the same mechanism. As a result all chat messages can be eavesdropped and an attacker can impersonate a user by sending messages on their behalf.

Location monitoring

The mechanism that is used to transfer the 24 closest users also contains the distance to the other users. This system is based on the user's current GPS location. An attacker can spoof the GPS location of the requesting account. By systematically scanning all possible GPS coordinates it is possible to identify all Grindr users. Furthermore, it is possible to pinpoint the location of a user after measuring the distance from several (spoofed) GPS locations. If this process is performed continuously, users can be tracked in near real time. Results can be plotted on a map, including the profile picture.

Risks

Even in countries with a liberal gay policy we are occasionally startled by anti-gay violence. In many other countries having a homosexual orientation can have even more serious consequences, e.g. under the Russian gay propaganda law or the death penalty in some countries in Africa and the Middle East. According to the researchers, the risks involved need to be addressed by the software publisher.

Solution

The University of Amsterdam contacted Grindr with the issues. Grindr took action immediately. Both parties agreed upon a "responsible disclosure" procedure. During the agreed timeframe the results were not shared with other parties and Grindr got the time to resolve the reported problems. On September 30th Grindr launched a new version of the app that, according to Grindr, fixed all issues. Grindr users are urged to install the update as soon as possible.

UvA SNE scores as the best Dutch Computer Science master

In the new 2013 Keuzegids Masters, System and Network Engineering scores as the best Computer Science master. Translated from Dutch, it states:

“Again the System and Network Engineering master at the UvA gets the best assessment. The students are very complimentary about the facilities. The program is very well organized; especially the focus on skills in the education is valued, as is the career preparation. The latter is okay everywhere, but the UvA is the only master to score above average on this point.”

10 Year Anniversary

In May the OS3 master will have existed for 10 years. We will celebrate this on May 31st. Put this date in your agenda.

UvA SNE Students discover weakness in banking app

Students of the UvA master System and Network Engineering discovered a serious weakness in the ABN AMRO mobile banking Android app. During a practical assignment in the course Security of Systems and Networks they discovered the possibility of a man-in-the-middle attack. The vulnerability made it possible to intercept and decrypt the secret PIN code and user account data. It was even possible to change transactions on the wire and adjust the amount and the account number to which money was transferred.

ABN AMRO was notified in a responsible disclosure procedure. The vulnerability was demonstrated to them at the UvA, where a possible fix was discussed. The bank responded very quickly and delivered a fixed version of the app. The students visited the bank to test these fixes.

The new version of the app was available to users in the Google app store on December 17th, only a few days after the bank was notified, which is very commendable.

Users who didn't update the app since are still vulnerable. These users might not be aware of the risk. The release notes only state:

“This is a security update which will make Mobiel Bankieren even more secure”.

You can read the report with the findings of Thijs Houtenbos, Jurgen Kloosterman, Javy de Koning and Bas Vlaszaty.

SNE Master doubled in size

The SNE master doubled in size: we now have a double group and a new lab, C3.154, close to the SNE research group.

More SNE/OS3 news

SNE/OS3 in the media

SNE/OS3 press releases
