
Security Vulnerability Assessment: Splashin iOS Application


Introduction

Splashin is an iOS application designed to facilitate "Senior Assassin" games, where participants are tasked with "eliminating" their targets using water guns. A key feature is location tracking, which operates differently based on subscription tiers:

  • Free Tier: Updates target locations every 10 minutes (600 seconds)
  • Premium Tier: Provides real-time location updates and additional features

Our investigation was initiated after a significant reduction in premium subscriptions was observed despite continued active usage — suggesting users had found methods to circumvent the premium model.

Vulnerabilities Discovered

CVE-2025-45156: Update Interval Bypass

Severity: HIGH

The application's backend fails to enforce the 600-second update interval restriction for free-tier users. While the client application adheres to this restriction, direct API calls can retrieve the most current location data regardless of when it was last accessed.

Affected Endpoint: /rest/v1/rpc/get_user_locations_by_user_ids_minimal

This vulnerability allows free users to poll location data at arbitrary intervals, effectively gaining real-time tracking capabilities without upgrading to premium.

CVE-2025-45157: Premium Feature Access Control Failure

Severity: CRITICAL

The application's "location request" feature, exclusively marketed as a premium feature, lacks server-side subscription validation. This function enables users to send a push notification to their target's device requesting an immediate location update.

Affected Endpoint: /rest/v1/rpc/location-request

Free users can directly call this endpoint to force targets to update their location immediately, making the 10-minute interval restriction completely ineffective.

Technical Details

Authentication Mechanism

The application uses JWT (JSON Web Token) for authentication. Upon decoding, we found that the token carries no claim describing the user's subscription level:

{
  "sub": "0842d321-9443-4ac7-bc54-ec537655ac25",
  "aud": "authenticated",
  "role": "authenticated"
}

The system only validates whether the user is authenticated, not their subscription status.

Subscription Validation Flaw

The server does maintain subscription status in game configuration responses:

"currentPlayer": {
  "id": "0842d321-9443-4ac7-bc54-ec537655ac25",
  "subscription_level": 0,
  "first_name": "Carter",
  "last_name": "LaSalle"
}

However, this subscription level is never checked during API requests to premium endpoints. The server relies entirely on client-side restrictions.

API Request Analysis

The location update request follows this structure:

// Request
{
  "gid": "bb275254-8f59-4157-b230-daac7eb34a08",
  "user_ids": ["04f76640-9e33-4cae-8065-14b1196aa76a"]
}

// Response — returns precise location data
{
  "u": "04f76640-9e33-4cae-8065-14b1196aa76a",
  "l": 34.13469944817501,
  "lo": -118.4290202711757,
  "a": "in_vehicle",
  "ac": 10,
  "up": "2025-03-18T02:01:53+00:00",
  "bl": 0.35,
  "s": 0,
  "h": 4.63,
  "c": "Los Angeles",
  "r": "CA"
}

At no point does either endpoint verify the user's subscription status before processing the request.

Proof of Concept Results

  1. Update Interval Test: Successfully retrieved location data at 5-second intervals, completely bypassing the 600-second restriction.
  2. Premium Feature Test: Successfully triggered immediate location updates from targets with server responses confirming successful requests.
  3. Combined Exploit: Achieved continuous real-time tracking with updates every 15 seconds, combining both vulnerabilities.

Impact Analysis

Business Impact

  • Revenue Loss: With these vulnerabilities, there is no incentive to purchase premium access
  • Declining Subscriptions: The reported decline despite continued usage suggests active exploitation
  • Reputation Damage: Compromises user trust in data protection

User Privacy Impact

  • Real-time locations tracked without user knowledge or consent
  • Activity tracking (walking, driving, etc.) exposed
  • Battery level data exposed, enabling additional tracking vectors

Technical Impact

  • API abuse potential through unlimited polling
  • Comprehensive location history databases could be built
  • Push notification abuse through forced location requests

Remediation Recommendations

Short-Term

  1. Implement server-side subscription validation on all premium endpoints
  2. Add rate limiting on all location endpoints
  3. Restrict location-request endpoint to premium subscribers

Long-Term

  1. Include subscription claims in JWT tokens
  2. Implement an API gateway for subscription validation
  3. Add comprehensive request logging
  4. Implement response caching with time-based access control
  5. Add client integrity verification
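As an added illustration of the short-term fixes (server-side subscription validation, restricting the location-request endpoint to premium users) and of the long-term "response caching with time-based access control" item, the following Python sketch is example code written for this post; it is not from the report, its GitHub repository, or the Splashin backend. It assumes a hypothetical in-memory Store standing in for the subscription and location tables, a hypothetical get_subscription_level() lookup of the stored subscription_level field (0 = free, as in the game configuration response above), and a hypothetical tier_from_claims() for a future JWT that carries a subscription claim; the free-tier interval is the 600 seconds stated in the report, and all other names and constants are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

FREE_TIER = 0                                  # matches "subscription_level": 0 in the report
PREMIUM_TIER = 1                               # assumed value for premium
FREE_UPDATE_INTERVAL = timedelta(seconds=600)  # free-tier interval stated in the report


@dataclass
class Location:
    lat: float
    lon: float
    updated_at: datetime


@dataclass
class Store:
    """Constructed in-memory stand-in for the subscription and location tables."""
    subscription_level: Dict[str, int] = field(default_factory=dict)
    latest_location: Dict[str, Location] = field(default_factory=dict)
    # (requester, target) -> (time served, snapshot served): the time-bucketed view free users get
    served_snapshot: Dict[Tuple[str, str], Tuple[datetime, Location]] = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the stored tier does not permit the requested operation."""


def get_subscription_level(store: Store, user_id: str) -> int:
    # Hypothetical lookup of the server-side subscription_level field, never the client's word.
    return store.subscription_level.get(user_id, FREE_TIER)


def tier_from_claims(claims: dict) -> int:
    # Hypothetical long-term option: read a subscription claim from an already
    # signature-verified JWT; a token without the claim is treated as free tier.
    return int(claims.get("subscription_level", FREE_TIER))


def location_request(store: Store, requester_id: str, target_id: str) -> bool:
    """Premium-only push request: refuse unless the stored tier is premium."""
    if get_subscription_level(store, requester_id) < PREMIUM_TIER:
        raise Forbidden("location-request requires a premium subscription")
    # A real handler would enqueue the push notification to target_id here.
    return True


def get_user_location(store: Store, requester_id: str, target_id: str,
                      now: datetime) -> Optional[Location]:
    """Enforce the free-tier interval on the server: a free user who polls faster
    than every 600 seconds keeps receiving the snapshot served at the start of the
    window, so polling rate no longer buys fresher data."""
    latest = store.latest_location.get(target_id)
    if latest is None:
        return None
    if get_subscription_level(store, requester_id) >= PREMIUM_TIER:
        return latest
    key = (requester_id, target_id)
    cached = store.served_snapshot.get(key)
    if cached is not None:
        served_at, snapshot = cached
        if now - served_at < FREE_UPDATE_INTERVAL:
            return snapshot
    store.served_snapshot[key] = (now, latest)
    return latest


def run_demo() -> dict:
    """Constructed scenario: a free and a premium requester polling one target."""
    store = Store()
    store.subscription_level.update({"free-user": FREE_TIER, "premium-user": PREMIUM_TIER})
    t0 = datetime(2025, 3, 18, 2, 0, 0, tzinfo=timezone.utc)
    store.latest_location["target"] = Location(34.13, -118.42, t0)
    results = {"premium_push": location_request(store, "premium-user", "target")}
    try:
        location_request(store, "free-user", "target")
        results["free_push_blocked"] = False
    except Forbidden:
        results["free_push_blocked"] = True
    results["free_first"] = get_user_location(store, "free-user", "target", t0).lat
    # Target moves five seconds later; the free user polls again immediately.
    store.latest_location["target"] = Location(34.14, -118.43, t0 + timedelta(seconds=5))
    t5 = t0 + timedelta(seconds=5)
    results["free_after_5s"] = get_user_location(store, "free-user", "target", t5).lat
    results["premium_after_5s"] = get_user_location(store, "premium-user", "target", t5).lat
    results["free_after_600s"] = get_user_location(
        store, "free-user", "target", t0 + FREE_UPDATE_INTERVAL).lat
    results["claim_tier"] = tier_from_claims({"sub": "x", "role": "authenticated"})
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the snapshot cache is that the interval is enforced on what the server is willing to return, not on how often the client asks, so the 5-second polling described in the proof of concept yields the same fix for the whole window. Rate limiting (short-term item 2) is still worth adding on top, but as abuse protection rather than as the mechanism that implements the tier.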

Conclusion

These vulnerabilities stem from a common architectural flaw: relying on client-side enforcement of business rules rather than implementing proper server-side validation. All identified issues can be remediated with proper server-side access control implementation.

The full technical report with proof-of-concept code is available on GitHub.