pskl.us

Tag: Application Development

iPhone Privacy: What about the SSL Apps?

by on Oct.05, 2010, under Presentations, Security

Following up on our story from last week, we looked more closely at applications which used SSL to encrypt communications between iPhones and remote servers in order to determine if they were transmitting iPhones’ unique identifiers.

We performed SSL MITM attacks against several of these applications to obtain the messages in the clear.

While this study is not yet complete, the findings so far show that many of these applications are using SSL to transmit UDIDs to a remote host. For example, the “Mirror Free” application (http://itunes.apple.com/us/app/id379516970?mt=8), which emulates a mirror using the iPhone’s front-facing camera, was decrypted and shown to be transmitting UDIDs to a remote host. Here is the plaintext of a portion of the SSL conversation; the UDID of the test phone is the string beginning with “b3d1bad” and ending with “d46b”.

00 01 00 05 65 6e 5f 55 53 00 00 00 0b 34 2e 30       en_US    4.0
2e 31 2e 38 41 33 30 36 00 00 00 01 00 00 00 98   .1.8A306
0a 28 62 33 64 31 00 00 00 00 00 00 00 00 00 00    (b3d1badxxxxxxx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   xxxxxxxxxxxxxxxx
00 00 00 00 00 00 64 34 36 62 12 13 63 6f 6d 2e   xxxxxxd46b  com.
61 70 70 63 75 62 62 79 2e 6d 69 72 72 6f 72 1d   appcubby.mirror
00 00 00 00 32 09 69 50 68 6f 6e 65 33 2c 31 3a       2 iPhone3,1:
03 34 31 30 42 03 33 31 30 48 04 52 14 5d c8 f9    410B 310H R ]
23 42 65 ac e5 96 c2 6d 00 00 80 c0 7d 00 40 97   #Be    m    } @
47 58 c0 02 60 e0 03 68 90 01 70 02 7a 03 34 31   GX  `  h  p z 41
30 82 01 03 33 31 30 88 01 00 92 01 03 35 37 30   0   310      570
b2 01 05 65 6e 5f 55 53 00 00 00 0b 00 00 00 09      en_US
0a 05 08 c0 02 10 32 10 01 00 00 00 0c 00 00 00         2
00 00 00 00 0c 00 00 00 00 00 00 00 0c 00 00 00
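
A way to check a decrypted capture from your own test device for this kind of leak, as an added example that is not part of the original post: it rebuilds the bytes from a dump in the layout shown above and reports every 40-character hex run, flagging the test device's own UDID. The sample dump, UDID and bundle id are constructed; the length-prefix check mirrors the 28 (decimal 40) byte that precedes the identifier in the dump above.

```python
import re

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")
# 40 hex characters (the UDID length in the dump above), not part of a longer hex run.
UDID_RUN = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")

# Constructed capture in the page's dump layout; the UDID and bundle id are made up.
SAMPLE_DUMP = """\
00 05 65 6e 5f 55 53 0a 28 30 31 32 33 34 35 36   ..en_US.(0123456
37 38 39 61 62 63 64 65 66 30 31 32 33 34 35 36   789abcdef0123456
37 38 39 61 62 63 64 65 66 30 31 32 33 34 35 36   789abcdef0123456
37 12 0f 63 6f 6d 2e 65 78 61 6d 70 6c 65 2e 61   7..com.example.a
70 70                                             pp
"""
TEST_DEVICE_UDID = "0123456789abcdef0123456789abcdef01234567"  # constructed


def parse_hexdump(text):
    """Rebuild raw bytes from 'hh hh ... ascii' lines, at most 16 bytes per line."""
    out = bytearray()
    for line in text.splitlines():
        for count, tok in enumerate(line.split()):
            if count == 16 or not HEX_BYTE.fullmatch(tok):
                break  # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def find_identifiers(payload, known_udid=None):
    """List every 40-hex-character run with its offset and what is known about it."""
    hits = []
    for m in UDID_RUN.finditer(payload):
        value = m.group().decode("ascii").lower()
        hits.append({
            "offset": m.start(),
            "value": value,
            # True when the preceding byte is 0x28 (40), as in the page's dump.
            "length_prefixed": m.start() > 0 and payload[m.start() - 1] == 40,
            "is_test_device": known_udid is not None and value == known_udid.lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_identifiers(parse_hexdump(SAMPLE_DUMP), TEST_DEVICE_UDID):
        print(hit)
```
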

We studied the following applications from our paper and confirmed they are transmitting UDIDs via SSL:

  • Bed Intruder Soundboard
  • Color Fill
  • Galaxy on Fire
  • I Bomber 2
  • Mirror Free
  • Mr. Runner
  • Pimple Popper

In most of the cases where SSL was used, communication terminated on the qwapi.com network. The SSL certificate used on the servers in this domain indicates that the name of the company is Quattro Wireless.

[Image: qwapi-certificate]

Quattro Wireless was acquired by Apple and is responsible for serving advertisements through the iAd system. Quattro Wireless’s website went down after the acquisition, but the Wayback Machine cached the content. In 2008 they boasted the following capabilities:

Quattro works with our agency partners to devise media plans to leverage our engaged audience based on partner goals and key targeting ideals: contextual, demographic information when available for both on and off deck sources, registration data, behavioral profiling and clustering. Targeting is available throughout the Quattro Network based on:

Channel, country, carrier, handset, time of day, Geo, demographic and mobile behavior across the Network

Standard Web advertising capabilities such as Frequency Capping, Pacing and Smoothing are available on a per campaign basis.

Sound familiar?


iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)

by on Sep.30, 2010, under Group News, Presentations, Security

Executive Summary

In 1999, Intel released its newest CPU — the Pentium 3.  Each processor included a unique serial number, visible to any software installed on the system.  A product backlash quickly developed as privacy rights groups realized that this serial number could be used to track users’ online behavior.  The industry, along with trade groups and governments, blasted this new feature; many governments went as far as proposing legislation to ban the use of Pentium 3 CPUs.  Following the outcry, Intel quickly removed the serial number feature from their processor line, never to be re-introduced.

Fast forward a decade to the introduction of Apple’s iPhone platform. Much like the Pentium 3, devices running the Apple iPhone operating system (iOS), including Apple iPhones, iPads, and iPod Touches, feature a software-readable serial number – a “Unique Device Identifier,” or UDID. In order to determine if the privacy fears surrounding the Pentium 3 have manifested themselves on the iPhone platform, we studied a number of iPhone apps from the “Most Popular” and “Top Free” categories in Apple’s App Store. For these applications, we collected and analyzed the data being transmitted between installed applications and remote servers using several open source tools. We found that 68% of these applications were transmitting UDIDs to servers under the application vendor’s control each time the application was launched. Furthermore, 18% of the applications tested encrypted their communications such that it was not clear what type of data was being shared. A scant 14% of the tested applications appear to be clean. We also confirmed that some applications are able to link the UDID to a real-world identity.

The iPhone’s UDID is eerily similar to the Pentium 3’s Processor Serial Number (PSN).  While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID.  As UDIDs can be readily linked to personally-identifiable information, the “Big Brother” concerns from the Pentium 3 era should be a concern for today’s iPhone users as well.

The full report is available here:  iPhone-Applications-Privacy-Issues.pdf.

Update:  iPhone Privacy:  What about the SSL Apps? (10/5/2010)


