pskl.us

Following up on our story from last week, we looked more closely at applications which used SSL to encrypt communications between iPhones and remote servers in order to determine if they were transmitting iPhones’ unique identifiers.

We performed SSL MITM attacks against several of these applications to obtain the messages in the clear.

While this study is not yet complete, so far the findings show that many of these applications are using SSL to transmit UDIDs to a remote host.  For example, the “Mirror Free” application (http://itunes.apple.com/us/app/id379516970?mt=8) which emulates a mirror using the iPhone’s front-facing camera was decrypted and shown to be transmitting UDIDs to a remote host.  Here is the plaintext of a portion of the SSL conversation;  the UDID of the test phone is the string beginning with “b3d1bad” and ending with “d46b”.

00 01 00 05 65 6e 5f 55 53 00 00 00 0b 34 2e 30       en_US    4.0
2e 31 2e 38 41 33 30 36 00 00 00 01 00 00 00 98   .1.8A306
0a 28 62 33 64 31 00 00 00 00 00 00 00 00 00 00    (b3d1badxxxxxxx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   xxxxxxxxxxxxxxxx
00 00 00 00 00 00 64 34 36 62 12 13 63 6f 6d 2e   xxxxxxd46b  com.
61 70 70 63 75 62 62 79 2e 6d 69 72 72 6f 72 1d   appcubby.mirror
00 00 00 00 32 09 69 50 68 6f 6e 65 33 2c 31 3a       2 iPhone3,1:
03 34 31 30 42 03 33 31 30 48 04 52 14 5d c8 f9    410B 310H R ]
23 42 65 ac e5 96 c2 6d 00 00 80 c0 7d 00 40 97   #Be    m    } @
47 58 c0 02 60 e0 03 68 90 01 70 02 7a 03 34 31   GX  `  h  p z 41
30 82 01 03 33 31 30 88 01 00 92 01 03 35 37 30   0   310      570
b2 01 05 65 6e 5f 55 53 00 00 00 0b 00 00 00 09      en_US
0a 05 08 c0 02 10 32 10 01 00 00 00 0c 00 00 00         2
00 00 00 00 0c 00 00 00 00 00 00 00 0c 00 00 00

We studied the following applications from our paper and confirmed they are transmitting UDIDs via SSL:

• Bed Intruder Soundboard
• Color Fill
• Galaxy on Fire
• I Bomber 2
• Mirror Free
• Mr.  Runner
• Pimple Popper

In most of the cases where SSL was used, communication terminated on the qwapi.com network.  The SSL certificate used on the servers on this domain indicate the name of the company is Quattro Wireless.

Quattro Wireless was acquired by Apple and is responsible for serving advertisements through the iAd system.  Quattro Wireless’s website went down after the acquisition, but the Wayback Machine cached the content.    In 2008 they boasted the following capabilities:

Quattro works with our agency partners to devise media plans to leverage our engaged audience based on partner goals and key targeting ideals: contextual, demographic information when available for both on and off deck sources, registration data, behavioral profiling and clustering. Targeting is available throughout the Quattro Network based on:

Channel, country, carrier, handset, time of day, Geo, demographic and mobile behavior across the Network

Standard Web advertising capabilities such as Frequency Capping, Pacing and Smoothing are available on a per campaign basis.

Sound familiar?