iPhone Privacy: What about the SSL Apps?
by Eric on Oct.05, 2010, under Presentations, Security
Following up on our story from last week, we looked more closely at applications which used SSL to encrypt communications between iPhones and remote servers in order to determine if they were transmitting iPhones’ unique identifiers.
We performed SSL MITM attacks against several of these applications to obtain the messages in the clear.
While this study is not yet complete, so far the findings show that many of these applications are using SSL to transmit UDIDs to a remote host. For example, the “Mirror Free” application (http://itunes.apple.com/us/app/id379516970?mt=8) which emulates a mirror using the iPhone’s front-facing camera was decrypted and shown to be transmitting UDIDs to a remote host. Here is the plaintext of a portion of the SSL conversation; the UDID of the test phone is the string beginning with “b3d1bad” and ending with “d46b”.
00 01 00 05 65 6e 5f 55 53 00 00 00 0b 34 2e 30  en_US 4.0
2e 31 2e 38 41 33 30 36 00 00 00 01 00 00 00 98  .1.8A306
0a 28 62 33 64 31 00 00 00 00 00 00 00 00 00 00  (b3d1badxxxxxxx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  xxxxxxxxxxxxxxxx
00 00 00 00 00 00 64 34 36 62 12 13 63 6f 6d 2e  xxxxxxd46b com.
61 70 70 63 75 62 62 79 2e 6d 69 72 72 6f 72 1d  appcubby.mirror
00 00 00 00 32 09 69 50 68 6f 6e 65 33 2c 31 3a  2 iPhone3,1:
03 34 31 30 42 03 33 31 30 48 04 52 14 5d c8 f9  410B 310H R ]
23 42 65 ac e5 96 c2 6d 00 00 80 c0 7d 00 40 97  #Be m } @
47 58 c0 02 60 e0 03 68 90 01 70 02 7a 03 34 31  GX ` h p z 41
30 82 01 03 33 31 30 88 01 00 92 01 03 35 37 30  0 310 570
b2 01 05 65 6e 5f 55 53 00 00 00 0b 00 00 00 09  en_US
0a 05 08 c0 02 10 32 10 01 00 00 00 0c 00 00 00  2
00 00 00 00 0c 00 00 00 00 00 00 00 0c 00 00 00
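The same check can be automated when auditing your own test device: the added example below (not code from the original study) scans a decrypted payload for a known UDID. It goes beyond the plaintext case shown above by also looking for upper-case, raw-byte and SHA-1 forms; the UDID and payload are constructed sample values, with the payload laid out like the first rows of the dump.

```python
import hashlib

def udid_encodings(udid_hex):
    """Map label -> byte form in which a 40-hex-digit UDID could be sent."""
    u = udid_hex.strip().lower()
    if len(u) != 40:
        raise ValueError("expected a 40-hex-digit UDID")
    raw = bytes.fromhex(u)  # also rejects non-hex characters
    forms = {
        "ascii-lower": u.encode(),
        "ascii-upper": u.upper().encode(),
        "raw-20-bytes": raw,
        "sha1-hex-of-ascii": hashlib.sha1(u.encode()).hexdigest().encode(),
    }
    unique = {}
    for label, needle in forms.items():
        unique.setdefault(needle, label)  # all-digit UDID: upper == lower
    return {label: needle for needle, label in unique.items()}

def find_udid(payload, udid_hex):
    """Return sorted (offset, label) for each encoding found in payload."""
    hits = []
    for label, needle in udid_encodings(udid_hex).items():
        pos = payload.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = payload.find(needle, pos + 1)
    return sorted(hits)

# Constructed sample values (not taken from any real device or capture).
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_PAYLOAD = (
    b"\x00\x01\x00\x05en_US\x00\x00\x00\x0b4.0.1.8A306"
    b"\x00\x00\x00\x01\x00\x00\x00\x98\x0a\x28"  # 0x28 = 40, the ASCII UDID length
    + SAMPLE_UDID.encode()
    + b"\x12\x13com.appcubby.mirror"
)

if __name__ == "__main__":
    for offset, label in find_udid(SAMPLE_PAYLOAD, SAMPLE_UDID):
        print(f"UDID found at offset {offset} ({label})")
```

An empty result only shows that none of these particular encodings is present; a salted or keyed transform of the identifier would not be caught.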
We studied the following applications from our paper and confirmed they are transmitting UDIDs via SSL:
- Bed Intruder Soundboard
- Color Fill
- Galaxy on Fire
- I Bomber 2
- Mirror Free
- Mr. Runner
- Pimple Popper
In most of the cases where SSL was used, communication terminated on the qwapi.com network. The SSL certificate used by the servers on this domain indicates that the name of the company is Quattro Wireless.
Quattro Wireless was acquired by Apple and is responsible for serving advertisements through the iAd system. Quattro Wireless’s website went down after the acquisition, but the Wayback Machine cached the content. In 2008 they boasted the following capabilities:
Quattro works with our agency partners to devise media plans to leverage our engaged audience based on partner goals and key targeting ideals: contextual, demographic information when available for both on and off deck sources, registration data, behavioral profiling and clustering. Targeting is available throughout the Quattro Network based on:
Channel, country, carrier, handset, time of day, Geo, demographic and mobile behavior across the Network
Standard Web advertising capabilities such as Frequency Capping, Pacing and Smoothing are available on a per campaign basis.
Sound familiar?
3 Comments for this entry
1 Trackback or Pingback for this entry
- Technology, Thoughts, and Trinkets » Do You Know Who Your iPhone’s Been Calling?
October 24th, 2010 on 2:51 pm
[…] data Smith can determine the receiving host, but not what is actually transmitted to that host. Where traffic terminates at qwapi.com, the receiver is responsible for iAds, but it is less obvious who other receivers are, their […]
October 11th, 2010 on 6:19 pm
Hey mate! Your post rocks 😀 Blog just bookmarked !!
October 12th, 2010 on 2:53 am
Hi,
Just wanted to break my nasty habit of visiting your website, just reading and not participating! 🙂 I promise I'll post more!, heh 😀
Keep up the awesome work,
greetings from Amsterdam
February 1st, 2011 on 6:02 pm
To understand the textual content messaging capability of your iPhone, begin by including family and friends to your contact list. This way, sending and receiving text messages is easier.