eric smith report - amanda ladas vs. apple case

This is the 1s Affidavit ofEric Smith in this case andwas made on the 5ft day ofOclober,20't2,

Action No. 5112969Vancouver Registry

IN SUPREME COURT OF BRITISH COLUMBIA

Between:

And:

Amanda Elizabeth Ladas

Plaintiff

Apple lnc.

.Brought under the Class Proceedings AcI,RSBC '1996, c. 50" ndant

AFFIDAVIT

l, Eric Smith, lnformation Security, Networking and Systems Administration

Professional, clo Suite 302-1224 Hamilton Street, in the City of Vancouver, Province of

British Columbia, MAKE OATH AND SAY THAT:

1. Attached hereto and marked as Exhibit "4" to this my affidavit is a true copy of

my expert report herein dated September 2012.

SWORN BEFORE ME at the City ofjnn¡tø¡ø P4,in tne Cou¡rr' oí

¡/,oç7øuk , this Sntday ofOctober, 2012.

GenLiV9ST2laff#1 of Eric Smith

iOS4x Operating System Privacy Issues

Section L : IntroductionThis report was prepared by Eric Smith of Danville, Pennsylvania. My areas of expertiseinclude: information network design, information security, and analysis of electronic datatransmissions. A curriculum vitae outlining my education, certification, and experience isincluded as an appendix to this report.

Instructions Provi.ded ønd Nature of Opinion SoughtI was asked to prepare a report describing the methods by which the physical location of an

iOS4x device could be shared with outside parties including the Apple Corporation as it relatesto the report prepared by Francis Graf in connection with the Plaintiff's claims made in theAction.

OpinionMy opinion and findings are detailed in Section 3: Conclusions.

Reasons for OpinionThe reasons for my opinion are based on the findings outlined in this report.

AssumptionsThis report assumes an unmodified Apple smart device (e.g.,iPhone) running the iOS4xoperating system is used in a routine fashion by its owner.

MethodologyComplete details as to the methodology of investigations performedSection 2: Methodology.

Advice ønd C ertificøtionI certify that I am aware of my duty to assist the court and not be an advocate for any party, that Ihave made this report in conformity with that duty, and that I will, if called on to give oral orwritten testimony, give that testimony in conformity with that duty.

I am responsible for the contents of this report.

Respectfully submitted,

Exhibit "A"

<slgnature> Thrs rs Ixhrb¡t A " reierred to ,n lhe

in this report are included in

arrrrjavrt or Ladgs. -Vlanle,Lnc,sworn bero,e .,- r, Ð+L//iå.w.*n.Sunut u

Eric Smith

Eric Smithwww.pskl.us Kar€n C. Drumheller, Notary hrblic

Cooper Twp, Mqrto¡r Cor¡ntyconnission expircs Ianu¡¡v lL2016

20 l.a.

iOS4x Operating System Privacy Issues:An Analysis of Data Transmitted from an Apple

Device to the Apple Corporation

Re: Ladas v. Apple fnc.Supreme Court of BC Action No. 5112969, Vancouver

Registry

Prepared ByEric Smith

September 2012


ContentsList of Figures ............... ................... 3

Section 1: Introduction............... ......................... 4Instructions Provided and Nature of Opinion Sought....... ....................4Opinion .....................4Reasons for Opinion ....................44ssumptions................. ................4Methodology................ ................4Advice and Certification........... ......................4

Section 2: Methodology........... .............'..............5Phase One: Analysis of an Idle Device ........ 15

Phase One Analysis, Part One: Initial Phone-Home Analysis.. ......... 15

Phase One Analysis, Part Two: Periodic Phone-Home Analysis............... ..........23Phase Two: Analysis of IOS4 Communications during Device Usage........ ........26Phase Two, Part I: Installing Applications ................ .....26Phase Two, Part II: Downloading Media................. .......29Phase Two, Part Itr: Using Applications................ ........ 31

Section 3: Conclusions............. ......33Appendix... .................. 35Appendix A: Extraction of Geolocation Data from the WIGLE Database .........-... 36

Eric Smithwww.pskl.us


List of FiguresFigure 1: The iOS4x Device Studied...... ............ 5

Figure 2: T\e Laboratory Data Network ............... ............... 6

Figure 3: iOS4x Network Configuration Page...... ................ 7Figure 4: Proxy Server Configuration............... .................... 8Figure 5: PD( 515 Firewall Configuration............. ............... 8Figure 6: Generation of a RSA Keypair ................ ............... 9Figure 7: Creation of a Certificate Signing Request...... ...... 10Figure 8: Creating the Signed Certificate ........ I IFigure 9: Combining the Keys and Certificate ................... 11

Figure 10: The Initial "Install Profile" Screen ....................12Figure 11: Certificate Installation Warning Screen ............ 13

Figure 12: Trusted Root CA Installation Complete... .........14Figure 13: Connection to gs-loc.apple.com........... ............. 16

Figure 14: Security Certificate for gs-loc.apple.com.. ........17Figure 15: Data Transmitted to gsJoc.apple.com...... ,........ 18

Figure 16: Response from gsJoc,apple.com, Page I of 2 ......... ............ 19

Figure 17: Response from gs-loc.apple.com, Page 2 of 2 .....................20Figure 18: Ethernet MAC Address of the Cisco l23l AP..... ................21Figure 19: WIGLE Cross-Reference Data... .......................22Figure 20: WIGLE.net Locations of Access Points Found in the Apple Data .........22Figure 2l: Data Uploaded to iphone-services.apple.com.......... ............23Figure 22: Wtreless MAC Address of the Cisco 1130 Access Point.......... ..............24Figure 23: Periodic Data Upload to iphone-services.apple.com.............. .................25Figure 24: T\e iOS4 App Store.......... .............26Figure 25: Information Required to Obtain an Apple ID ............. .........27Figure 26: Logglng into Apple's App Store on the iOS4x device. ........28Figure 27: App Store Login and Subsequent Transmission of the AppleID and Password to4pp1e......... ..................29Figure 28: Purchasing music via the iTunes application ....................... 30Figure 29: Loggng into iTunes to Purchase Music...... ...... 30Figure 30: iTunes Login and Subsequent Transmission of the AppleID and Password to Apple3lFigure 31: An IOS Application using the iAd System ........32Figure 32: Relationships between Collected Data.......... .......................34



SectÍon 2: Methodology

For the investigations outlined in this report, an Apple iPhone 3GS running iOS version 4.3.3(Figure 1) was used. For the purposes of this study, a device with an inactive cellular connectionwas employed so we could insure that all data transiting the device would pass through the builrin 802.11 WiFit connection and not a cellular telephone network.

No s¿n lce â 1l:37 AM -

Songs

Videos

Photos

Applications

Capacity

Available

Version

Carrier

Model

289

89

14,3 GB

10.0 GB

4.3.3 (8J2)

AT&T 10.0

MC135LL

167

21

Figure 1: The iOS4x Device Studied

Note the "No Service" icon which indicates the absence of a cellular data connection.

To determine the extent to which location data was being automatically shared with Apple, a

wireless network was created in a laboratory setting so that any data transmitted via the device'sbuilrin WiFi radio could be collected and analyzed (Figure 2). The networking hardware usedin for this investigation consisted of a Cisco wireless access point model 1130 and a Ciscowireless access point model1231, both connected through a Cisco 3550 24-port Ethemet switchto a Cisco PD( 515 firewall. The PD( 515 was configured so it provided network addresstranslated (NAT)z intemet access to any devices which connected to the Cisco wireless accesspoint. Several Intel-PC based workstations were also connected to the Cisco 3550 Ethernetswitch so traffic ffansmitted through the wireless network could be analyzed.

t http://en.wikiped.ia.org/wiki/Wi-Fi2

http ://en.wikiped.ia. org/wiki/Network-address-translation



Figure 2: The Laboratory Data Network

By design, switched Ethernet networks do not permit the inspection of traffic by a monitoringstation. In order to bypass this limitation, proxy software was installed on the Intel-PC computersystems. The proxy software used in this investigation includes the Charles Debugging Proxy3,MITM Proxya, and Ettercap5. The Intel-PC computer systems ran the Microsoft Windows 7

and Backtrack Linux6 operating systems.

In order to direct network traffic from the iOS4x device through the appropriate proxy server, theiOS4x device was connected to the lab's wireless network. A static IP address and subnet maskwere configured as shown in Figure 3.

3 http ://www.charlesproxy.com./a http://mitmproxy.org/5 http://ettercap.sourceforge.net/6 http ://www.backtrackJinux.orgl


Ethernet Switch (3550) PIX 515 Firewall Intemet/\

z-_4r-

)

))

- \ t--/1___/

WiFi AP +2(l l 30)

IOS4x DeviceWireless Connection

Wiled Connection

Intel-PC S¡olkstation s

wiFi AP #1(123 l)

-.trEOE-EI: !c "

3?to


Forgel fhþ l,letwork

tP Adtlress

DHCP

lP Address

Subnet Mask

Router

DNS

192.168.254.111

255.255.255.0

8.8.8.8

Search Domains

. l{TTÞ ÞraYvFigure 3: iOS4x Network Configuration Page

In order to route traffic through the proxy server(s) for analysis, the iOS4x device wasconfrgured to use a proxy server as shown in Figure 4.



No Sen lce â 9:26 PM

Router

DNS

Searcir Domains

HTTP Proxy

8.8.8.8

off Auto

Server 192.168.254.1

Port

Authent¡cat¡on

8888

OFF

Figure 4: Proxy Server Configuration

The Cisco PD( model 515 f,rrewall was configured to drop any network traffic from the iOS4xdevice, other than Domain Name Server lookups. This prevented any trafhc from leaving thelaboratory network in any fashion other than through the configured proxy server. The relevantconfiguration of the PD( 515 firewall is shown in Figure 5.

Figure 5: PD( 515 Firewall Configuration

This configuration allows for the interception and analysis of unencrypted traffic. Much of thecommunications between an iOS4x device and Apple's servers is encrypted in order to protect itfrom eavesdropping and modification while in transit across the global internet. In order toanalyze those communications which are encrypted using the industry-standard Transport Layer


Manual

EIL¿b F¡Rðll PDO15 - s$irtcRfFile Ed¡t V¡ry options lranfer Script Toole ttfndou Help

JÐ :S q, Æ g É* A

E@

E. 11 12 Ro¡¡¡. 98 Cols VT1@

q E s És

iOS4x Operating S1'stem Privacy Issues

Security? suite of protocols, it is necessary to obtain a root certiñcate8 (root CA) which is trustedby the device to be studied. With such a certificate in hand, it is possible to bypass thisencryption ¡1fl s¡amine the plain-text content of such messages.

The process for creation and importation of a root CA is as follows. The OpenSSL suite oftoolse was used to create a 1,024-bitRSA publicþrivate key pairr0 as seen in Figure 6. Acertifrcate signing request (CSR)tt was then created from this newly-generated RSA keypair. Aself-signed security certificate was then generated in PEMr2 format based on the generated keysand the data provided during the creation of the CSR. The certificate and RSA keypair aresubsequently rnerged into a single file in PKCS 1 213 fonnat for use by the proxy tools.

IejsmiLlrßec2 23 2l-40 247 *]$,r¡rerr>sL Berìrsd -ouL ios4.keU 1024

GeneraLing RÍiÊ ¡;rivate keLr. 1024 biL lc,rrg mc'rltiltrs

"'t='OSS:; ((r:10001)

Ie jsmrthGec2-23 2L 40 247 -]'$ cat ios4.l..egBILìIII IìSÊ PRlVA f t KTY

I'lTTflXÊTBâflHBgttt ifrc2FlrpgsTsUQ+nr/S.[)xß3FiepzmkVS'1FTt0l'lll4ßrì8my:iTHAt4qImsXupZJDgclç¡B0Gv04BedRILNXLVN6CHVÌEIY+pr¡ET0G0+rrSl'lHKG3Frl5f,:xÊmIdBô1n6 tl'15Q50 Xc llf LsZrll/5U1b ¡0.rf k 5BJI z3B Zd I vSL t q V.jclCnlL I m6Qi,rI DrìQâBÊùlìfìJ+gVlljþl2rlcUqo3RPIclu0n0rHBnDhzB/6aif42l'lial-i3Z6mVffLrxa.rlG./*dpUS,r'/c lPb4FeQZt¡v I Y42HJb4ODorf qm4BSl;' ¡¡r /,¡l XmÊvQG -98 ,1Fl,l/Q LP,/oÊ+uL i oKelìtglNp00L0llej[iCbtxoCuYrllYaûStguPeXlI:JcY.:,gsìFszkCQQIIPNc¡mPJt(r¡Ixl'172trJg09vQlrrt'l[Ì<lx c¡5DsHk zeheZYNl SF lHfìnRx 5R S5 /e 7E C HYF QSro3TpNV5 x XB 7 m SL/udqqt'lG 1ÊkÊA ç¡l'1DB¡r l0mTur4m9Ac / /û4lJt Dl H3 r og<¡r ZHF i I K1;lrL lrnam /ÉìF x m T0f loqqt¡nSns :10{E go9XlVSeSZ¡+iVVFAF Ts3QJBAl4SC3B.jeRXBnE ¡IXp2/aeltdDbh54els08l'16¡>tLrS/¡rIrlLgpHtìe¡r9¡rìdgi3t¡:<,1auÊSQlc¡4X5a+onullvllif3l'lhBllQGhlmU /.ì jF 7 s r r dc ltlX4 rBI g ì ml'1Þ|1 tJN ZBL xÈm qGt. ll'l jNLlÌll',.itlNF- xLì1gc¡r Z I z tl ¡ Z N lg t [lQtr¡SlrFllgYD¡+7ot]pm.ìFCQBP9Qûek.r,loF'T.lFQl'l09lPT0xl:i201ìuFNl0utQv0lìì0.1k k k.1 G a D H a t¡ F 8 0 z F I u P Cp Xtr6R 3 P n /0,¡ 2 I tl h -ì l> <l u l, 9 v k 4 =- -END RSÊ PRIVÊTE KEY

IejsmiLlr@ec2-23 27 40 ?47 -]$

Figure 6: Generation of a RSA Keypair

7 http://en.wiki pedia.org/wikiÆransport-[-ayer-Security8 http://en. wikiped-ia.org/wiki/Root-certifi catee http://www. openssl.org/t0 http://en.wikipedia. org/wiki/Public-key-cryptogr-aphyI I http://en.wìkipedia. org/wiki/Certificate-sigrrhg-request' t http://en.wikipedia.org/wiki lX.509

| 3 http ://en. wikipedia. org/wikiiPKcS


iOS4x Operating S1's1sm privacy Issues

Eric Smithltww.pskl.us

[email protected] 21 40 24Ì "lS operr>:L r e.ì -rìed ket¡ ios4.ket1 -otr[ ìo¡4,trrYoL¡ are al¡out lo be asl erl to erìter i¡rlorm¡tion that u.iÌ-I he incorporaledittto gour certificate re(luest.I'lhat gotr are aboul tô érrter rs uhal i; c¡rllerl a Distrngrrishetl Name or a Dll ,

There are (luìle ¡ {eu frr.ìrlr bu'l yo,r,-an ìoave sLrme bìankFor some {ieÌ.ls there ur.lì [>c a dela¡rlt valL¡c-If gotr e¡lter - . -, the lielrl r¡ill he l':f I Ì¡l:.rtk.

Courrtrg Name (2 letter cocle) LXXI:CÈSLaLe or Province Name (full namei []:BCLocalii-g Nlmc (cg. citg) [Dcl¡ult Cì t r.¡ì:Varrcorrvcr0rgatrization Nane (c-g, com¡rarrg.r IDel.rulL tom¡rang f ¿¡l ]:pskl ,rrs0rganizatior¡al Llnit Name (cg. se<;t. lon) []:Commoll Nanre (eg. rlLìLrì- rrafiÉ or- (l(,uf ser ver': Itostnanre) []:Email A,ltlr ess [ ] :

Please errter t-l¡e folì otrirrg 'exi-ra' .rlLrib¡,¡Lesto be sent L,rrth gour certifrcate rerlresLA rhal I errge ¡rassuorrl [ ì :

Êrr o¡rtional com¡ra11U rrÃme II:

-__- BEGIN CERT]FIIfITE RÉQUEST-- .I'tllB{ zCBti0ILìAUtsAlt1ûsuCQYLlV0tìlìLr¡JDtlìtl l'lfìktìAlULCÊirCQkl'lxL jÊQLlgNVBAcIlC VZhl¡mNvdXZlc ¡E 0llA4 Gê1LlE[ìguHc HNr l;C 51c u C Brr zANB gk clhkiGSuOBAQt FrìÊCtBjQAugYkCgYEAon66Nhl,l6Y0Ll9Sl.PplLln0:0d0X,¡c5¡:FUtRCLì jFuAZ/JsUiÊADH.i.lrF BKI'ISQ4HcgUB rt¡+ PHr'LIXU zV¡r1T c ghl ZR C GP, ¡,;lr F 9B LPc¡6 * V lruht xTuRXflQJpXGctZ +rTûU0dF3F ng 7Ga 1v+ VNI'14 zmhZ0 QSSH9 ul,lXSL 0i 7,¡ I Y 3Q¡r S95ZtrkllCfluE lflalì lrHâ0tCSqûSIl;3DQtßß0Llf lÊ4 CiBÊJnLeA.l bur Yu,iR / XI.{0 LNPt3uRUc¡^2T,iPP o0 c¡u f !tig0sCYûec¡e0Pû¡f-,mlbl(rttDTl'l0rc9DerC0lJs.ll;5Dl¡iz5rJI:ll(Oe'JLl,lhNN'5l,lpYYCrvUZ3nXÊXR*f 00UGm.gL S!ì¡r.ìV\'0RoQ016.' jlll EVUE jmHul'lSFl,leSE0rlTmVluoe+sA71 i05__- __END CERTIFICÊTE RIOIIEST

Ie,jsmithf4ec2 2:3-2I-4Ô-i:47 "]$ cat r,r:;4. csr

le.ìsmith@ec2 23 21 4A 24ì -ls

Figure 7: Creation of a Certilicate Signing Request

10

iOS4x Operatìng S1'stem Privacy Issues

In order for the device to accepl and use those certificates signed by this newly-created root C,{,the certificate must be manually irnported into the device to be studìed and configured as a valid

Eric Smithwww.pskl.us 1l

L-19

JÐ A q z s É Ì1 ?

s:h2: AÉS-128 10, l1 25 Ro$,s,102 C"l, f]l{_

IejsmithGcc2-23-?l-40-247 -J$ o¡>crrssl x509 -clags 3650 -:ignkcg ios.l,kcg -in ios4.csr -rccl outir-'s4.crtSigrratrrr-e ok:ub jcct /C-L A /ST-BC /L-V.rnco¡ rvcr /0-¡rsk.l . rrcGel I i rrg Pri val e ket¡Iejsm-iLlr@ee2-23-21-40-247 -]$ mor e ios4.cr L

- -BEGINl]ERT_tltCÊ]t-----llT TB9 zC Cfil,llìC 0QDF u 7 r 1 g0,r c a zn NBgk(thk i GSU 0 BflQtJFttìBfìÌlQ s uCQYDVQQGF uJtl8T tLl'lAk ûA1Ut üAut Qk Ì'lxt ¡A QBgN V ù Acill VZ lrl¡m NvclXZI c j tQll A4 GAIUt I gullc llNrbU51c zÊel- r¡0x14 jA5ilLJYxNIJlllN I Jal- u0gl4 ¡ASl'llJQxNDlllN t Jal'lEAxC zÊJBgNVBAY I

r'\ k NB14Qs uCQYII\¡QQT U¡lJCQ z F S 14BfiG ñ 1 tJFBuu.lVm F r rY291dm VgÌl RfìuDgYD VQOHDfiduc 2 t sL n V zl'lIG f FlAott:ìqûSIbli0Qt BfìQUÊrì4 r:iNAD t ß iQKB gQCi I r o 2t bpg 5T 3sQ r nVSctxB3RepzmkVSlLIt0lll,l4Br'SmxSlAÊllqlnsXuplJUgtlytìQGvU4SedRfLNXLVNtìCHVì FIY+pUFTtrG0*rr5l.lHKG3F05FcxAnì rlB{ì1nGt I'l5Q50Xcl,l1l s/rll.z5tll b¡0nFl.5B JI z3BZdIvSL t r¡V.¡rlC rilLl mGQUIDAQÊBl'lfi0GCSt¡tìSIh3DQtßB0UAA4GBACf ql 1Ik0qbCUCm IrvPQrrgegvt¡lJL/9QIlBoRKkf rrJi+9 Ihf iel,l/Sn/XxNRpctr*UbldKiQXmrìVG0RBF j z lRgtCXkNE zFP0afN2ll>Y3vb/X20tl8cX2dL1mtDPl ¡liYBk 4JHrLrtoBs03J0It q Zl65SkVYt pl'l 7tlp ¡1Zk ¡¡TaELeSX x zh95mNNk-----t Nil ct Rt il tlÂtt-----Icjsmith@cc2 23-21-40-247 -].$ I

Figure 8l Creating the Signed Certihcate

JÐ àl qã sÉ*&9 ?

!slì2 AE5-I28 1.7. ll 25 Ræ110.? Col. '/T1m

ejsmitlrOec2-23-2I-40-241'-J$ o¡>etrssl pkcs12 -export -out ios4.¡>lx -inkeg ios4.l,.eg -itr ios4.crtnler Fxport Passuorrl:

Verilging frrter Ex¡>ort Passuorcl:Ie jsmi-th0ec2-23-21-40-24/ -]$le,jsmitlr@ee2 23-?1-40-?4/ -l$ more ios4.¡ilx

0 0 + rH+iift R 6ç ñ @ ûñòHi+iúyt¡oß c {ð à-t LõûLKòCñ^LY.l ix ". ^?'licL oiìo.Jcú t0cI.1i zÆòÜ1,/- >i 0 ÌÐ$ L$',Ò> irêõó=N ö;i/:¿il c èI0-óô¡'Ä>c+âoÞ"v^ Eir À

1U5S7' ; *:# õijPiô ¿0 â0 p('rñ. "RËS-PÌ i 6fi<- -c 6ÊNACó B C.F óf ;T ó¿0 ù * H ='L r H -l0 c0

Ic jsm-ith@cc2-23-21-40-247 - ]$Ie.jsmith@ec2-23-21-40-?47'']$ ls -l ios4.¡rl-x-ru r u-r'-- 1 ejsmiLh ejsmiLlr 1525 5ep b 10:3/ ios4.¡r1xIcjsmithGec2 23-21-40-24/ -]$[e,ismitlr@e,:2 23 21 40 247 ^]1' I

Figure 9: Combining the Keys and Certificate


root CA. On an iOS4x device, this is accomplished by viewing the "ios4.crt" file (Figure 8) inthe Safari web browser on the device. \Vhen the Satari web browser encounters a securitycertificate in PEM format, the "Install Profile" screen appears as shown in Figure 10.

Figure 10: The Initial "fnstall Ptollle" Screen

'When the user clicks "Install", the warning screen as shown in Figure 11 is presented to the user.

Eric Smithwww.pskl.us t2

Recelv€d Sep 1,2012

lnstaf¡


The authenticity of "pskl.us" cannotbe verified. lnstalling this prolile willchange settlngs on your lPhone.

Root Certificate

lnstalling the certif¡cate "pskl.us" willadd ít to the list ol trustedcertificates on your iPhone.

Figure 11: Certificate Installation Warning Screen

'When the user clicks "Install" on the waming screen, the new root CA is installed and trusted as

can be seen in Figure 12.

Eric Smithwww.pskl.us l3


pskl.us

OTrusted

Rece¡ved Sep l, æf 2

Contains Cert¡fbate

More fþtalls

Hißq'

Figure 12: Trusted Root CA Installation Compiete

With this conflguration in place on the iOS4x device, it is now possible to decrypt and analyzeany intercepted communications between the device and those remote servers owned or managedby Apple or its affiliates or contractors.


Profile lnstalled

l4

iOS4x Operatìng System Privacy Issues

Phase One: Analysis of an ldle Devire

In the first phase of this study, the iOS4x device being studied was powered on and immediatelyconnected to the laboratory wireless network. The device was subsequently connected to an ACpower supply such that the study could continue for a period longer than the device's batterywould otherwise permit. No further interaction with the physical device occurred after this pointof the phase one study. The device was allowed to remain undisturbed in this fashion for threedays, after which time the collected trafhc was analyzed.

Phøse One Anølysis, Part One: Initial Phone-Home Anølysís

Within seconds of the device's initial connection to the wireless network, it established a secure,encrypted connection to a remote server named "gs-loc.apple.com". Using the tools outlined inthe Methodology section, it was possible to decrypt this communication and study the contents.As can be seen in Figure 13, the device used |TPS method POSTI4 to ftansmit data to theserver at https://gs-loc.apple.com/clls/wloc.

ra http ://en.wikipedia.org/wiki lP OST -7o28VIPVo29

Eric Smithwww.pskl.us 15

iOS4x Oporating System Privacy Issues

Gartifi c.ate \fiewenþs.1lo,sqppter0ûrl . :'

Senerat I O.tuir, I

Tlú¡ certific¡te h¡¡ beer¡ yerlfled for fhe follwvlng user:

I SSt S.*.r Certificate

E¡ued To

Common f'lame (CN)

Organization (O]

Organiational Unit (0U)

Serial Number

BruedByCommon Name (CN)

Organization (O)

Organiætional Unit (OlÐ

llaEdity

ksued On

Expires On

fingerprhtrSHAI Fingerprint

MD5 Fingrrprint

gs-loc,apple.com

Apple Inc,

Ir¡temet Seruices

4C:18rEBr0A

Entrust Certification Authority - LlC

Entrust Inc,

rnnnnn¡. e ntru ¡t, n eUrp a ir i n c o rp o rate d by ref e re n c e

1û/4/2010

10/u2012

DFr6L4Cr2lr57:lAFLSBr2AE2rFl:FBrfl9:9ErÊ5:91170:50;T0;E1

C I ¡ I E ¡8 5r 9 F r 01 T 2:11 ¡ 9 B ¡ 0A 24. 6 D ¡ CA. C? r 40 ;E I E 0

The data transmitted from the iOS4x device to Apple can be seÇn in Figure 15.


Figure 14: Security Certificate for go-locapple.com

t7


- Ch.der 1.6.5 - iphont-updtting-mac-databðrê-09-03-12'

File td¡t V¡ew Pro¡), Toob \{ìndw Hclp

Su(ture I SêquÈh(Ê

É - htÞs://gsloc.¡ppl.,comE - dltl

_@3 ¡l nullrû

A ¡l htþ.//noti!2.dropboicomjû0i- r htþr,//iphone-:eruicer,apple com

= - h.y/pbcwloc

pb(wloc

- pbcwloc

pbcwloc

pbcwlo<

_ pbcalocpb cwloc

_- pbcrloc

- pbcudor

pb(wlo(pbcwloc

pbcwloc

pbcwloc

Header¡l Te* Uo l¡omj¡3gJ

00 0I 00 05 65 6e 5f 55 53 00 00 00 09 34 2e 33 eû Ûs 4.32e 33 2e 38,tô 32 00 00 00 0r 00 00 00 79 12 12 .3.0J2ùa I0 30 3ô 31 33 3ô 63 33 3ê 32 65 3a 64 62 3a oll3:c3rze:ùi34 30j.8 00 20 c0 0c 40

l--llE I

Rêoording l5!B ot2€uB

Figure 15¡ Data Transmitted to gs-loc.apple.com

Analysis of this data reveals that the iPhone being studied is transmitting the device's configuredlanguage ("en_IJS", United States English), current iOS4 version ("4.3.3.8J2"), and what appearsto be a MACr5 add¡ess ("0:13:c3:2e:db:40") to the "gs-loc.apple.com" server. A MAC address isa unique identifier assigned to an Ethernet device in order to distinguish it from any othff deviceon the network. As defined by the Ethernet specificationsl6, a MAC address must be globallyunique and may not be re-used on multiple devices.

Further investigation reveals that the MAC address being transmitted is the MAC address of thelaboratory's Cisco model I23l wireless access point to which the device is associated (Figure 18:

Ethernet MAC Address of the Cisco I23I AP (Figure 18: Ethernet MAC Address of the Cisco123t AP).

The response from Apple's servers, based on the uploaded data, can be seen in Figure 16. lt isinteresting to note that this response, which is in Google's Protocol BufferslT format, containsadditional MAC addresses. This is a partial download of Apple's crowd-sourced geolocationdatabase which is used to assist iOS4x location-aware applications in determining the device'sphysical locationrs. Apple's geolocation database maintains the mapping between the BSSID(wireless MAC address) of a wireless access point and that access point's geographic location.By submitting to Apple the BSSID of a nearby access point, an iOS4x device can determine its

r5 http ://en.wikipedia.org/wiki/lvfAC-add¡ess

'u htrp o2lBo2.3.htm:.t7 http col-buffers/tt ht,p 11/04l27{pple-Q-A-on-Location-Data.hrfü



approximate physical location by querying Apple's database. As is the case with most intemetcommunications, the pubic facing IP used by the iOS4x device is known by the remote serverand can be associated with the submitted or queried location data.


- Ch!d.r 1.6,5 - iphonr-updãtìng-ñ¡(-dðt b.rê-09-01-12

File Edit Me Proxy Toolr Wndr Help

xltallE l, htþÍ//9r-1o.,ôppl..(om

É t clh-¿

_@A ¡ nullr()

4 ¡¡ lìttp//hotify2.dropbGromr00G i htps//iphone-;eNicer.apple.com

E - hcy/pbcwioc

_ pbcwlo.

pb(wloc

pbr*locpbcsloc

, pbcrloc

, - pbc*loc

,_ pbcsloc

_ pbc*loc

_ pbswloc

pbc*loc

pbcwlot

_ pbcsloc

è5 0¡00000010 31 33 3a 63 33 3a 32 65 3Ã 64 62 3a 34 30 lZ lE l3¡c3r2e:ù:€0000002û 08 ù0 pS 90 9e Ot IO h8 æ Ad bd e3 Et ff ff ff

00000000 00 0I 00 00 00 0I 00 00 07 65 12 35 0a J0 30 3å

00000030 0I I0 2a 20 00 20 f0 0l 30 12 58 3e 60 60 a0 01 f 0 Þ'h0: 16:9c:92:000000¿t0 0b 12 36 0À f0 30 3a 31 36 3a 39 63 3À 39 32 3a 6

00000050 64 34 3a 34 3I IZ If EA 96 tr 90 9e 0f I0 el ba d4:4100000060 ad bd e3 tf ff ff ff 0l lA 2à 20 DO 2A rB Of 3i000000?0 12 58 3e 60 ôt 0I o8 0I 0I J.2 36 0ô I0 30 3è 3I )Ò' 6

33 3ô 35 66 3ô 66 61 3ô 36 64 3À 66 30 Ì2 lf 08 3:5t:far6d:f0æ da 90 9e 0f l0 e3 94 6d bd e3 tf ff tf Êf OI

(0O: I

LA 2a 20 OO 20 f9 0l 30 Ìl 58 31 60 a? 0l aB 0l06 f2 36 0a I0 30 3a 31 35 3e 66 66 3a 32 62 3a31 33 3a 65 3I 12 It 08 ê? f? 90 9c 0[ f0 bd 90

90 bd e3 ff 1Í ff fr DI 18 æ 20 00 28 16 01 30

0Þ 58 26 60 e? 02 Ê8 0I 0l 12 36 0a l0 30 3a 3Ì36 3ô 39 63 3a 39 32 3a 64 34 3ô 34 33 12 Il 08

96 d8 90 9e of ìo 9e a5 8d bd e3 ff ff tf ff 0l

( 0 x?'6 0r 15r ff:2b:

r(Xú' 6

6r 9c:92¡ d4: 43

IO lA 2h 20 00 20 fe 0l 30 14 58 25 60 ô6 0l d 0r 0 xt'Or2!t e8,bor20 011235 0s10303a3231 3a65383a62303a 5

30 30 31 3Â 32 63 I2 le 08 ec c2 ôf 9e 0f 10 cS cd êlrzc(0

50 0f 5829606a80I0b12370aII38343e64 XI F 1 A4rò62 3d32 66 3a 31 37 3À 33 36 36 38 32 12 Lf OA bt2trL1.36rezf3 d7 8f 9e 0f l0 ca Éa 9? bd e3 ff ft ff fr 0I182a200028fd01300e582860bI0Ia80I r f 0Xf'02 12 36 ûa Il 34 34 3Â 61 3? 36 63 66 3a 66 39 6 4:è?:cf:È93ô 31 65 3a 61 35 12 .le 00 fS b3 8É 9e 0f l0 f3 ¡le:es

98 bd e3 ff ff ff ff Ol lA 2a 20 OO 28 fâ Ol 30

â7 9A bd Ê3 ft ff ff fr Ol 1A 2å 20 OO 2A fd 0I

34 65 3a 37 66 3ô 5l 39 3ê 61 39 3a 34 32 12 IÍ ¿kr?É:agragrtlzIco 3009580c6035a80I06f23?oelf 32303a 0X'5 7 z0r

08 dD e2 95 9e 0f I0 fd fB ¿ Þd ê3 eE rÍ. tf fÍ01183620002ôrtf 0Ì3006582860e?01ú 6 ( 0Xl'0l 06 12 36 oa Io 30 3a 32 32 3a 37 35 3e 65 31 6 trzzrlsreL3a 62 32 3a 34 65 12 lf 0ô 8c 8c ff 9d 0f t0 dg rb2.4ecTf0bce3fftt fftÍûI 18 30200028 al02 0 (

300e5833609201ú01û112350Â10303a 0h' 5 0:31 35 3a 66 66 3â 31 39 3e 32 65 3a 62 63 12 Le l5:ff:f9:2e:bc08 (U ù fe 9d 0f I0 r€ ae f0 bc e3 Ír îi tÍ ff

lnnnn26n nl lfl 2Å 2î nß 2ñ 9Å n2 ?î ll 5fi tf 6n 52 ¡n nlHradÊõlTe Hu lRûl

nx'R

æÍB ot24YB

Figure 16: Response from gs-loc.apple.com, Page L of 2

l9


; Clrrrlo !.6.5 - þhoe4ddiñ9-m¡(-drt bö!.09-0ìIIFil¡ Edit Ms Prory Tools Windw Help

E

E Lt htþr.//gr-lo(.apph.<omEl t cll5/

GE 5 nu¡l:l]

G - hfrpj//ñoüry2.dropbotcomr80

B ¡ hnpÍ/¡phonê-reMcêr.èpple,comE - hcyl

pbcwloc

pbilloc_ pbcrloc

_ pbcwloc

__ pbcslo(pbc*locpb.wlüpbrrlocpb(wlo(

_ pbcwloc

_ pbcrlorpbc*lo(pbcwlo(

08 89 el cb 9e 0f l0 a6 9d e9 bc e3 tf ÊE ff ÍfOL LO 2a 20 00 2ô e9 0I 30 0b 58 2f 60 ?4 ae 0l06 12 36 0a L0 30 3¡ 31 31 3a 35 30 3À 35 39 3À

66 34 3a 39 35 I2 lf 08 ü ù dd 9d 0f I0 9f eÂ

b9 ùd e3 ff ft ff ff 0I IA 35 20 00 28 fc 0I 30

0â 58 3e 60 0c 0l d 01 0¡. 12 36 0ô II 35 63 3a64 61 3a 64 34 3Â 66 62 3ô 62 34 3ô 38 3? 12 1ê

08 cd c2 c3 9e 0f l0 e2 c? al8 bc e3 fÊ fE u ff0L ¡8 2a 20 00 20 eb 0I 30 0c 58 29 60 22 øß Ol0I L2 36 0a I0 34 34 3a 61 3? 3a 63 66 38 3? 3a36 62 3¿ 32 30 Ì2 ff 08 ff 18 fc 9d 0r I0 86 bsdfì bc e3 ff ff fÉ ff 0l Ì0 2e 20 00 Z8 bd 02 30

0d 50 29 60 06 03 ð0 0l 0l 12 3{ 0a 0É 30 36 31

35 3À 66 66 3a 36 3a 65 30 3a 61 66 l2 Ie 08 üc2 cd 9e 0f l0 d3 ec f5 bc e3 fÉ ff ff tE 0I l82d 20 00 28 lÂ 01 30 0d 58 24 60 23 eA 0l 06 12

35 0ê 0f 30 3e 31 32 3ô 65 3ô 31 61 3Â 61 65 3a39 3I 12 Ii 08 ea bd d3 9d 0f l0 fB 8e cZ bd e3

fl lf ef tf 0t I8 32 20 OO 2A A2 02 30 0c 58 2a60 ¿5 0l a0 0I 06 12 36 0a l0 38 3å 38 36 3À 33

62 3a 33 63 3a 63 31 3a 34 6l 12 IÊ 08 88 eZ d0

9d 0f 10 fZ cI cl bd e3 EE tt ef. f.t 0I 18 30 20

i0 28 82 02 30 0b 50 3e 60 88 02 BB 01 06 12 36

0ô l0 30 3¿ 31 63 3a 31 30 3a 31 34 3a 62 33 3è61 63 12 If 08 h4 82 ca 9d 0t l0 d7 a0 ca bd Ê3

ff ff 1Í tf 0l 16 2f 20 EE 2A A6 02 30 0b 50 3e

60 df 0I ê0 0I 06 12 3? 0ê U 33 30 3ô 34 36 3À

39 61 3a 33 63 3a 34 65 3ô 64 3t rZ rf 08 bd 89

98 9e 0f l0 d d ddbd e3 Êf fr Ít ff 0I Ì8 68

2O OO 28 eg 0J, 30 Ia 58 20 60 8e 02 ôE 01 01 l236 0ô J.0 30 3a 31 65 38 65 35 3B 66 33 3ô 3? 663a 35 66 12 lf 08 ec 99 9c 9c 0f I0 bè e0 cl bce3 ft ff ff ff 0I .10 5? 20 00 28 8e 02 30 0e 58

3e 60 €0 02 rô 0I 0l 12 36 0ê I0 30 3a 32 32 3a33 66 3a 61 30 3a 64 66 3t 66 34 12 lÊ 08 c2 d8

ü 9e 0f I0 d ù4 ù bd ei Îf n tt ff 0I I8 2e20 OO 2A 92 02 30 0e 58 28 60 ü 0l d 0ì 01

H.adêr'lTd Hd l@J

5d0

5e0

5t0

6

f4r95

( 0 x/'ç0: IIr 50¡ 59r

s l0)C' 6 5c:

dâ: d4: ö: b4:8?

6

6br20

( 0 x)'.4átúrclrlr

'(0Xl ' 4 0!.!

5: ff:6: e0: ú

I 0 xç't0:.I2: e: la: ae:5

9t00000630000006æ0000û65000000660000006?t0000068000000690000006il000006ù0

2 | OX.' 6 8:86:3b: 3c: cI: &

0( 0x8' 6

0:1c: I0:14: b3:

/ ( 0þ' 1 3ir46r9e:3c: ft:ù

h

( 0x6 0: Ie: e5: t3: ?!:58

s { 0x>' 6 0rz2r3f : a0: ff: E4

æuB d4ua

Figure 17: Response from gs-loc.apple.com,Page 2 oT 2


iOS4x Operaring S1's1sm p¡vacy Issues

i"? Ð'Æ E I ii=¡ rÊ q I EÞ.ã, Ðl É f"Ì I I E I,t¡,;l

[$ rez.rre.zs+u7 - SecureCRT EE

Fì2:AES-128 fE-e EsÈo\,'Æ, e8c-ok twtoo -f -[- ¿Figure l8: Ethernet MÄC Address of the Cisco 1231 AP

In order to verify that the data received from Apple contains information about nearby accesspoints, the publicly-accessible wireless access point location database known as WIGLET9 wasqueried against the MAC address data present in Apple's response. Seven matches were found (

¡ßC (lêst 2 þztes)'Zfrf

d,h,b2bb9æ

076e

f495

æ91

Armage

Stadard h¡iaticn

Latitt-de40.8W452r40.88700485

40-æ444'733

40-8924173a

40.æ1260040-88909p40.8%M'76

40.8915æ04

o.0DÆ6454

LGgrU-de

-:76.5T839r-7

-:76.5%2%4-:76.%989288

-76.56638391

-'76.%3L6376

-76.55799103

-76.5558427-16.%38352o.æ'797128

re http://wigle.net/



Figure 19) which corresponded to access points within the immediate vicinity of the location ofthe iOS4x device being studied.

Since the WIGLE data is sourced from individuals who record locations of wireless access pointsas measured from a moving vehicle, a technique known as "wardriving"20, it is not surprisingthat the locations reported fbr these access points are along a major roadway. Apple'sgeolocation database is comprised of data collected by mobile iOS devices and would be ofsignifrcantly greater precision. It is clear from this result that Apple, by way of this queryinechanism, is aware of the physical location of virtually every iOS4 device.

l,nc (l.ast 2 k:^ltæ) Latiü-de i,GÐ:i-tuè7f5f rc.8Ð45221" 16.5T83971c14a 40.88700485 -:76.5%?2%4

wb 40.89444733 -:t6.%9æ2æb9æ $.B92M3I -76.56638391o7æ Q.æL7I6æ -:76.%31:63'76

f495 40.8æ054æ -76.55799103ae91 Q.ffiM16 -:76.555U-L1

Alerage 40.89150804 -:76.%38352.

Stardard h¡jd.iør g.00a56aq O.æ79-n28

Figure 19: \ilIGLE Cross-Reference Data

20 http ://en.wikipedia.org/wikiAMardriving



Figure 20: WIGLE.net Locations of Access Points Found in the Äpple Data


iOS4x Operati n g isystem Privacy Issues

The physical location of the test device is marked with a red and white star in

Figure 20.



Phase One Annlysis, Pørt Two: Periodic Phone-Home Analysis

Following the initial communication with Apple, the iOS4x device remained idle for a period ofsix hours, at which time it established a new connection with a different remote server. TheiOS4x device sent an encrypted transmission to "iphone-services.apple.com". The contents ofthis message were decrypted and can be seen in Figure 21 . Similar transmissions, of somewhatvarying sizes, were subsequently sent lo the same remote server every six hours (Figure23).

Figure 21: Data Uploaded to iphone-services.apple.com

This communication illustrates how Apple's crowd-sourced V/i-Fi database is created andmaintained. The data transmitted appears to be a superset of the Wi-Fi location data downloadedfrom Apple during the initial check-in as described earlier, combined with unique wirelesslocation data coìlected by the parlicular iOS4x device. For exarnple, the MAC address of theCisco 1130 wireless access point used in the laboratory network (Figwe 22) is present among thedata submitted to Apple, as can be seen in the highlighted section in Figure 21. The physicallocation of this new access point is now known to Apple and can be used by subsequent iOS4xdevices via MAC address lookup to determine location. As in the earlier case, the public-facingIP used by the iOS4 device is known and can be associated with the submitted location data.


ú Chà.leJ ?,ó,5 - rphúne updôt¡no-môc-d¡rôbôr.-0! 0l 12

Sìructurê | Srqucncr

E l¿ httpr/gJ lo(,appte.com

Owrvìaw RaquaJt lRÊsponsr Ch.rt I NotêJ

00 0l 00 05 65 6e 5¡ 55 53 00 00 00 09 34 2e 33

2e 33 2e 3A 4B 32 00 00 00 64 00 00 Iê l2 0a -tb0â 0s 4e 38 38 41 50 12 12 69 50 6e 6É 6e 65 Z0

4E 53 34 2e 33 2e 33 2t 36 4a 32 la ¿le 0B II 3434 3a 61 31 3a 63 66 3s 32 31 3a 39 66 3s 34 35

l0 02 3Ê û0 lB â4 Ef ff tt tt tf fr ff ff OI 22

2â 09 f? 3d eô ôf d? ?2 44 40 l.l 93 cS fd 4? 26

24 53 c0 Ldb6 b6 98 4 49 32 00 40 ee 42 E4Ds41 2d ôc,19 0? 42 35 td 59 e2 42 lô,td 0ô l0 30

3€ 31 36 3a 39 63 3â 39 32 33 64 34 3a 34 3I .t0

0r 38 00 l8 bc ll Êt ff ft ff ff ff lf. 0L 22 2609 É? 3d ea aE d7 7? M tr lI 93 c5 fi 4'l 26 24

53 c0 ld ba b6 9B 42 49 32 00 fi êÊ & t4 bS 4l2d ac 49 0? 42 35 Éd 59 ê2 42 Iô 4d 0a t0 30 3ô31 33 3ô 63 33 3Â 32 65 36 64 62 3ô 34 30 .t0 0b

38 00 LB cl iÍ ff Ef ff tÉ ff Éf tf OI 22 2e 19

a7 3d ea ú 17 12 44 4 I¡. 93 cS Êd 41 26 24 53

c0 ld bâb6 98 42 49 32 00 40 ee 42 f4 bS 4I :ac 49 01 & 35 fd 59 e2,U Ia 4d 0a 10 30 3a33 3a 35 66 3a 66 61 3a 36 64 3a 66 30 lO 06

00 l8 d? ff fE ff €f ff ft ff tf 0l 22 2ã 09 t3d èû ôf d? ?2 44 40 ll 93 cS fd 4? 26 24 53 c0ld bâ b6 98 42 49 32 OD 40 ee 42 f{ bS 4l Zd €c49 01 42 35 td 59 eZ 42 la 4d 0a l0 30 3a 31 33

36 63 33 3a 32 65 3a 64 62 3a 34 30 lO 0b 38 00

18 bf tf ff fl tr tt tÊ. Ít lî OL 22 2a 09 e? 3deå af d? ?2 44 {0 ll 93 cS td 41 26 24 53 c0 ldcl df 3d æ 49 8â ?? ¿10 2d .13 É4 b5 { 2d âc 49

07 {2 35 df 8f €c 42 .Lâ 4d 0ô t0 30 3ô 3t 36 3a39 63 3ô 39 32 3d 64 34 3a 34 3l l0 0t 38 00 IAc4 e.î Êt e.f ff fC ff ff fe Ol 22, 2d 09 f? 3d eeaf d7 72 M 40 lI 93 c5 fô 41 26 24 53 c0 ld ctú 3d 42 ¿¡!, 8à 77 40 21 43 f4 b5 41 2d ac 49 07

42 35 df 8f 8c 42 Ìa fr 0a l0 30 3a31 33 3a 35

66 3a 66 6.1 38 36 64 3a 66 30 1û 06 38 00 18 d6

ff ff ff ff fÉ ff ff ff it 22 2ã 09 f? 3d êa ôfd'I '12 44 4Ð l¡. 93 cS td 4'l 26 24 53 c0 ld cl ôË

3d 42 49 Ba ?? 40 2d 43 f4 b5 4l Zd ac 49 E? 421S df flf 4.42 ìâ 4Þ ni lì 34 i4 3ã 61 3? 1â 63

Headêrt I Text H¿¡

lolElr13tile Edit Viêw prol/ Tool5 WindN Help

5 Þ clli/wloc

Iti ø null{)

El ui http://ñot¡ry2 drcpbox rom:00

É L¡ hfrpr.//¡phone-5erurcer apple com

â lZ h.y/

ffipbcrlo(

- pb(wlocpb(wlocpb.wloc

_ pbcrloc

-_l pbcwloc

p b(rlocpbfrloc

-- pb(rlorpbcwloc

pbcqlo.pb(wlo(

en IJS 4.3.3.8J2 d

l¡88ÀP iPhoÀe0s4.3.3/8J2 ¡¡ 44: a?: cf:21:9t: 45

rDE G6

çS BI2ßBÀ-t85YBU 0

i 16 i 9c! 92! d4! 4lI "1. rD8 Orç

5 BI2EB À_IE5YEI O:

13: c3 l 2e: db ¡ 40

I "i

= rDB Gêç5

I85YBn O:l3:5f: få: 6d: f0 6

= tDB 0a€5BI2CD À-

I85YBH O!I3:c3:2e:clb:4¡0 I

rD8 C¿Ês

=Bl ùe-C À- ID5 D I 0i.I6:

9c:921d4:4I I

rDB G4ç5

=EI ù8-c À- IES B X 0:13:5i: fa:6d: l0 B

tDB GéÊS

.8I u8-C À- I BS F t ¿¿!a?r.

IO20

1n

I80t90

?o

34MB oi æMB

25


l-,= ll E ii x I

Figure 22: Wireless MAC ,A.ddress of the Cisco 1130 Access Point



B ytes Transmitted to http s : //iphone- s ervices. apple. com8000

7000

6000

5000

4000

3000

2000

1000

0

9l3l2Ùl2Ù:00 9l3l2Ùl2l2:00 914120120:00 9141201212:00 915120120:00 9151201212:00 916120120:00

Figure 23: Periodic Data Upload to iphone-services.apple.com

E¡ic Smithwww.pskl.us 2',1


Phase Two: Analysis ol IOS4 Comtnunications during Device Usage

In this phase of the investigation, the communications between the iOS4x device and remoteservers was studied while simulating routine user interaction and use of the iOS4x device.

Phase Two, Pørt I: Installing Applicøtions

On an iOS4x device, software applications, commonly known as "Apps", are purchased andinstalled by launching Apple's built-in "App Store" utility.

No Servlce â 8:¡lil PM

In order to install any applications on an iOS4x device using the "App Store" utilit¡ the usermust log in with his or her "Apple ID". In order to obtain an Apple ID, the user must provide hisor her e-mail address, name, mailìng address, and date of birth to Apple (Figure 25). h order tomake purchases in the App store, a user may elect to enter payment information, such as a creditcard or a pre-paid Apple iTunes gift card number.


Figure 24: The iOS4 App Store

28

'*AàË

ù¡|*d4tuhHE4dæ*¡ftßSÉllÊrl*li@Èú&ShÞaÞ¡

ib.'ùh¡úøæb.æ tur4É¡ dÉ.

kid brr4urù*G

ir.qld ¿e: úd¡érr.EeÈ. *è!rr{ É.rc &!r ñèrt *¡! æÉ.ß rñ tú c. +..r!n .tuJ6lar b ¡! ârÀdg¡ f a! ú¿ùr r,æ: f.!

tl@ rF. æõfIG fúr k h dic.h¡tawir-

6trSB crõ¡tu4---------__l

.,**;;:Ï;r,Éúhd*.*hh

c¡n(d

Inlbrmation Requiteil to ObtåÍn an.Åpple ID

EI

iOS4x Operating Sysæm Privacy Issues

Figure 26: Logging into Apple's App Store on the iOS4x device.

The user-supplied Apple ID and password are transmitted via HTTPS to the server"p12-buy.itunes.apple.com" \ì¡here they are verified before the requested application istransferred to the iOS4x device. As in the earlier cases, the public-facing IP used by the iOS4xdevice is known and can be associated with the submitted AppleID and password.



¿ Ch¡rlerl,6,t-srrr¡on5 -ltrl¡JF¡le Ed¡t V¡ew Proly Tools Window Help

xÐ i¡¡i tvZBqy.woa/

E ¡l ÌvZFaiFinance,rca/

E ¡¡f http://ax.inititunes.apple.com

E fi httpr//metric:.apple.com

E r¡i http//a1l06.phobos.apple.comO ¡! httpr//a130i.phobor.apple.com

E I¿ https/p12-buy.ituner.apple.com

El EJ WÊbobjectr/g Þ MzF¡nðnce.woa/

EÞw¡/

Recording St rlêd Reoordlng 24llB ol 2ttBMB

Figure 27: App Store Login and Subsequent Transmission of the AppleID and Password to Apple

Plnse Two, Part II: Downloading Media

On an iOS4x device, media such as Írusic, movies, and television shows can be obtained usingthe built-in "iTunes" application (Figure 28). The iT\rnes application uses the same Apple IDand password as the App Store and uses the same back-end servers and rouúnes to process a userlogin. When auser chooses to purchase a song or video, he or she is prompted for the Apple IDand password (Figure 29). The Apple ID and password are transmitted to Apple (Figure 30).Once verified, the purchase is processed and the download to the iOS4 device can begin.



No Servlce â 12:11 Pil

lmaglne DragonÊ

Nbht VlsionsGsror

^JtemativeR€leased: Sep O¡1,20i2t4 lt€ms

iTS6Ratings xxxxr

1 Redo¡clivc

2 lpbr

3 frr¡ Îi¡rr

¡l Drmona

Figure 28: Purchasing music via the iTunes application


Figure 29: Logging into iTunes to Purchase Music

32

iOS4x Operaring System Privacy Issues

; Chales 3,6,5 -iitunrr-login*

Filt Edit View Pro4y Tools Window Help

Figure 30: iTunes Login and Subsequent Treñsmission of the ÀpplelD and Password to Apple

Phnse Two, Pørt III: Using Applications

Many of the applications avaiìable for the iOS4 device are adverlisement-driven and providedfree of charge to the end user. In-app advertisements are typically in the fonn of a smallgraphical banner displayed to the user while the application is being used (Figure 3l). Theseadvertisements are typically served to the iOS4x device from one of a small number ofadvertising networks, including but not limited to Flurry2r, TapJoy22, and Doubleclick23. Appleentered this market in January of 2010 with its acquisition of the mobile advertisement provider

Quattro Wireless2a, rebranding the advertisem nt network as "i4d."25 Note the "iAd watermarkin the lower right of Figure 3 1.

2 | http://www.flurry.com/flurry-anal1'tics.htmlt' http://www.tapj oy.co rn/¡ http://www. google.com/doubleclick/v

'* http, //ne.s. cnet. com/83 0 f - f 3 5? 9-3 - 1 0 425 465 -3'l .hantl6 http ://advertising.apple.com/


É L¿ httpi//pU-buy.¡tune5.ôpplÊ.com

JJ


Figure 31: An IOS Applicationto using the i,A,d System

Previous studies have shown2? thatmany of these advertisement networks, including Apple's iAdnetwork2s, rernotely collect the iOS4x device's unique device identifier, or UDID, whenever an

advertisement is viewed. The UDID is akin to a serial number and uniquely identifres a particulariOS4x device.

26 http://itunes.apple-com./u sl applid37 9 5 16970?mt= 8t? http ://www.pskl.us/wp/?p=47628 http://www. pskl.us/wp/?p=48J



Section 3: Conclusions

Considered individually, the numerous communication paths between an iOS4 device and AppleCorp. do not provide a direct correlation between a user's real-world identity and hìs or herpresent physical location. The geolocation queries discussed did not include any data regardingthe device or user identity; those subsequent queries which included user or device identity didnot include any geolocation data.

ff a single entity, however, has access to all of the communications considered in this report, it isa trivial matter to tie geolocation with an iOS4x user's real world identity. Ignoring the use ofsophisticated behavior profiling technologies now in widespread use, it is possible to performthis correlation by simply considering the public IP address of each of the communication paths

considered in this report.

By referencing the public IP address used by the iOS4 device when it performs its initialconnection to the server "gs-loc.apple-com", subsequent communications with Apple Corp. fromthis IP address can be tied to a physical location. This data is kept current by the iOS device'sregular check-in with Apple geolocation servers (Figure 23).

The use of the App Store or iTunes from this same IP address provides Apple with real-timephysical location inforrnation about the user, whose real-world identity is already established bydata provided when the Apple ID is initially created.

Eric Smithwww.pskl-us 35

['lnir¡rr' I)evicc.ldc'ntifìc'r'

iOS4x Operaûng System Privacy Issues

Figrrre 32: Relationships between Collected Data

It is clear from the data examined in this report that Apple routinely and automatically collectssufficient information such that they can identify the real-world identity of the registered user ofan iOS4x device, as well as the device's physical location, at an update frequency of no less thanonce every six hours. (Figure 32)

E¡ic Smithwww.pskl.us 36



Appendix

37


Appendix A: Fxtraction of Geolocation Data fromthe WIGLE Database

C W'rcL.E - Yfúdess cêogaphic toggirE f.rEiE - Serch tlå¡o.ts REh - Mdta Érlo¡ il .r¡* .

'*. ffin'rffi!¡ff.* #¡ffi.Jþä* .lüFÈ.ÊwrulÈ - wrrdÉr úÊo96PnK Lo99n9 È...

' G ¡ fl. coai. 2Hmê t llomlmd t Fñß t Po{ F¡le l fb¡g t ScHCrots l S@ l lþloâô t Wèb I'p! l ll.pPicllflrs l W¡ti l tigùt

shoûlng stetons t Ûlrouglt 1 ofllts qæfy.

J UrreU - Wirtes Ceogaphk l¡gg¡rB trigiË - SE.ó t¡cùülc R.{h - Mdlã Fúo¡ l}. _+

æ, rffi jffifltr#

t ¡ hflp:i/wi9lènd.'qprrgp:inr3n,.cn{¡rnrluÉri,;. c .l- co¡i. P

Shoulno stalions 1 through I dlhiB query


iOS4x Operatin! Syslsm Privacy Issues

Search Resulls:

(Ð- " E'

showlng statons 1 trforjgh 1 ofllts quefy.


Ele Edit {Ð HiÉot 0@trE.¡f Iæb Hdp

I

C C hftpsr,MglènÊt'gp!gpj:nì¡rtrcênl:rnìquÉrÍ' c I ål- c*st P I E¡- 9-

3e¡rch Results:

@-" a

Shoring statons I lhrough I of lhß qæry.

39



Eh Edil ![v tr$ory Ê@bErl6 I@b Udp

I

C + ¡ http3,'f,,igle.nÊt¡gp:'9F!rrì¡rniccnfrmquÉ¡,1 P ì EI- C-Hme lllomlo.d tForum tPosr FflelOrs! | SsH¡sìolsl Strlrtü¡loûds lweb l.pslllöpPaù¡ttê¡Wtt¡ tlogdt

têârEh Results:

19- * E'

Shouing sl,atims 1 throrlgJr I of üÈs fl€ry

IYGU Hme

Eh Edil 5e Hir¡ory BoobD.b I@b ddÞ

C I C hfrp: wigle¡€,qÞ: qp: rn:in':cn[rnìquÉn,/ C .ll. cøcre P i El- e-Hme I O,omloid I Fmß I Pod Fìle tOlEtt Sm$ors I Stab I U0lmð lWeb llpsl l¡aoPachflfeéllMtí lLogout

3êarch Rêsults:

@-' a

Shoting stetlons I lhrqrgtt 1 oltfts query.

IYGLI llofr

40


3€afch Resr¡lts:

19. * a'

Shiling slations I trrorJgñ f of ft¡s qu€ry

lficLf 8mê

Sêa?ch Rêsultl:

@-' a'

shoülng slâtofìs I ûtfougn I oflhts quefy.

lf6lf lmê


iOS4x Operating Sl,stem Privacy Issues

E¡ic Smithwww.pskl.us 42

Eric J. Smith48 Mutchler RoadDanville, PA 17821

(s7o) [email protected]

I n d u stry Ce rtifi cati o n s :

. Cisco Ceftified Network Professional (CCNP)

. RedHat Linux Certified Engineer (RHCE)

. Microsoft Certified Systems Engineer (MCSE)

. Ceftified Novell Engineer (CNE)

Employment History:

Assistant DirectorInformation Security and NetworkingBucknell UniversityLewisburg, PA

December 2OO3 to Presentwww.bucknell.edu

redhat.CERTIFIEDENGINEER

Identified, developed, designed, and implemented creative solutions to the computer, communicationstechnology, and information security needs of the University community. Managed our team of networkengineers and student employees.

Oversaw Bucknell University's network infrastructure:

o Responsible for the design, installation, maintenance, and growth of the University's global datanetwork, which consists of over 1,500 managed network devices connected by 500 strand miles ofoptical fiber. Managed technicians, work groups, and project teams.

. Designed and installed a fully-redundant network architecture, including active-active router pairs,firewall clusters, and multiple independent upstream provider links.

. Managed the implementation of a $416,000 Department of Education grant for the expansion ofmobile services at the University. As a result of this grant, and continued support by the University,99o/o of the University campus -- indoors and out -- is covered by a robust, fault-tolerant802. 1 labgn wireless network.

. Developed, tested, deployed and assessed technologies to provide secure, seamless remote accessto campus resources, including voice, video, and data. Because of the seamless connectivity, theUniversity has been able to support and actively recruit for telecommuter positions in several keydepaftments.

. Developed software and hardware to automatically detect and disable rogue wireless access pointsconnected to the campus network.

. Served as project manager to design, develop, and deploy an IP Multicast solution for a 60+channel subscription-based cable television system for the campus.http : //www, bucknell.edu/x961 1.xm I

Managed the University's information security program:

. Designed, configured, and installed intrusion detection and prevention systems.

. Served as Bucknell University's senior information technology security specialist. Providedleadership for the University's IT Security Group. Prioritized security-related projects.

. Developed policies, standards, and best practices for the University regarding all aspects ofinformation securíty. Made recommendations to senior University administrators on matters relatedto information security.

. Served as technical lead for all information security issues on campus. Performed vulnerability andpenetration testing, security analysis, and remediation.

I

. Oversaw regulatory compliance (PCI) for credit card systems and transactions. Served as projectlead and worked with external auditors,

. Authored software to automate management of virus-infected client machines (Quarantine) andInternet bandwidth abusers (RBZ). http://www.bucknell.edu/x9973.xm| Also featured in aSecurityFocus afticle: http://www.theregister.co.uk/2OO4/O9/L6/academia_battles/

. Worked with the FBI, incidents.org, and representatives from other universities in the constantbattle against botnets.

. Performed security analysis -- physical and logical -- for the proposed infrastructure components ofthe University's One-Card implementation.

. Managed handling of copyright issues stemming from illegal downloading of music and movies.Coordinated with University Counsel's offìce in response to cease and desist letters fromRIAA/MPAA.

Paft nerships and collaborations :

. Member of the Penn-REN Technical Advisory Committee (PTAC), which serves the KINBER board.PTAC is focused on configuration, deployment, and usability issues of the statewide high-speedresearch network.

. Served on several university committees including the Information Services & Resources SteeringGroup.

. Supervised the work of other staff members as it related to supporting the network infrastructureand information security projects.

. Led several organization-wide discussions and presentations on issues related to security.

. Provided training and mentoring for network technicians, system administrators, and security groupmembers.

. Aggressively negotiated with information technology vendors including Cisco, Noftel, AT&T, NEC,Liebert, and APC to maximize the effectiveness of University budgets.

. Worked with the local community. Member of the SEDA Council of Governments BroadbandAdvisory Group, tasked with the goal of researching and providing world-class broadband solutionsto the members of our rural community. http://www.seda=cog.org

Network and Systems Engineer August 1998 to December 2OO3Carole Hochman Designs, Inc. www.carolehochman.comNew York, NY

Responsible for the operation and maintenance of all information systems for a Madison Avenue fashiondesigner. Supported domestic offices and overseas factories in Turkey, Egypt, Hong Kong and China.Managed technicians and project teams.

. Responsible for network security policies, anti-virus systems and firewall configurations.

. Designed and installed a Windows Active Directory system in multiple states to facilitatecommunications between offices and between users of different desktop platforms.

. Responsible for telecommunications and wireless systems throughout global offices. Maintained andexpanded the enterprise-wide telephone and voicemail systems. Installed, configured andmaintained leased-line, VPN, dial-up and extranet connectivity between all offices throughout theglobal enterprise. Developed and deployed a mobile infrastructure with 100o/o access to corporatenetwork resources.

. Designed and installed an 802.11b system which enabled warehouse staff to employ wearableEthernet terminals. This system permits real-time, wireless barcode scanning of data directly to theERP system.

. Provided network support and interoperability between AS/4OO, W2K, and Unix. Developedmechanisms for the publishing of AS/400 data to Unix and W2K file and web servers.

. Managed departmental budgeting and purchasing.

. Coded HTML, CGI and ASP for Internet and Intranet websites.o Provided usersupport and training; developed training materials and programs. Created procedures

manual and methods for systems and operations documentation.

2

Network Engineer August 1997 to August 1998Computer Service Partners www.cspinc.comRaleigh, NC

Provided on-site network support at Fortune 500 companies throughout Research Triangle Park.

. Responsible for installation and maintenance of local and wide area networks.

. Provided desktop support and installation of hardware and software.

. Evaluated customer networks and provided solutions for network optimization, security, faulttolerance, and disaster recovery.

Assistant Network Administrator January 1994 to August 1996Bloomsburg University www.bloomu.eduBloomsburg, PA

. Supported the universityt academic computing network, consisting of faculty offices, classrooms,and student computer labs.

. Supervised the installation of network applications to LAN Manager and Windows NT Servers.

. Evaluated and documented software for classroom use and assisted faculty with the incorporation ofInternet technologies into their curriculum.

Education:

. Bloomsburg University. Bloomsburg, PA. B.S. in Chemistry; minor in Computer Science. Graduatedwith Honors in August 1996. GPA 3.91 overall; 4.O in Chemistry and Computer Science.

. North Carolina State University. Raleigh, NC. Completed 15 hours of graduate work in Chemistry.GPA 4.0.

Information Security and Networking-Related Presentations and Research:

. "Customized Threat Analysis and Reporting". Webinar, Scheduled for October 17,2OLz

. "Integration of Disparate User ldentification Sources into your IDS/IPS." Palo Alto Users' GroupMeeting, Malvern, PA. Scheduled for December tL,2Ot2.

. "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone UniqueDevice ldentifiers (UDIDs)". October 2010. This paper describes the use and abuse of the iOSUnique Device ID (UDID), which was shown to be actively used by adveftisers and applicationdevelopers to track the application use of individual users. As a response to this and other similarresearch projects, Apple announced the depreciation of the UDID with their release of iOS5. I wasinterviewed by a number of news organizations, including Ars Technica, MacWorld, Engadget,Slashdot, The Register, and others. http://arstechnica.com/apple/20L0l10/iphone-user-privacy-at- risk-from-a pps-that-transmit-persona I -i nfo/

. "Rogue Season: Successful Hunting Strategies for the Network Administrator". Nercomp, 2008,Providence, RI. Rogue access points (APs), those installed by unauthorized users, are a security,usability, and liability concern for all university network administrators. In this talk, we will presentseveral time-saving methods of rogue AP detection that do not require expensive commercialapplications or unwieldy directional antennae. Slides athttp: //net.educause.ed u/ir/library / pdflNCP08095. pdf

. "Introduction to Streaming Video." Mid-Atlantic Digital Library Conference, 2008.

. "Hardware and Honeybees." Presented at the Central Pennsylvania Open Source Conference(CPOSC), 2009. Discussed how internet-connected technologies, including cameras and sensors,can be used by Pennsylvania's small farmers to increase the health and yields of their operations.

. "Streaming Multimedia for Digital Libraries and IRs such as DSpace: An Introduction". NITLE, 2008.This presentation addressed the benefits of using streaming servers, examined case studies, andprovided an overview of the technologies and processes involved in handling large multimedia filesvia streaming servers.

3

. "Medical ldentity Theft." Presentation at the DefCon security conference. This research focused oncommon security issues at medical facilities and the feasibility of large-scale attacks aimed atgathering patient data for the purposes of committing identity theft and insurance fraud. August2008. http://www.defcon.org/images/defcon-76/dc16-presentations/defcon-16-smith-dardan.pdf

. "Botnets at Bucknell." Presentation for Information Services & Resources Staff, Bucknell University,Lewisburg, PA. Presentation provided an overview of botnets, how the Bucknell community hasbeen affected by them in the recent past, and the security measures taken to protect Bucknell andthe internet at large. The audience included technical staff members, non-technical staff, andlibrary/technolqgy administrators. May 3, 2OO7.

. "The $60 VPN Tunnel." Fresentation to the Bucknell University community regarding the methodscurrently in production for creation of IPSec-based L,AN-to-LAN tunnels for remote offices andtelecommuters. April 2OO7.

. "VoIP, Vonage, and Why I Hate Asterisk." Shmoocon 2007, Washington, DC. This presentationexamined the potential business and home uses of Asterisk, an open source telephony platform.Also addressed were security issues inherent to most VoIP deployments.http ://www.shmoocon.orglspeakers. html.

. "Wireless LAN Security." Presentationfor 2OO7Information Security Week, Bucknell University,Lewisburg, PA. March 2OO7.

. "Countering Attacks at Layer Two." Shmoocon 2006, Washington, DC. Focused on often-ignoredsecurity issues that affect large campus networks. Video and slides from the presentation areavailabl e at http : //www. sh mooc on.org/ 2006/presentations. htm l.

. Cisco Security Research: Discovered a security flaw in the Cisco Aironet IOS software. Avulnerability exists in Cisco Aironet Wireless Access Points (AP) running IOS which may allow amalicious user to send a crafted attack via IP address Resolution Protocol (ARP) to the Access pointwhich will cause the device to stop passing traffic and/or drop user connections. Repeatedexploitation of thís vulnerability will create a sustained DoS (denial of service). See Document ID:687 t5/ Advisory ID: cisco-sa-20060112-wireless for more details.http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless,shtml.2006.

. "Bucknell's Resnet Quarantine." Presentation to the University community to discuss the automatedsystems which are in place to deal with worm, virus, and botnet-infected machines on theUniversity network. January 2005.

Awards:

DefCon 12 (2004), DefCon 13 (2005), and Defcon L4 (2O06):

Winner of the Wardriving Contest at the nation's largest computer security conference. The WardrivingContest pits teams from around the world against each other to determine who can best solve a givennetwork security problem. The winner of this contest is awarded the prestigious "Black Badge", whichallows the holder free admittance for life to all future DefCon conferences. http://www.defcon.org.

Other Skills:

Chemist. Experience in organic and inorganic synthesis, safe laboratory practices, computationalmethods (Gaussian, GAMESS, HyperChem, MOPAC, and Spartan), powder X-ray diffraction,fluorometry, AA, FTIR, GC, GC-MS, UV/VIS HPLC, and NMR,Eastern Apiculture Society Certified Master Beekeeper (University of Vermont,2OL2).Electrician. Experience in commercial and residential service (1990-1994).

Professiona I References:

¡ Available on request.

a

a

eric smith report - amanda ladas vs. apple case

Documents