This is the 1s Affidavit of

Eric Smith in this case and

was made on

Oclober,20't2,

the 5ft

day of

Action No. 5112969 Vancouver Registry

IN SUPREME COURT OF BRITISH COLUMBIA
Between:

Amanda Elizabeth Ladas Plaintiff And:

Apple lnc.
ndant

.Brought under the Class Proceedings AcI,RSBC '1996, c.

AFFIDAVIT

50"

l, Eric Smith, lnformation Security, Networking and Systems Administration

Professional, clo Suite 302-1224 Hamilton Street, in the City of Vancouver, Province of British Columbia, MAKE OATH AND SAY THAT:

1.

Attached hereto and marked as Exhibit "4" to this my affidavit is a true copy of

my expert report herein dated September 2012.

SWORN BEFORE ME at the City of

jnnt

/,o7uk , this
October, 2012.

P4,in

tne Courr' o Sntday of

GenLiV9ST2laff#1 of Eric Smith

iOS4x Operating System Privacy Issues

Section L : Introduction
This report was prepared by Eric Smith of Danville, Pennsylvania. My areas of expertise include: information network design, information security, and analysis of electronic data transmissions. A curriculum vitae outlining my education, certification, and experience is included as an appendix to this report.

Instructions Provi.ded nd Nature of Opinion Sought

I was asked to prepare
a report describing the methods by which the physical location of an iOS4x device could be shared with outside parties including the Apple Corporation as it relates to the report prepared by Francis Graf in connection with the Plaintiff's claims made in the

Action.

Opinion
My opinion and findings are detailed in Section 3: Conclusions. Reasons

for Opinion

The reasons for my opinion are based on the findings outlined in this report.

Assumptions
This report assumes an unmodified Apple smart device (e.g.,iPhone) running the iOS4x operating system is used in a routine fashion by its owner.

Methodology
Complete details as to the methodology of investigations performed in this report are included in
Section 2: Methodology.

Advice nd C ertifiction I certify that I am aware of my duty to assist

the court and not be an advocate for any party, that have made this report in conformity with that duty, and that I will, if called on to give oral or

written testimony, give that testimony in conformity with that duty.

am responsible

for the contents of this report.

Exhibit "A"

Respectfully submitted,
Thrs rs Ixhrbt arrrrjavrt

<slgnature>

"

reierred to ,n lhe

Eric Smith

Ladgs. -Vlanle,Lnc, sworn bero,e .,- r, +L//i.w.*n.Sunut u

or
20

l.a.

Eric Smith
www.pskl.us
Karn C. Drumheller, Notary hrblic Cooper Twp, Mqrtor Cornty connission expircs Ianuv lL2016

iOS4x Operating System Privacy Issues: An Analysis of Data Transmitted from an Apple Device to the Apple Corporation

Re: Ladas v. Apple fnc.

Supreme Court of BC Action No. 5112969, Vancouver Registry

Prepared By Eric Smith

September 2012

iOS4x Operating System Privacy Issues

Contents
List of Figures ...............
Section 1: Instructions Provided and Nature of Opinion
Reasons for

Introduction...............

......... 15 Analysis.. Analysis............... ..........23 Usage........ ........26 .....26 Two, Part I: Installing Applications ................ Two, Part II: Downloading Media................. .......29 ........ 31 Two, Part Itr: Using Applications................ ......33 Section 3: Conclusions............. Appendix... .................. 35 Appendix A: Extraction of Geolocation Data from the WIGLE Database .........-... 36
Phase Phase Phase Phase Phase Phase

Opinion Opinion 4ssumptions................. Methodology................ Advice and Certification........... Section 2: Methodology........... Phase One: Analysis of an Idle Device

Sought.......

................... 3 ......................... 4

....................4 .....................4 ....................4

................4 ................4 ......................4 .............'..............5

........ 15

One Analysis, Part One: Initial Phone-Home One Analysis, Part Two: Periodic Phone-Home Two: Analysis of IOS4 Communications during Device

Eric Smith www.pskl.us

iOS4x Operating System Privacy Issues

List of Figures
Figure 1: The iOS4x Device Studied...... ............ 5 Figure 2: T\e Laboratory Data Network ............... ............... 6 Figure 3: iOS4x Network Configuration Page...... ................ 7 Figure 4: Proxy Server Configuration............... .................... 8 Figure 5: PD( 515 Firewall Configuration............. ............... 8 Figure 6: Generation of a RSA Keypair ................ ............... 9 Figure 7: Creation of a Certificate Signing Request...... ...... 10 Figure 8: Creating the Signed Certificate ........ I I Figure 9: Combining the Keys and Certificate ................... 11 Figure 10: The Initial "Install Profile" Screen ....................12 Figure 11: Certificate Installation Warning Screen ............ 13 Figure 12: Trusted Root CA Installation Complete... .........14 Figure 13: Connection to gs-loc.apple.com........... ............. 16 Figure 14: Security Certificate for gs-loc.apple.com.. ........17 Figure 15: Data Transmitted to gsJoc.apple.com...... ,........ 18 Figure 16: Response from gsJoc,apple.com, Page I of 2 ......... ............ 19 Figure 17: Response from gs-loc.apple.com, Page 2 of 2 .....................20 Figure 18: Ethernet MAC Address of the Cisco l23l AP..... ................21 Figure 19: WIGLE Cross-Reference Data... .......................22 Figure 20: WIGLE.net Locations of Access Points Found in the Apple Data .........22 Figure 2l: Data Uploaded to iphone-services.apple.com.......... ............23 Figure 22: Wtreless MAC Address of the Cisco 1130 Access Point.......... ..............24 Figure 23: Periodic Data Upload to iphone-services.apple.com.............. .................25 Figure 24: T\e iOS4 App Store.......... .............26 Figure 25: Information Required to Obtain an Apple ID ............. .........27 Figure 26: Logglng into Apple's App Store on the iOS4x device. ........28 Figure 27: App Store Login and Subsequent Transmission of the AppleID and Password to 4pp1e......... ..................29 Figure 28: Purchasing music via the iTunes application ....................... 30 Figure 29: Loggng into iTunes to Purchase Music...... ...... 30 Figure 30: iTunes Login and Subsequent Transmission of the AppleID and Password to Apple3l Figure 31: An IOS Application using the iAd System ........32 Figure 32: Relationships between Collected Data.......... .......................34

Eric Smith
www.pskl.us

iOS4x Operating System Privacy Issues

Secton 2: Methodology
For the investigations outlined in this report, an Apple iPhone 3GS running iOS version 4.3.3 (Figure 1) was used. For the purposes of this study, a device with an inactive cellular connection was employed so we could insure that all data transiting the device would pass through the builr in 802.11 WiFit connection and not a cellular telephone network.
No sn

lce

1l:37

AM

Songs Videos

167
21

Photos

289
89

Applications
Capacity Available Version Carrier
Model

14,3 GB 10.0 GB

4.3.3 (8J2) AT&T 10.0

MC135LL

Figure 1: The iOS4x Device Studied

Note the "No Service" icon which indicates the absence of a cellular data connection. To determine the extent to which location data was being automatically shared with Apple, a wireless network was created in a laboratory setting so that any data transmitted via the device's builrin WiFi radio could be collected and analyzed (Figure 2). The networking hardware used in for this investigation consisted of a Cisco wireless access point model 1130 and a Cisco wireless access point model1231, both connected through a Cisco 3550 24-port Ethemet switch to a Cisco PD( 515 firewall. The PD( 515 was configured so it provided network address translated (NAT)z intemet access to any devices which connected to the Cisco wireless access point. Several Intel-PC based workstations were also connected to the Cisco 3550 Ethernet switch so traffic ffansmitted through the wireless network could be analyzed.

t
2

http://en.wikiped.ia.org/wiki/Wi-Fi http ://en.wikiped.ia. org/wiki/Network-address-translation

Eric Smith www.pskl.us

iOS4x Operating System Privacy Issues

Ethernet Switch (3550)

PIX 515 Firewall

z-_4r-

Intemet

/\

- \

1___/

t--/

) )

Intel-PC Solkstation

wiFi AP
(123

#1

l)

-.trEO E-EI : !c " 3?to Wireless Connection

WiFi AP +2 (l l 30)
Figure

IOS4x Device

Wiled Connection

2:

The Laboratory Data Network

By design, switched Ethernet networks do not permit the inspection of traffic by a monitoring station. In order to bypass this limitation, proxy software was installed on the Intel-PC computer systems. The proxy software used in this investigation includes the Charles Debugging Proxy3, MITM Proxya, and Ettercap5. The Intel-PC computer systems ran the Microsoft Windows 7
and Backtrack Linux6 operating systems.

In order to direct network traffic from the iOS4x device through the appropriate proxy server, the iOS4x device was connected to the lab's wireless network. A static IP address and subnet mask were configured as shown in Figure 3.

3 a 5 6

http ://www.charlesproxy.com./

http://mitmproxy.org/
http://ettercap.sourceforge.net/
http

://www.backtrackJinux.orgl

Eric Smith
www.pskl.us

iOS4x Operating System Privacy Issues

Forgel
tP Adtlress DHCP

fh l,letwork

lP Address Subnet Mask Router

DNS

192.168.254.111

255.255.255.0

8.8.8.8

Search Domains

Figure 3: iOS4x Network Configuration Page

. l{TT raYv

In order to route traffic through the proxy server(s) for analysis, the iOS4x device was confrgured to use a proxy server as shown in Figure 4.

Eric Smith www.pskl.us

iOS4x Operating System Privacy Issues

No Sen

lce

9:26 PM

Router
DNS 8.8.8.8

Searcir Domains
HTTP Proxy

off
Server Port

Manual

Auto

192.168.254.1 8888
OFF

Authentcaton
Figure

4: Proxy

Server Configuration

The Cisco PD( model 515 f,rrewall was configured to drop any network traffic from the iOS4x device, other than Domain Name Server lookups. This prevented any trafhc from leaving the laboratory network in any fashion other than through the configured proxy server. The relevant configuration of the PD( 515 firewall is shown in Figure 5.
EILb FRll
PDO15 - s$irtcRf File Edt Vry options lranfer Script Toole ttfndou

E@
Help

J :S

q, E g * q s s

E.

11

12 Ro. 98

Cols

VT1@

Figure

5: PD(

515 Firewall Configuration

This configuration allows for the interception and analysis of unencrypted traffic. Much of the communications between an iOS4x device and Apple's servers is encrypted in order to protect it from eavesdropping and modification while in transit across the global internet. In order to analyze those communications which are encrypted using the industry-standard Transport Layer

Eric Smith
www.pskl.us

iOS4x Operating S1'stem Privacy Issues

Security? suite of protocols, it is necessary to obtain a root certicate8 (root CA) which is trusted by the device to be studied. With such a certificate in hand, it is possible to bypass this encryption 1fl samine the plain-text content of such messages. The process for creation and importation of a root CA is as follows. The OpenSSL suite of toolse was used to create a 1,024-bitRSA publicrivate key pairr0 as seen in Figure 6. A certifrcate signing request (CSR)tt was then created from this newly-generated RSA keypair. A self-signed security certificate was then generated in PEMr2 format based on the generated keys and the data provided during the creation of the CSR. The certificate and RSA keypair are subsequently rnerged into a single file in PKCS 1 213 fonnat for use by the proxy tools.

IejsmiLlrec2 23 2l-40 247 *]$,rrerr>sL Berrsd -ouL ios4.keU 1024 GeneraLing Ri ;rivate keLr. 1024 biL lc,rrg mc'rltiltrs

"'t='OSS:; Ie jsmrthGec2-23 2L 40 247 -]'$ cat

BILIII IS
PRlVA
f

((r:10001)

ios4.l..eg

KTY

lfJ+gVlljl2rlcUqo3RPIclu0n0rHBnDhzB/6aif42l'lial-i3Z6mVffLrxa.rlG./*dpU S,r'/c lPb4FeQZtv I Y42HJb4ODorf qm4BSl;' r /,l XmvQG -98 ,1Fl,l/Q LP,/o+uL i oKel tglNp00L0llej[iCbtxoCuYrllYaStguPeXlI:JcY.:,gsFszkCQQIIPNcmPJt(rIxl'172
trJg09vQlrrt'l[<lx c5DsHk zeheZYNl SF lHfnRx 5R S5 /e 7E C HYF QSro3TpNV5 x XB 7 m SL /udqqt'lG 1kA l'1DBr l0mTur4m9Ac / /4lJt Dl H3 r og<r ZHF i I K1;lrL lrnam /F x m T0f lo qqtnSns :10{E go9XlVSeSZ+iVVFAF Ts3QJBAl4SC3B.jeRXBnE IXp2/aeltdDbh5

I'lTTflXTBflHBgttt ifrc2FlrpgsTsUQ+nr/S.[)x3FiepzmkVS'1FTt0l'lll4r8my:iTHAt4 qImsXupZJDgclB0Gv04BedRILNXLVN6CHVEIY+prET0G0+rrSl'lHKG3Frl5f,:xmI dB1n6 tl'15Q50 Xc llf LsZrll/5U1b 0.rf k 5BJI z3B Zd I vSL t q V.jclCnlL I m6Qi,rI DrQB

4els08l'16>tLrS/rIrlLgpHter9rdgi3t:<,1auSQlc4X5a+onullvllif3l'lhBllQGhl /. jF 7 s r r dc ltlX4 rBI g ml'1|1 tJN ZBL xm qGt. ll'l jNLlll',.itlNF- xL1gcr Z I z tl Z N lg t [l QtrSlrFllgYD+7ot]pm.FCQBP9Qek.r,loF'T.lFQl'l09lPT0xl:i201uFNl0utQv0l0.1
mU

k k k.1

aD

a t F 8 0 z F

u P Cp

Xtr6R 3 P n KEY

/0, 2 I

tl h - l>

<l

IejsmiLlr@ec2-23 27 40 ?47 -]$

-END RS PRIVTE

u l, 9 v k 4 =

Figure

6:

Generation of a RSA Keypair

http://en.wiki pedia.org/wikiransport-[-ayer-Security http://en. wikiped-ia.org/wiki/Root-certifi cate e http://www. openssl.org/ t0 http://en.wikipedia. org/wiki/Public-key-cryptogr-aphy II http://en.wkipedia. org/wiki/Certificate-sigrrhg-request t ' http://en.wikipedia.org/wiki lX.509
8
|

http ://en. wikipedia. org/wikiiPKcS

Eric Smith www.pskl.us

iOS4x Operating

S1's1sm

privacy Issues

YoL

ittto gour certificate re(luest. I'lhat gotr are aboul t rrter rs uhal i; crllerl a Distrngrrishetl There are (lule {eu frr.rlr bu'l yo,r,-an oave sLrme bank
some {ie.ls there ur.l [>c a delarlt valLcIf gotr elter - . -, the lielrl rill he l':f I l:.rtk.

IejsmiLlr@ec2-2.1 21 40 24 are alout lo be asl erl

"lS operr>:L r e. -red ket ios4.ket1 -otr[ o4,trr to erter irlormtion that u.i-I he incorporaled
Name

or a

Dll

For

Courrtrg Name (2 letter cocle) LXXI:C SLaLe or Province Name (full namei []:BC Localii-g Nlmc (cg. citg) [Dclult C t r.:Varrcorrvcr 0rgatrization Nane (c-g, comrarrg.r IDel.rulL tomrang f l ]:pskl ,rrs
Name (cg. se<;t. lon) []: Commoll Nanre (eg. rlLLr- rrafi or- (l(,uf ser ver': Email A,ltlr ess [ ] :

0rganizatioral Llnit

Itostnanre)

[]:

Please errter t-le fol otrirrg 'exi-ra' .rlLrib,Les to be sent L,rrth gour certifrcate rerlresL A rhal I errge rassuorrl [
:

rr

Ie,jsmithf4ec2 2:3-2I-4-i:47 "]$ cat r,r:;4. csr

ortional

comra11U rrme

II:

zCBti0ILAUtsAlt1suCQYLlV0tlLrJDtltl l'lfktAlULCirCQkl'lxL jQLlgNVBAcIl VZhlmNvdXZlc E 0llA4 G1LlE[guHc HNr l;C 51c u C Brr zANB gk clhkiGSuOBAQt FrCtB jQAugYkCgYEAon66Nhl,l6Y0Ll9Sl.PplLln0:0d0X,c5:FUtRCL jFuAZ/JsUiADH.i.l rF BKI'ISQ4HcgUB rt+ PHr'LIXU zVr1T c ghl ZR C GP, ,;lr F 9B LPc6 * V lruht xTuRXflQJpXGc tZ +rTU0dF3F ng 7Ga 1v+ VNI'14 zmhZ0 QSSH9 ul,lXSL 0i 7, I Y 3Qr S95ZtrkllCfluE lflal lr H0tCSqSIl;3DQt0Llf l4 CiBJnLeA.l bur Yu,iR / XI.{0 LNPt3uRUc^2T,iPP o0 cu f !t
C

I'tllB{

-__-

BEGIN CERT]FIIfITE RQUEST-- .

ig0sCYece0Pf-,mlbl(rttDTl'l0rc9DerC0lJs.ll;5Dliz5rJI:ll(Oe'JLl,lhNN'5l,lpYYCr
vUZ3nXXR*f 00UGm.gL S!r.V\'0RoQ016.'
1

jlll

EVUE

jmHul'lSFl,leSE0rlTmVluoe+sA7

__- __END CERTIFICTE RIOIIEST

i05

le.smith@ec2 23 21 4A

24 -ls
Figure 7: Creation of a Certilicate Signing Request

Eric Smith

ltww.pskl.us

10

iOS4x Operatng S1'stem Privacy Issues

L-19

q z s 1

IejsmithGcc2-23-?l-40-247 -J$ o>crrssl x509 -clags 3650 -:ignkcg ios.l,kcg -in ios4.csr -rccl out ir-'s4.crt
Sigrratrrr-e ok
:ub
Gel

jcct /C-L A /ST-BC /L-V.rnco rvcr /0-rsk.l

-BEGINl]ERT_tltC]t----u 7

rrc
L

I i rrg Pri val e ket Iejsm-iLlr@ee2-23-21-40-247 -]$

mor

e ios4.cr
GSU 0

llT TB9 zC Cfil,llC 0QDF

8T
r'\

r 1 g0,r

c a zn

NBgk(thk i

BflQtJFttBflQ

s uCQYDVQQGF

uJtl

tLl'lAk A1Ut Aut Qk 'lxt A QBgN V Acill VZ lrlm NvclXZI c j tQll A4 GAIUt I gullc llNr bU51c zel- r0x14 jA5ilLJYxNIJlllN I Jal- u0gl4 ASl'llJQxNDlllN t Jal'lEAxC zJBgNVBAY I
k NB14Qs uCQYII\QQT

UlJCQ

z F S 14BfiG 1

tJFBuu.lVm

rY291dm Vgl RfuDgYD VQOHDfidu

FlAott:qSIbli0Qt BfQUr4 r:iNAD t iQKB gQCi I r o 2t bpg 5T 3sQ r nV SctxB3RepzmkVSlLIt0lll,l4Br'SmxSlAllqlnsXuplJUgtlytQGvU4SedRfLNXLVNtC HV FIY+pUFTtrG0*rr5l.lHKG3F05FcxAn rlB{1nGt I'l5Q50Xcl,l1l s/rll.z5tll b0nFl.5
c 2 t sL n V zl'lIG f

JI z3BZdIvSL t rV.rlC rilLl mGQUIDAQBl'lfi0GCSttSIh3DQtB0UAA4GBACf ql 1Ik0 qbCUCm IrvPQrrgegvtlJL/9QIlBoRKkf rrJi+9 Ihf iel,l/Sn/XxNRpctr*UbldKiQXmrVG 0RBF j z lRgtCXkNE zFP0afN2ll>Y3vb/X20tl8cX2dL1mtDPl liYBk 4JHrLrtoBs03J0
B

It q

Icjsmith@cc2 23-21-40-247 -].$

1Zk TaELeSX -----t Nil ct Rt il tltt-----

Zl65SkVYt

pl'l 7tlp

x zh95mNNk

s:h2: AS-128 10,

l1

25 Ro$,s,102

C"l, f]l{_

Figure

8l

Creating the Signed Certihcate

J l
Verilging
Ie

? ejsmitlrOec2-23-2I-40-241'-J$ o>etrssl pkcs12 -export -out ios4.>lx -inkeg ios4.l,.eg -itr ios4.crt nler Fxport Passuorrl:
jsmi-th0ec2-23-21-40-24/ -]$

s*&9

frrter

Ex>ort Passuorcl:

-l$ more ios4.ilx 0 0 + rH+ iift R 6 @ Hi+iyto c { -t LLKC^L Y.l ix ". ^?'licL oio.Jc t0cI.1i z1,/- >i 0 $ L$',> ir=N ;i/:il c I0-'>c+o"v^ 1U5S7' ; *:# ijPi * H= 0 0 p('r. "RS-P i 6fi<- -c 6NAC B C.F f ;T 0 r H'L l0 c0
le,jsmitlr@ee2 23-?1-40-?4/

Eir

Ie.jsmith@ec2-23-21-40-?47'']$ ls -l ios4.rl-x -ru r u-r'-- 1 ejsmiLh ejsmiLlr 1525 5ep b 10:3/ ios4.r1x IcjsmithGec2 23-21-40-24/ -]$ [e,ismitlr@e,:2 23 21 40 247 ^]1' I

Ic jsm-ith@cc2-23-21-40-247

]$

!sl2 AE5-I28 1.7. ll

25 R110.?

Col.

'/T1m

Figure

9: Combining the Keys and Certificate

In order for the device to accepl and use those certificates signed by this newly-created root C,{, the certificate must be manually irnported into the device to be studed and configured as a valid
Eric Smith www.pskl.us

1l

iOS4x Operating System Privacy Issues

root CA. On an iOS4x device, this is accomplished by viewing the "ios4.crt" file (Figure 8) in the Safari web browser on the device. \Vhen the Satari web browser encounters a security certificate in PEM format, the "Install Profile" screen appears as shown in Figure 10.

lnstaf

Recelvd Sep 1,2012

Figure 10: The Initial "fnstall Ptollle" Screen

'When

the user clicks "Install", the warning screen as shown in Figure 11 is presented to the user.

Eric Smith www.pskl.us

t2

iOS4x Operating System Privacy Issues

The authenticity of "pskl.us" cannot be verified. lnstalling this prolile will change settlngs on your lPhone.

Root Certificate
lnstalling the certifcate "pskl.us" will add t to the list ol trusted certificates on your iPhone.

Figure 11: Certificate Installation Warning Screen

'When

the user clicks "Install" on the waming screen, the new root CA is installed and trusted as

can be seen in Figure 12.

Eric Smith
www.pskl.us

l3

iOS4x Operating System Privacy Issues

Profile lnstalled
pskl.us

OTrusted
Receved Sep l, f 2

Contains Certfbate

More

ftalls

H i q'
Figure 12: Trusted Root CA Installation Compiete

With this conflguration in place on the iOS4x device, it is now possible to decrypt and analyze
any intercepted communications between the device and those remote servers owned or managed by Apple or its affiliates or contractors.

Eric Smith www.pskl.us

l4

iOS4x Operatng System Privacy Issues

Phase One: Analysis of an ldle Devire

In the first phase of this study, the iOS4x device being studied was powered on and immediately connected to the laboratory wireless network. The device was subsequently connected to an AC power supply such that the study could continue for a period longer than the device's battery would otherwise permit. No further interaction with the physical device occurred after this point of the phase one study. The device was allowed to remain undisturbed in this fashion for three days, after which time the collected trafhc was analyzed.

Phse One Anlysis, Part One:

Initial Phone-Home Anlyss

Within seconds of the device's initial connection to the wireless network, it established a secure, encrypted connection to a remote server named "gs-loc.apple.com". Using the tools outlined in the Methodology section, it was possible to decrypt this communication and study the contents. As can be seen in Figure 13, the device used |TPS method POSTI4 to ftansmit data to the
server at https://gs-loc.apple.com/clls/wloc.

ra

http ://en.wikipedia.org/wiki lP OST

-7o28VIPVo29
15

Eric Smith
www.pskl.us

iOS4x Oporating System Privacy Issues

Gartifi c.ate

\fiewens.1lo,sqppter0rl . :'

Senerat

I O.tuir,

Tl certificte h beer yerlfled for fhe follwvlng user:

SSt

S.*.r

Certificate

Eued To Common f'lame (CN)

Organization (O]

gs-loc,apple.com Apple Inc,

Organiational Unit (0U) Irtemet Seruices Serial Number 4C:18rEBr0A

BruedBy
Common Name (CN)
Organization (O) Entrust Certification Authority - LlC

Entrust Inc,
rnnnnn. e

Organitional Unit (Ol llaEdity ksued On

Expires On

ntru t,

eUrp a

ir

n co

rp

rate

d by ref e re n c e

1/4/2010

10/u2012

fingerprhtr
SHAI Fingerprint MD5 Fingrrprint
DFr6L4Cr2lr57:lAFLSBr2AE2rFl:FBrfl9:9Er5:91170:50;T0;E1
C

I I

E 8 5r 9 F

01

2:11

9 B

0A

24.

6 D

CA. C? r 40

;E

Figure 14: Security Certificate for go-locapple.com

The data transmitted from the iOS4x device to Apple can be sen in Figure 15.

Eric Smith www.pskl.us

t7

iOS4x Operating System Privacy Issues

Ch.der 1.6.5 - iphont-updtting-mac-databr-09-03-12' Hclp

l--llE

File tdt Vew Pro), Toob \{ndw

Su(ture

I Squh(

hts://gsloc.ppl.,com

- dltl
nullr

3 l
i- r

_@
h.y/
pbcwloc

00 0I 00 2e 33 2e a I0 30 34 30j.8

05 65 6e 5f 55 53 00 00 00 09 34 2e 38,t 32 00 00 00 0r 00 00 00 79 12 3 31 33 3 63 33 3 32 65 3a 64 62 00 20 c0 0c

33 12 3a

e .3.0J2
40

4.3

oll3:c3rze:i

A l ht.//noti!2.dropboicomj0
htr,//iphone-:eruicer,apple com

=-

pb(wloc

_ -

pbcwloc pbcwloc pbcwlo<

pbcaloc
pb

cwloc

_- pbcrloc
pbcudor

pb(wlo(
pbcwloc pbcwloc pbcwloc

Headerl

Te* Uo lomj3gJ
Roording

l5!B ot2uB

Figure 15 Data Transmitted to gs-loc.apple.com

Analysis of this data reveals that the iPhone being studied is transmitting the device's configured language ("en_IJS", United States English), current iOS4 version ("4.3.3.8J2"), and what appears to be a MACr5 addess ("0:13:c3:2e:db:40") to the "gs-loc.apple.com" server. A MAC address is a unique identifier assigned to an Ethernet device in order to distinguish it from any othff device on the network. As defined by the Ethernet specificationsl6, a MAC address must be globally unique and may not be re-used on multiple devices.
Further investigation reveals that the MAC address being transmitted is the MAC address of the laboratory's Cisco model I23l wireless access point to which the device is associated (Figure 18: Ethernet MAC Address of the Cisco I23I AP (Figure 18: Ethernet MAC Address of the Cisco

123t AP).
The response from Apple's servers, based on the uploaded data, can be seen in Figure 16. lt is interesting to note that this response, which is in Google's Protocol BufferslT format, contains additional MAC addresses. This is a partial download of Apple's crowd-sourced geolocation database which is used to assist iOS4x location-aware applications in determining the device's physical locationrs. Apple's geolocation database maintains the mapping between the BSSID (wireless MAC address) of a wireless access point and that access point's geographic location. By submitting to Apple the BSSID of a nearby access point, an iOS4x device can determine its
r5 t7

htrp http tt ht,p

'u

http ://en.wikipedia.org/wiki/lvfAC-addess

o2lBo2.3.htm:.

col-buffers/ 11/04l27{pple-Q-A-on-Location-Data.hrf

Eric Smith www.pskl.us

18

iOS4x Operating System Privacy Issues

approximate physical location by querying Apple's database. As is the case with most intemet communications, the pubic facing IP used by the iOS4x device is known by the remote server and can be associated with the submitted or queried location data.
Ch!d.r
1.6,5 -

iphonr-updtng-(-dt b.r-09-01-12 Proxy Toolr

File Edit

Me

Wndr

Help

xltall
E

l,

ht//9r-1o.,ppl..(om

A
G

_@
pbcwioc

clh-

nullr()

lttp//hotify2.dropbGromr00

i
E

htps//iphone-;eNicer.apple.com hcy/

pbcwlo. pb(wloc

pbr*loc
pbcsloc

,
,_

pbcrloc
pbcsloc pbc*loc
pbswloc

, - pbc*loc

_ _ _

00000000 00 0I 00 00 00 0I 00 00 07 65 12 35 0a J0 30 3 00000010 31 33 3a 63 33 3a 32 65 3 64 62 3a 34 30 lZ lE 0000002 08 0 pS 90 9e Ot IO h8 Ad bd e3 Et ff ff ff 00000030 0I I0 2a 20 00 20 f0 0l 30 12 58 3e 60 60 a0 01 000000t0 0b 12 36 0 f0 30 3a 31 36 3a 39 63 3 39 32 3a 00000050 64 34 3a 34 3I IZ If EA 96 tr 90 9e 0f I0 el ba 00000060 ad bd e3 tf ff ff ff 0l lA 2 20 DO 2A rB Of 3i 000000?0 12 58 3e 60 t 0I o8 0I 0I J.2 36 0 I0 30 3 3I 33 3 35 66 3 66 61 3 36 64 3 66 30 2 lf 08 da 90 9e 0f l0 e3 94 6d bd e3 tf ff tf f OI LA 2a 20 OO 20 f9 0l 30 l 58 31 60 a? 0l aB 0l 06 f2 36 0a I0 30 3a 31 35 3e 66 66 3a 32 62 3a 31 33 3a 65 3I 12 It 08 ? f? 90 9c 0[ f0 bd 90 90 bd e3 ff 1 ff fr DI 18 20 00 28 16 01 30 0 58 26 60 e? 02 8 0I 0l 12 36 0a l0 30 3a 3 36 3 39 63 3a 39 32 3a 64 34 3 34 33 12 Il 08 96 d8 90 9e of o 9e a5 8d bd e3 ff ff tf ff 0l IO lA 2h 20 00 20 fe 0l 30 14 58 25 60 6 0l d 0r

5 0 l3c3r2e:: f
6 0:

0 'h 16:9c:92:

d4:41

(0
6
O:

)' ( 6 X'
6r

3:5t:far6d:f0
0 x?'

0r 15r

ff:2b:
6

r(

9c:92 d4: 43

pbc*loc pbcwlot pbcsloc

0 xt' 20 011235 0s10303a3231 3a65383a62303a 5 Or2!t e8,bor 30 30 31 3 32 63 I2 le 08 ec c2 f 9e 0f 10 cS cd lrzc (0 98 bd e3 ff ff ff ff Ol lA 2a 20 OO 28 f Ol 30 50 0f 5829606a80I0b12370aII38343e64 XI F 1 A4r 62 3d32 66 3a 31 37 3 33 36 36 38 32 12 Lf OA bt2trL1.36rez f3 d7 8f 9e 0f l0 ca a 9? bd e3 ff ft ff fr 0I r f 0Xf' 182a200028fd01300e582860bI0Ia80I 6 4:?:cf:9 02 12 36 a Il 34 34 3 61 3? 36 63 66 3a 66 39 3 31 65 3a 61 35 12 .le 00 fS b3 8 9e 0f l0 f3 le:es 7 9A bd 3 ft ff ff fr Ol 1A 2 20
OO

2A fd 0I

Ico 3009580c6035a80I06f23?oelf 32303a 0X'5 7 z0r kr?:agragrtlz 34 65 3a 37 66 3 5l 39 3 61 39 3a 34 32 12 I 08 dD e2 95 9e 0f I0 fd fB d 3 eE r. tf f 01183620002rtf 03006582860e?01 6 ( 0Xl' 0l 06 12 36 oa Io 30 3a 32 32 3a 37 35 3e 65 31 6 trzzrlsreL 3a 62 32 3a 34 65 12 lf 0 8c 8c ff 9d 0f t0 dg rb2.4e 0 ( cTf0bce3fftt fftI 18 30200028 al02 5 0: 300e58336092010111235010303a 0h' 31 35 3a 66 66 3 31 39 3e 32 65 3a 62 63 12 Le l5:ff:f9:2e:bc 08 (U fe 9d 0f I0 r ae f0 bc e3 r i t ff lnnnn26n nl lfl 2 2 n 2 9 n2 ? ll 5fi tf 6n 52 n nl nx'R HradlTe Hu lRl
B ot24YB

Figure 16: Response from gs-loc.apple.com, Page L of 2

Eric Smith
www.pskl.us

l9

iOS4x Operating System Privacy Issues

Fil Edit Ms

Clrrrlo !.6.5 - hoe4ddi9-m(-drt b!.09-0II Prory Tools Windw Help

E
08 89
OL LO

Lt
El

htr.//gr-lo(.apph.<om

cll5/

5 GB
E E

nul:l]

G
pbcwloc

hfrpj//ory2.dropbotcomr80 hnp/phon-reMcr.pple,com

hcyl

pbilloc

_ _

pbcrloc
pbcwloc

__ pbcslo( pbc*loc

pb.wl
pbrrloc pb(wlo(

_ _

pbcwloc

pbcrlor pbc*lo(
pbcwlo(

cb 9e 0f l0 a6 9d e9 bc e3 tf E ff f 20 00 2 e9 0I 30 0b 58 2f 60 ?4 ae 0l 0a L0 30 3 31 31 3a 35 30 3 35 39 3 39 35 I2 lf 08 dd 9d 0f I0 9f e ff ft ff ff 0I IA 35 20 00 28 fc 0I 30 60 0c 0l d 01 0. 12 36 0 II 35 63 3a 64 34 3 66 62 3 62 34 3 38 3? 12 1 c3 9e 0f l0 e2 c? al8 bc e3 f fE u ff 20 00 20 eb 0I 30 0c 58 29 60 22 Ol 0a I0 34 34 3a 61 3? 3a 63 66 38 3? 3a 3 32 30 2 ff 08 ff 18 fc 9d 0r I0 86 bs 5d0 df bc e3 ff ff f ff 0l 0 2e 20 00 Z8 bd 02 30 5e0 0d 50 29 60 06 03 0 0l 0l 12 3{ 0a 0 30 36 31 5t0 35 3 66 66 3a 36 3a 65 30 3a 61 66 l2 Ie 08 c2 cd 9e 0f l0 d3 ec f5 bc e3 f ff ff tE 0I l8 2d 20 00 28 l 01 30 0d 58 24 60 23 eA 0l 06 12 35 0 0f 30 3e 31 32 3 65 3 31 61 3 61 65 3a 00000630 39 3I 12 Ii 08 ea bd d3 9d 0f l0 fB 8e cZ bd e3 000006 fl lf ef tf 0t I8 32 20 OO 2A A2 02 30 0c 58 2a 0000650 60 5 0l a0 0I 06 12 36 0a l0 38 3 38 36 3 33 00000660 62 3a 33 63 3a 63 31 3a 34 6l 12 I 08 88 eZ d0 000006?t 9d 0f 10 fZ cI cl bd e3 EE tt ef. f.t 0I 18 30 20 00000680 i0 28 82 02 30 0b 50 3e 60 88 02 BB 01 06 12 36 00000690 0 l0 30 3 31 63 3a 31 30 3a 31 34 3a 62 33 3 000006il 61 63 12 If 08 h4 82 ca 9d 0t l0 d7 a0 ca bd 3 0000060 ff ff 1 tf 0l 16 2f 20 EE 2A A6 02 30 0b 50 3e 60 df 0I 0 0I 06 12 3? 0 U 33 30 3 34 36 3 39 61 3a 33 63 3a 34 65 3 64 3t rZ rf 08 bd 89 98 9e 0f l0 d d ddbd e3 f fr t ff 0I 8 68 2O OO 28 eg 0J, 30 Ia 58 20 60 8e 02 E 01 01 l2 36 0 J.0 30 3a 31 65 38 65 35 3B 66 33 3 3? 66 3a 35 66 12 lf 08 ec 99 9c 9c 0f I0 b e0 cl bc e3 ft ff ff ff 0I .10 5? 20 00 28 8e 02 30 0e 58 3e 60 0 02 r 0I 0l 12 36 0 I0 30 3a 32 32 3a 33 66 3a 61 30 3a 64 66 3t 66 34 12 l 08 c2 d8 9e 0f I0 d 4 bd ei f n tt ff 0I I8 2e 20 OO 2A 92 02 30 0e 58 28 60 0l d 0 01 06 12 66 34 b9 d 0 58 64 61 08 cd 0L 8 0I L2 36 62 2a 36 3a e3 3e 3a c2 2a 36

el

(
6

x/'
50 59r

0:

IIr

f4r95

)C'
d: d4:

s l0 6 5c:
: b4:8?

( 0 x)'. 4trclrlr
' '(0 4
0!.!

6br20 Xl
5:

ff:6:

e0:

I
5

x't

0:.I2: e: la: ae:

9t

2 | OX. 6 8:86:3 b: 3c: cI: & '

0

( 0x8' /

0:1c: I0:14: b3:

'
9e:3c:

( 0 1 3ir46r ft:
h

6 >'

( 0x
0:

Ie: e5: t3: ?!

:58

3f : a0:

s { 0x 6 0rz2r ff: E4

H.adr'lTd Hd l@J
uB

d4ua

Figure 17: Response from gs-loc.apple.com,Page 2 oT 2

Eric Smith
www.pskl.us
20

iOS4x Operaring S1's1sm pvacy Issues

[$

rez.rre.zs+u7 - SecureCRT

EE
I

i"?

' E

I ii= r

E.,

l f" I I E I,t,;l

F2:AES-128

fE-e

Eso\,',

e8c-ok twtoo

-f -[-

Figure

l8:

Ethernet MC Address of the Cisco 1231 AP

In order to verify that the data received from Apple contains information about nearby access points, the publicly-accessible wireless access point location database known as WIGLET9 was queried against the MAC address data present in Apple's response. Seven matches were found (

C (lst 2 ztes)

'Zfrf

Latitt-de 40.8W452r
40.88700485 40-444'733 40-8924173a

LGgrU-de
-:76.5T839r-7

d,h, b2b
b9
076e

-:76.5%2%4
-:76.%989288 -76.56638391 -'76.%3L6376 -76.55799103

f495 91 Armage

40.12600 40-88909p 40.8%M'76

40.891504
o.0D6454

-76.5558427 -16.%38352
o.'797128

Stadard

hiaticn

re

http://wigle.net/

Eric Smith
www.pskl.us
21

iOS4x Operating System Privacy Issues

Figure 19) which corresponded to access points within the immediate vicinity of the location of the iOS4x device being studied.
Since the WIGLE data is sourced from individuals who record locations of wireless access points from a moving vehicle, a technique known as "wardriving"20, it is not surprising that the locations reported fbr these access points are along a major roadway. Apple's geolocation database is comprised of data collected by mobile iOS devices and would be of signifrcantly greater precision. It is clear from this result that Apple, by way of this query inechanism, is aware of the physical location of virtually every iOS4 device.
as measured

l,nc (l.ast 2 k:^lt)

7f5f c14a wb b9 o7 f495 ae91 Alerage Stardard hjd.ir

Lati-de rc.845221" 40.88700485 40.89444733 $.B92M3I Q.L7I6 40.8054 Q.ffiM16 40.89150804 g.00a56aq

i,G:i-tu 16.5T83971
-:76.5%?2%4

-:t6.%92
-76.56638391 -:76.%31:63'76 -76.55799103 -:76.555U-L1

-:76.%38352.
O.79-n28

Figure 19: \ilIGLE Cross-Reference Data

20

http ://en.wikipedia.org/wikiAMardriving

Eric Smith
www.pskl.us
22

iOS4x Operating System Privacy Issues

Figure 20: WIGLE.net Locations of Access Points Found in the pple Data

Eric Smith
www.pskl.us
23

iOS4x Operati

isystem Privacy Issues

The physical location of the test device is marked with a red and white star in

Figure 20.

Eric Smith
www.pskl.us
24

iOS4x Operating System Privacy Issues

Phase One Annlysis, Prt Two: Periodic Phone-Home Analysis

Following the initial communication with Apple, the iOS4x device remained idle for a period of six hours, at which time it established a new connection with a different remote server. The iOS4x device sent an encrypted transmission to "iphone-services.apple.com". The contents of this message were decrypted and can be seen in Figure 21 . Similar transmissions, of somewhat varying sizes, were subsequently sent lo the same remote server every six hours (Figure23).
Ch.leJ ?,,5 - rphne updtno-mc-drbr.-0! 0l 12 tile Edit Viw prol/ Tool5 WindN Help

lolElr13

Sructur | Srqucncr

Owrvaw RaquaJt lRsponsr

Ch.rt I NotJ
33 -tb Z0

l httpr/gJ 5 clli/ ui
null{)

lo(,appte.com

wloc

00 0l 00 05 65 6e 5 55 53 00 00 00 09 34 2e 2e 33 2e 3A 4B 32 00 00 00 64 00 00 I l2 0a 0 0s 4e 38 38 41 50 12 12 69 50 6e 6 6e 65
4E 53 34 2e 33 2e 33

en IJS .3.8J2 d

4.3

Iti
El

http://otry2 drcpbox rom:00 hfrpr.//phone-5erurcer apple com

lZ h.y/

ffi

pbcrlo(

pb(wloc pb(wloc pb.wloc pbcrloc

p b(rloc pbfrloc

-_l pbcwloc

--

pb(rlor
pbcwloc

pbcqlo. pb(wlo(

36 4a 32 la le 0B II 34 3s 32 31 3a 39 66 3s 34 35 ff tt tt tf fr ff ff OI 22 ?2 44 40 l.l 93 cS fd 4? 26 4 49 32 00 40 ee 42 E4Ds td 59 e2 42 l,td 0 l0 30 39 32 33 64 34 3a 34 3I .t0 0r 38 00 l8 bc ll t ff ft ff ff ff lf. 0L 22 26 09 ? 3d ea aE d7 7? M tr lI 93 c5 fi 4'l 26 24 53 c0 ld ba b6 9B 42 49 32 00 fi & t4 bS 4l 2d ac 49 0? 42 35 d 59 2 42 I 4d 0a t0 30 3 31 33 3 63 33 3 32 65 36 64 62 3 34 30 .t0 0b 38 00 LB cl i ff Ef ff t ff f tf OI 22 2e 19 a7 3d ea 17 12 44 4 I. 93 cS d 41 26 24 53 IO c0 ld bb6 98 42 49 32 00 40 ee 42 f4 bS 4I : 20 ac 49 01 & 35 fd 59 e2,U Ia 4d 0a 10 30 3a 1n 33 3a 35 66 3a 66 61 3a 36 64 3a 66 30 lO 06 00 l8 d? ff fE ff f ff ft ff tf 0l 22 2 09 t 3d f d? ?2 44 40 ll 93 cS fd 4? 26 24 53 c0 ld b b6 98 42 49 32 OD 40 ee 42 f{ bS 4l Zd c ?o 49 01 42 35 td 59 eZ 42 la 4d 0a l0 30 3a 31 33 I80 36 63 33 3a 32 65 3a 64 62 3a 34 30 lO 0b 38 00 t90 18 bf tf ff fl tr tt t. t l OL 22 2a 09 e? 3d e af d? ?2 44 {0 ll 93 cS td 41 26 24 53 c0 ld cl df 3d 49 8 ?? 10 2d .13 4 b5 { 2d c 49 07 {2 35 df 8f c 42 .L 4d 0 t0 30 3 3t 36 3a 39 63 3 39 32 3d 64 34 3a 34 3l l0 0t 38 00 IA c4 e. t e.f ff fC ff ff fe Ol 22, 2d 09 f? 3d ee af d7 72 M 40 lI 93 c5 f 41 26 24 53 c0 ld ct 3d 42 !, 8 77 40 21 43 f4 b5 41 2d ac 49 07 42 35 df 8f 8c 42 a fr 0a l0 30 3a31 33 3a 35 66 3a 66 6.1 38 36 64 3a 66 30 1 06 38 00 18 d6 ff ff ff ff f ff ff ff it 22 2 09 f? 3d a f d'I '12 44 4 l. 93 cS td 4'l 26 24 53 c0 ld cl 3d 42 49 Ba ?? 40 2d 43 f4 b5 4l Zd ac 49 E? 42 1S df flf 4.42 4 ni l 34 i4 3 61 3? 1 63 Headrt I Text H

2t

l88P iPhoe 0s4.3.3/8J2 4

4: a?:

34 3a 61 31 3a 63 66 l0 02 3 0 lB 4 Ef 2 09 f? 3d e f d? 24 53 c0 Ldb6 b6 98 41 2d c,19 0? 42 35 3 31 36 3a 39 63 3

cf:21:9t:

45

rDE G6 S BI2B -t85YBU 0

i 16 i

rD8 Or 5 BI2EB _IE5YEI O:

13: c3 l 2e: db 40
I "i

9c! 92! d4! 4l "1

rDB

G5

I85YBn O:l 3:5f: f: 6d: f0 6 tDB 0a5 BI2CD I85YBH O!I3 :c3:2e:clb:40 I =

rD8 D5

Cs

=Bl e-C - I D I 0i.I6:

9c:921d4:4I I

ES

rDB G45 8-c - I B X 0:13:5 i: fa:6d: l0 B

=EI

tDB GS .8I u8-C - I

S F t !a?r.

34MB oi

MB

Figure 21: Data Uploaded to iphone-services.apple.com

This communication illustrates how Apple's crowd-sourced V/i-Fi database is created and maintained. The data transmitted appears to be a superset of the Wi-Fi location data downloaded from Apple during the initial check-in as described earlier, combined with unique wireless location data colected by the parlicular iOS4x device. For exarnple, the MAC address of the Cisco 1130 wireless access point used in the laboratory network (Figwe 22) is present among the data submitted to Apple, as can be seen in the highlighted section in Figure 21. The physical location of this new access point is now known to Apple and can be used by subsequent iOS4x devices via MAC address lookup to determine location. As in the earlier case, the public-facing IP used by the iOS4 device is known and can be associated with the submitted location data.

Eric Smith www.pskl.us

25

iOS4x Operating System Privacy Issues

l-,= ll

ii

Figure 22: Wireless MAC ,A.ddress of the Cisco 1130 Access Point

Eric Smith www.pskl.us

26

iOS4x Operating System Privacy Issues

B
8000

ytes Transmitted to http

//iphone- s ervices. apple. com

7000

6000

5000

4000

3000

2000

1000

9l3l2l2:00 9l3l2l2l2:00 914120120:00 9141201212:00 915120120:00 9151201212:00

Figure 23: Periodic Data Upload to iphone-services.apple.com

916120120:00

Eic Smith www.pskl.us

2',1

iOS4x Operating System Privacy Issues

Phase Two: Analysis ol IOS4 Comtnunications during Device Usage

In this phase of the investigation, the communications between the iOS4x device and remote servers was studied while simulating routine user interaction and use of the iOS4x device.

Phase Two, Prt

I:

Installing Applictions

On an iOS4x device, software applications, commonly known as "Apps", are purchased and installed by launching Apple's built-in "App Store" utility.
No Servlce

8:lil PM

Figure 24: The iOS4 App Store

In order to install any applications on an iOS4x device using the "App Store" utilit the user must log in with his or her "Apple ID". In order to obtain an Apple ID, the user must provide his or her e-mail address, name, mailng address, and date of birth to Apple (Figure 25). h order to make purchases in the App store, a user may elect to enter payment information, such as a credit card or a pre-paid Apple iTunes gift card number.

Eric Smith www.pskl.us

28

'*A

EI

|*d4tuhHE4d* ftSllrl*li@ &Sha ib.'h

b.

tur4

d.

id brr4ur*G

ir.qld e: drr.Ee. *!rr{ .rc &!r rt *! . r t c. +..r!n . tuJ6lar b ! rdg f a! r r,: f.!

tl@ rF. fIG

6trSB crtu4

fr k h dic.htawir-

---------__l
.,**;;:;r,hd*.* hh cn(d

Inlbrmation Requiteil to Obtn an.pple ID

iOS4x Operating Sysm Privacy Issues

Figure 26: Logging into Apple's App Store on the iOS4x device.

The user-supplied Apple ID and password are transmitted via HTTPS to the server "p12-buy.itunes.apple.com" \here they are verified before the requested application is transferred to the iOS4x device. As in the earlier cases, the public-facing IP used by the iOS4x device is known and can be associated with the submitted AppleID and password.

Eric Smith www.pskl.us

30

iOS4x Operating System Privacy Issues

Chrlerl,6,t-srrron5
Help

-ltrlJ

Fle Edt Vew Proly Tools Window

https/p12-buy.ituner.apple.com

El EJ Wbobjectr/ g MzFnnce.woa/

Ew/

ii tvZBqy.woa/ E l vZFaiFinance,rca/ E f http://ax.inititunes.apple.com E fi httpr//metric:.apple.com E ri http//a1l06.phobos.apple.com

O

httpr//a130i.phobor.apple.com

Recording

St rld

Reoordlng 24llB ol 2ttBMB

Figure 27: App Store Login and Subsequent Transmission of the AppleID and Password to Apple

Plnse Two, Part II: Downloading Media

On an iOS4x device, media such as rusic, movies, and television shows can be obtained using the built-in "iTunes" application (Figure 28). The iT\rnes application uses the same Apple ID and password as the App Store and uses the same back-end servers and rounes to process a user login. When auser chooses to purchase a song or video, he or she is prompted for the Apple ID and password (Figure 29). The Apple ID and password are transmitted to Apple (Figure 30). Once verified, the purchase is processed and the download to the iOS4 device can begin.

Eric Smith www.pskl.us

31

iOS4x Operating System Privacy Issues

No Servlce

12:11

Pil

lmaglne Dragon

Nbht Vlsions
Gsror
^Jtemative Rleased: Sep O1,20i2 t4 ltms

iTS6Ratings xxxxr

1 2 3 l

Redoclivc

lpbr
frr

irr

Drmona

Figure 28: Purchasing music via the iTunes application

Figure 29: Logging into iTunes to Purchase Music

Eric Smith
www.pskl.us
32

iOS4x Operaring System Privacy Issues

; Chales 3,6,5 -iitunrr-login* Filt Edit View Pro4y Tools

Window

Help

L httpi//pU-buy.tune5.ppl.com

Figure 30: iTunes Login and Subsequent Tresmission of the pplelD and Password to Apple

Phnse Two, Prt

III:

Using Applications

Many of the applications avaiable for the iOS4 device are adverlisement-driven and provided free of charge to the end user. In-app advertisements are typically in the fonn of a small graphical banner displayed to the user while the application is being used (Figure 3l). These advertisements are typically served to the iOS4x device from one of a small number of advertising networks, including but not limited to Flurry2r, TapJoy22, and Doubleclick23. Apple entered this market in January of 2010 with its acquisition of the mobile advertisement provider Quattro Wireless2a, rebranding the advertisem nt network as "i4d."25 Note the "iAd watermark in the lower right of Figure 3 1.

t'

http://www.flurry.com/flurry-anal1'tics.html
http://www.tapj oy.co rn/ http://www. google.com/doubleclick/v
http, //ne.s. cnet. com/83 0 f - f 3 5? 9-3 - 1 0 425 465 -3'l .hantl http ://advertising.apple.com/

'*

Eric Smith www.pskl.us

JJ

iOS4x Operating System Privacy Issues

Figure 31: An IOS Applicationto using the i,A,d System

Previous studies have shown2? thatmany of these advertisement networks, including Apple's iAd network2s, rernotely collect the iOS4x device's unique device identifier, or UDID, whenever an advertisement is viewed. The UDID is akin to a serial number and uniquely identifres a particular iOS4x device.

26

t?
28

http://itunes.apple-com./u sl applid37 9 5 16970?mt= 8 http ://www.pskl.us/wp/?p=476

http://www. pskl.us/wp/?p=48J

Eric Smith www.pskl.us

34

iOS4x Operating System Privacy Issues

Section 3: Conclusions
Considered individually, the numerous communication paths between an iOS4 device and Apple Corp. do not provide a direct correlation between a user's real-world identity and hs or her present physical location. The geolocation queries discussed did not include any data regarding the device or user identity; those subsequent queries which included user or device identity did not include any geolocation data.

ff a single entity, however, has access

a

to all of the communications considered in this report, it is trivial matter to tie geolocation with an iOS4x user's real world identity. Ignoring the use of sophisticated behavior profiling technologies now in widespread use, it is possible to perform this correlation by simply considering the public IP address of each of the communication paths considered in this report.

By referencing the public IP address used by the iOS4 device when it performs its initial connection to the server "gs-loc.apple-com", subsequent communications with Apple Corp. from this IP address can be tied to a physical location. This data is kept current by the iOS device's regular check-in with Apple geolocation servers (Figure 23).
The use of the App Store or iTunes from this same IP address provides Apple with real-time physical location inforrnation about the user, whose real-world identity is already established by data provided when the Apple ID is initially created.

Eric Smith www.pskl-us

35

iOS4x Operang System Privacy Issues

['lnirrr' I)evicc.
ldc'ntifc'r'

Figrrre 32: Relationships between Collected Data

It is clear from the data examined in this report that Apple routinely and automatically collects sufficient information such that they can identify the real-world identity of the registered user of an iOS4x device, as well as the device's physical location, at an update frequency of no less than
once every six hours. (Figure 32)

Eic Smith
www.pskl.us
36

iOS4x Operating System Privacy Issues

Appendix

Eric Smith www.pskl.us

37

iOS4x Operating System Privacy Issues

Appendix
C

A: Fxtraction of Geolocation Data from

the WIGLE Database
rlo

W'rcL.E -

Yfdess cogaphic toggirE

f.rEiE - Serch tlo.ts REh - Mdta

wrul - wrrdr o96PnK Lo99n9

'*.
...
t

il

.r*

ffin'rffi!ff.*
'
l

#ffi.J*
G
l

.lF. 2
l

fl. coai.
Wti
l

Hm t llomlmd t F

Po{

Fle

fbg

ScHCrots S@ l llo t Wb I'p!

l

ll.pPicllflrs

tigt

sholng stetons t lrouglt 1 ofllts qfy.

UrreU - Wirtes Ceogaphk lggrB trigi - SE.

tclc R.{h - Mdl

Fo

l}. _+

,
t
hflp:i/wi9lnd.'qprrgp:inr3n,.cn{rnrluri,;

rffi

jffifltr#
. c .l- coi.
P

Shoulno stalions 1 through

I dlhiB query

Eric Smith
www.pskl.us
38

iOS4x Operatin! Syslsm Privacy Issues

Ele Edit {
I

Hiot 0@trE.f Ib

Hdp

hftpsr,Mglnt'gp!gpj:nrtrcnl:rnqur'

c I l- c*st

P I E- 9-

3erch Results:

Shoring statons

lhrough

of lh qry.

@-"

Search Resulls:

showlng statons 1 trforjgh 1

ofllts

quefy.

(- "

E'

Eric Smith www.pskl.us

39

iOS4x Operating System Privacy Issues

Eh Edil ![v tr$ory @bErl6 I@b

I

Udp

C +

http3,'f,,igle.ntgp:'9F!rrrniccnfrmqu,1

P EI- Cl.pslllpPattWtt tlogdt

Hme lllomlo.d tForum tPosr FflelOrs! | SsHsolsl Strlrtlods lweb trEh Results:

Shouing sl,atims 1 throrlgJr

of s

flry

IYGU Hme

19- *

E'

Eh Edil 5e Hirory BoobD.b I@b

C I C
hfrp: wigle,q:

dd

qp: rn:in':cn[rnqun,/
I

C .ll.
tOlEtt Sm$ors
I

ccre

P i El- elLogout

Hme I O,omloid
3arch Rsults:

Fm

Pod Fle

Stab

U0lm lWeb

llpsl laoPachflfellMt

Shoting stetlons I lhrqrgtt

oltfts

query.

IYGLI llofr

@-'

Eric Smith www.pskl.us

40

iOS4x Operating System Privacy Issues

3afch Resrlts:

Shiling slations I trrorJg f

of fts qury

lficLf 8m

19. *

a'

Sa?ch Rsultl:

sholng sltofs I tfougn

I oflhts

quefy.

lf6lf

lm

@-'

a'

Eric Smith www.pskl.us

41

iOS4x Operating Sl,stem Privacy Issues

Eic Smith www.pskl.us

42

Eric J. Smith
48 Mutchler Road Danville, PA 17821
I n d u stry
Ce

(s7o) 4s2-see2
eric@pskl.us
redhat.
CERTIFIED ENGINEER

rtifi cati o n s :

. . . .

Cisco Ceftified Network Professional (CCNP)

RedHat Linux Certified Engineer (RHCE) Microsoft Certified Systems Engineer (MCSE) Ceftified Novell Engineer (CNE)

Employment History:
Assistant Director Information Security and Networking Bucknell University Lewisburg, PA
December 2OO3 to Present

www.bucknell.edu

Identified, developed, designed, and implemented creative solutions to the computer, communications technology, and information security needs of the University community. Managed our team of network engineers and student employees.
Oversaw Bucknell University's network infrastructure:

o . . . . .

Responsible for the design, installation, maintenance, and growth of the University's global data network, which consists of over 1,500 managed network devices connected by 500 strand miles of optical fiber. Managed technicians, work groups, and project teams. Designed and installed a fully-redundant network architecture, including active-active router pairs, firewall clusters, and multiple independent upstream provider links. Managed the implementation of a $416,000 Department of Education grant for the expansion of mobile services at the University. As a result of this grant, and continued support by the University, 99o/o of the University campus -- indoors and out -- is covered by a robust, fault-tolerant 802. 1 labgn wireless network. Developed, tested, deployed and assessed technologies to provide secure, seamless remote access to campus resources, including voice, video, and data. Because of the seamless connectivity, the University has been able to support and actively recruit for telecommuter positions in several key depaftments. Developed software and hardware to automatically detect and disable rogue wireless access points connected to the campus network. Served as project manager to design, develop, and deploy an IP Multicast solution for a 60+ channel subscription-based cable television system for the campus. http : //www, bucknell.edu/x961 1.xm
I

Managed the University's information security program:

. . . .
I

Designed, configured, and installed intrusion detection and prevention systems. Served as Bucknell University's senior information technology security specialist. Provided leadership for the University's IT Security Group. Prioritized security-related projects. Developed policies, standards, and best practices for the University regarding all aspects of information securty. Made recommendations to senior University administrators on matters related to information security. Served as technical lead for all information security issues on campus. Performed vulnerability and penetration testing, security analysis, and remediation.

. . . . .

Oversaw regulatory compliance (PCI) for credit card systems and transactions. Served as project lead and worked with external auditors, Authored software to automate management of virus-infected client machines (Quarantine) and Internet bandwidth abusers (RBZ). http://www.bucknell.edu/x9973.xm| Also featured in a SecurityFocus afticle: http://www.theregister.co.uk/2OO4/O9/L6/academia_battles/ Worked with the FBI, incidents.org, and representatives from other universities in the constant battle against botnets. Performed security analysis -- physical and logical -- for the proposed infrastructure components of the University's One-Card implementation. Managed handling of copyright issues stemming from illegal downloading of music and movies. Coordinated with University Counsel's offce in response to cease and desist letters from
RIAA/MPAA.

Paft

nerships and collaborations

. . . . . . .

Member of the Penn-REN Technical Advisory Committee (PTAC), which serves the KINBER board. PTAC is focused on configuration, deployment, and usability issues of the statewide high-speed

research network. Served on several university committees including the Information Services & Resources Steering Group. Supervised the work of other staff members as it related to supporting the network infrastructure and information security projects. Led several organization-wide discussions and presentations on issues related to security. Provided training and mentoring for network technicians, system administrators, and security group members. Aggressively negotiated with information technology vendors including Cisco, Noftel, AT&T, NEC, Liebert, and APC to maximize the effectiveness of University budgets. Worked with the local community. Member of the SEDA Council of Governments Broadband Advisory Group, tasked with the goal of researching and providing world-class broadband solutions to the members of our rural community. http://www.seda=cog.org

Network and Systems Engineer Carole Hochman Designs, Inc. New York, NY

August 1998 to December 2OO3 www.carolehochman.com

Responsible for the operation and maintenance of all information systems for a Madison Avenue fashion designer. Supported domestic offices and overseas factories in Turkey, Egypt, Hong Kong and China. Managed technicians and project teams.

. . .

Responsible for network security policies, anti-virus systems and firewall configurations. Designed and installed a Windows Active Directory system in multiple states to facilitate communications between offices and between users of different desktop platforms. Responsible for telecommunications and wireless systems throughout global offices. Maintained and

. . . . o
2

expanded the enterprise-wide telephone and voicemail systems. Installed, configured and maintained leased-line, VPN, dial-up and extranet connectivity between all offices throughout the global enterprise. Developed and deployed a mobile infrastructure with 100o/o access to corporate network resources. Designed and installed an 802.11b system which enabled warehouse staff to employ wearable Ethernet terminals. This system permits real-time, wireless barcode scanning of data directly to the ERP system. Provided network support and interoperability between AS/4OO, W2K, and Unix. Developed mechanisms for the publishing of AS/400 data to Unix and W2K file and web servers. Managed departmental budgeting and purchasing. Coded HTML, CGI and ASP for Internet and Intranet websites. Provided usersupport and training; developed training materials and programs. Created procedures manual and methods for systems and operations documentation.

Network Engineer Computer Service Partners Raleigh, NC

August 1997 to August 1998 www.cspinc.com

Provided on-site network support at Fortune 500 companies throughout Research Triangle Park.

. . .

Responsible for installation and maintenance of local and wide area networks. Provided desktop support and installation of hardware and software.

Evaluated customer networks and provided solutions for network optimization, security, fault tolerance, and disaster recovery.

Assistant Network Administrator Bloomsburg University Bloomsburg, PA

January 1994 to August 1996 www.bloomu.edu

. . .

Supported the universityt academic computing network, consisting of faculty offices, classrooms, and student computer labs. Supervised the installation of network applications to LAN Manager and Windows NT Servers. Evaluated and documented software for classroom use and assisted faculty with the incorporation of Internet technologies into their curriculum.

Education:

. .

Bloomsburg University. Bloomsburg, PA. B.S. in Chemistry; minor in Computer Science. Graduated GPA 3.91 overall; 4.O in Chemistry and Computer Science. North Carolina State University. Raleigh, NC. Completed 15 hours of graduate work in Chemistry. GPA 4.0.

with Honors in August 1996.

Information Security and Networking-Related Presentations and Research: . "Customized Threat Analysis and Reporting". Webinar, Scheduled for October 17,2OLz . "Integration of Disparate User ldentification Sources into your IDS/IPS." Palo Alto Users' Group Meeting, Malvern, PA. Scheduled for December tL,2Ot2. . "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique
Device ldentifiers (UDIDs)". October 2010. This paper describes the use and abuse of the iOS Unique Device ID (UDID), which was shown to be actively used by adveftisers and application developers to track the application use of individual users. As a response to this and other similar research projects, Apple announced the depreciation of the UDID with their release of iOS5. I was interviewed by a number of news organizations, including Ars Technica, MacWorld, Engadget, Slashdot, The Register, and others. http://arstechnica.com/apple/20L0l10/iphone-user-privacy-

at- risk-from-a pps-that-transmit-persona I -i nfo/

. . .

"Rogue Season: Successful Hunting Strategies for the Network Administrator". Nercomp, 2008, Providence, RI. Rogue access points (APs), those installed by unauthorized users, are a security, usability, and liability concern for all university network administrators. In this talk, we will present several time-saving methods of rogue AP detection that do not require expensive commercial applications or unwieldy directional antennae. Slides at http: //net.educause.ed u/ir/library / pdflNCP08095. pdf "Introduction to Streaming Video." Mid-Atlantic Digital Library Conference, 2008. "Hardware and Honeybees." Presented at the Central Pennsylvania Open Source Conference (CPOSC), 2009. Discussed how internet-connected technologies, including cameras and sensors, can be used by Pennsylvania's small farmers to increase the health and yields of their operations. "Streaming Multimedia for Digital Libraries and IRs such as DSpace: An Introduction". NITLE, 2008. This presentation addressed the benefits of using streaming servers, examined case studies, and provided an overview of the technologies and processes involved in handling large multimedia files via streaming servers.

. .

. . . . .

"Medical ldentity Theft." Presentation at the DefCon security conference. This research focused on common security issues at medical facilities and the feasibility of large-scale attacks aimed at gathering patient data for the purposes of committing identity theft and insurance fraud. August 2008. http://www.defcon.org/images/defcon-76/dc16-presentations/defcon-16-smith-dardan.pdf "Botnets at Bucknell." Presentation for Information Services & Resources Staff, Bucknell University, Lewisburg, PA. Presentation provided an overview of botnets, how the Bucknell community has been affected by them in the recent past, and the security measures taken to protect Bucknell and the internet at large. The audience included technical staff members, non-technical staff, and library/technolqgy administrators. May 3, 2OO7. "The $60 VPN Tunnel." Fresentation to the Bucknell University community regarding the methods currently in production for creation of IPSec-based L,AN-to-LAN tunnels for remote offices and telecommuters. April 2OO7. "VoIP, Vonage, and Why I Hate Asterisk." Shmoocon 2007, Washington, DC. This presentation examined the potential business and home uses of Asterisk, an open source telephony platform. Also addressed were security issues inherent to most VoIP deployments. http ://www.shmoocon.orglspeakers. html. "Wireless LAN Security." Presentationfor 2OO7Information Security Week, Bucknell University, Lewisburg, PA. March 2OO7. "Countering Attacks at Layer Two." Shmoocon 2006, Washington, DC. Focused on often-ignored security issues that affect large campus networks. Video and slides from the presentation are availabl e at http : //www. sh mooc on.org/ 2006/presentations. htm l. Cisco Security Research: Discovered a security flaw in the Cisco Aironet IOS software. A vulnerability exists in Cisco Aironet Wireless Access Points (AP) running IOS which may allow a malicious user to send a crafted attack via IP address Resolution Protocol (ARP) to the Access point which will cause the device to stop passing traffic and/or drop user connections. Repeated exploitation of ths vulnerability will create a sustained DoS (denial of service). See Document ID: 687 t5/ Advisory ID: cisco-sa-20060112-wireless for more details. http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless,shtml.2006. "Bucknell's Resnet Quarantine." Presentation to the University community to discuss the automated systems which are in place to deal with worm, virus, and botnet-infected machines on the University network. January 2005.

Awards:
DefCon 12 (2004), DefCon 13 (2005), and Defcon L4 (2O06):

Winner of the Wardriving Contest at the nation's largest computer security conference. The Wardriving Contest pits teams from around the world against each other to determine who can best solve a given network security problem. The winner of this contest is awarded the prestigious "Black Badge", which allows the holder free admittance for life to all future DefCon conferences. http://www.defcon.org.

Other Skills:
Chemist. Experience in organic and inorganic synthesis, safe laboratory practices, computational
a a

methods (Gaussian, GAMESS, HyperChem, MOPAC, and Spartan), powder X-ray diffraction, fluorometry, AA, FTIR, GC, GC-MS, UV/VIS HPLC, and NMR, Eastern Apiculture Society Certified Master Beekeeper (University of Vermont,2OL2). Electrician. Experience in commercial and residential service (1990-1994).

Professiona

I References:

Available on request.