Friday, June 3, 2011

iPhone privacy risk to the fault of the super-aggregators

A database of 75 million iPhone users, each identified by the serial number of your iPhone by (UDID). But above all, many of them link to your Facebook account, so that the code of your smartphone, virtually anonymous, can be traced back to the identity of its owner. All of this available to a single application developer, but for a long period of time, accessible to anyone via the Internet.

The new privacy risk for iPhone users (and iPad) has a rather technical name, as well as obscure: "deanonimizzazione dell'UDID. To explain, in fact, just one question: what would happen if an iPhone developer, or one of the companies that understand data usage of the app, could identify users who use applications, creating a database with personal data of each? All iPhone, as is known only to experts, relies on a unique code (UDID) that, when we use a network app, it can be recorded and posted online or forwarded to third parties without our permission.

"A survey - said on his blog Aldo Cortesi, security expert Nullcube New Zealand - shows that 68% of the mail app silently UDID to the server on the Internet. This is often accompanied by information on how, when and where device is used. The most common destination for this traffic is Apple, followed by network analysis and the Flurry OpenFeint social gaming companies.

"" These companies - continues Cortesi - are super-aggregator of information of users connected to UDID, since many use the app their software. Behind the big three, there are thousands of sites for developers, ad servers and small analyst firm. Luck is the UDID phone is not connected to his real identity.

Was possible to "deanonimizzarlo" would run a serious privacy problem. Apple is aware of it, and explicitly prohibits developers to bridge the public and UDID user's account. "That is, until a few weeks ago. Then, we ask Aldo Cortesi, what happened?" I discovered that you can connect a UDID the real identity of a user using OpenFeint.

Specifically, using the serial code un'iPhone, it is possible to trace the user's Facebook profile in about 10% of cases. Beyond that, you can get the GPS position in 30% of cases, and other information potentially identified in 20% of cases. When you consider that OpenFeint has 75 million users, this is a problem.

"How did you go back to this data?" My job is to test the security of software and electronic devices. In this context, I wrote "mitmproxy", a software that allows me to intercept web traffic encrypted. Mitmproxy I used on my iPhone out of curiosity. And the problem with OpenFeint was immediately obvious: five minutes after I knew I had found a major flaw.

I mitmproxy made available free to spread awareness among developers of the risk. "So the risk is that these data could be intercepted and used for profiling. OpenFeint But what kind of data collection?" Basically, OpenFeint collects information on video games, what games and when we play, in addition to data on scores and goals.

But if you authorize them, even store your Facebook and Twitter, and the GPS position. You can also use their platform to chat, to connect to friends and to send messages, items that provide additional personal information. "Potentially, people could access this data?" When I found the problem, anyone with a browser could access the information, only having the UDID device.

Later, he corrected the flaw OpenFeint main, but still with a browser you can get information like the last game played and the user name. "What kind of privacy risks this involves data traffic?" The issue is that UDID the identifier is used as an anonymous user. This means that hundreds of companies - including advertisers, analysts and individual developers - all'UDID aggregate related information in many different databases.

For example, the second largest aggregator of information UDID after Apple is the company's mobile Flurry analysis. In the case of apps that use its platform, Flurry can detect a huge amount of data when users start to play, when they stop, as they do in the game. The most negative scenario would occur if a database such as Flurry could be related to the real identity of users using a vulnerability such as UDID OpenFeint.

Apple is aware of this potential privacy risk? "Apple is aware of the risk, in particular the problem OpenFeint. So far, however, did nothing to improve the situation." According to other analysts, like Charlie Miller, the question-UDID is not so worrying. Also because it's necessary to sacrifice some privacy to get the benefits of Network Connections in the era of the smartphone that you believe your privacy is dead? "Privacy is dead in the era of the smartphone only if we let it die.

UDID of the problem is complicated to explain, so it is difficult to alert users, prompting them to protest the company to resolve the issue."

No comments:

Post a Comment