New Zealand Hacker
Aldo Cortesi (@cortesi
) published a great article showing yet another vulnerability associated with mobile devices and the data they share: De-anonymizing Apple UDIDs with OpenFeint
. Using a tool he wrote himself that executes a man-in-the-middle attack against SSL
) encrypted traffic, he was able to deconstruct traffic from his Apple iPhone to various application providers. For his write up, he chose OpenFeint
which boasts a 75M user base.
Man-in-the-Middle Attack: Alice and Bob believe they have a secure connection; however, Mallory has injected herself into the stream and can view the conversation. For the purposes of this post: Alice is your iPhone, Mallory is Aldo, and Bob is OpenFeint's servers. Photo from Wikipedia.
Aldo set out to examine the Application Programming Interfaces (API
) and the data that was passed back and forth, specifically concentrating on the Unique Device Identifier (UDID) of an Apple device and how it could be associated (or linkable) to other identifying data sets. His results were not wholly unsurprising -- given the increased inter-connectivity of the world more and more data sets are being linked together. Aldo demonstrated a linkability between UDID and GPS coordinates, exposing a geolocation privacy risk
to the person who carries the device. He also demonstrated a linkability to facebook profiles and profile pictures. Legitimate privacy risks?
OpenFeint users had to opt-in to the connection to facebook -- they, ideally, should have known what data could be transferred back and forth. OpenFeint only serves up an image through the Facebook Content Distribution Network (CDN
); however, the CDN embeds the Facebook profile ID into the image URL thus giving the information needed to link back to a profile & a name.
The GPS data linkage is simply annoying. Why does a game provider need GPS data? Why does it need to store it and why is returned through API calls?
Well the only person that can see this data is me...right? Wrong.
The largest risk is that OpenFeint is returning all of this data unauthenticated
. Anyone can query, based on a UDID, and get this information back. That is a huge privacy risk
, as it exposes a user's information to any Mallory on the internet.
More and more data is being generated every day. New platforms, services, and communication methods are being developed. As companies strive to capture market share they will most likely neglect stupidly trivial things -- like authentication(!) -- in order to get to market before their competition. This won't stop, but there will always be a hacker in the background to keep the company honest in how they handle our data. Kudos.