iOS Version – what info does it reveal?

I was scrolling through Twitter this evening and came across this.

It reminded me of when the NSA released Ghidra, but from the people who brought us Mulder and Scully. I love Mulder and Scully.

Having been playing around to see who apps are talking to, this seemed like a good one.

I downloaded the app. It did not ask for permission to use anything on my phone. Before I could use it, I needed to agree to their rather simple privacy statement (there was also a health statement that was a bit longer above).

So, according to this, info is only stored on my phone and not transmitted to, or saved by, the F B I (say it like Mulder).

They also wanted me to tell them my sex. I could change that at any time.

Then I tried to do the sit up challenge. Okay, I moved it like a shake weight in my arm, but did the challenge to see what happened.

This was a very limited test, but the app is rather limited, so I stopped there.

What did I find?

First, the app did talk. It didn’t talk to the FBI. It did talk to the folks the FBI hired out to make the app.

So, what did it send this oh-so-trusting app developer who provides stats for all tiers of the apps?

Really, not that much exciting stuff. It did use a hardware identifier that I cannot identify from my device, but it did use this in each post to the developer.

{
    "os": {
      "name": "ios",
      "version": "13.3.1"
    },
    "hardware": {
      "id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
      "name": "iPhone9,1",
      "arch": "arm64"
    }

It also noted when I started the situps test, but nothing really more exciting than that.

    "app": "bd1eca37-c244-4ebf-9999-50dfa4fc62e7",
    "id": "1D42EEBB-5E74-4D66-A79F-A653AD407E3B",
    "event": "iphone.Sit-Ups Test Started.",
    "data": {
      "sdk_version": "8.0.2",
      "app_name": "FitTest",
      "timezone": -300,
      "app_id": "com.fbi.fittest"
    },
    "hardware": {
      "id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
      "name": "iPhone9,1",
      "arch": "arm64"
    },

It didn’t send my chosen sex at any time. It didn’t even send how awesome I was when I finished my “situps”. It just moved on to the next screen I looked at and did this for each screen.
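The two checks described above can be run over captured POST bodies, as in this added example (not code from the original post or from the app's developer): it lists UUID-shaped values that repeat unchanged in every event and searches every field for values typed into the app. The second event, its `id`, and the canary value `female` are constructed for illustration.

```python
import json
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample: two POST bodies modelled on the fields shown above.
# The second event name, its "id" and the completed structure are assumptions.
HW = {"id": "A444626E-0AC8-4951-B70C-FD6E6240967F", "name": "iPhone9,1", "arch": "arm64"}
APP = "bd1eca37-c244-4ebf-9999-50dfa4fc62e7"
CAPTURED = [
    json.dumps({"app": APP, "id": "1D42EEBB-5E74-4D66-A79F-A653AD407E3B",
                "event": "iphone.Sit-Ups Test Started.",
                "data": {"app_name": "FitTest", "timezone": -300}, "hardware": HW}),
    json.dumps({"app": APP, "id": "00000000-0000-4000-8000-000000000002",
                "event": "iphone.Example Screen Viewed.",
                "data": {"app_name": "FitTest", "timezone": -300}, "hardware": HW}),
]

def leaves(obj, path=""):
    """Yield (dotted.path, value) for every scalar in a decoded JSON body."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaves(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from leaves(val, f"{path}[{i}]")
    else:
        yield path, obj

def stable_identifiers(bodies):
    """UUID-shaped values identical in every body: these link events together."""
    per_event = [dict(leaves(json.loads(b))) for b in bodies]
    common = set(per_event[0]).intersection(*per_event[1:])
    return {p: per_event[0][p] for p in sorted(common)
            if UUID_RE.match(str(per_event[0][p]))
            and all(e[p] == per_event[0][p] for e in per_event)}

def entered_value_hits(bodies, entered):
    """(event index, path) wherever a value typed into the app shows up."""
    wanted = [v.lower() for v in entered]
    return [(i, p) for i, b in enumerate(bodies)
            for p, v in leaves(json.loads(b))
            if any(w in str(v).lower() for w in wanted)]

if __name__ == "__main__":
    print(stable_identifiers(CAPTURED))
    print(entered_value_hits(CAPTURED, ["female"]))  # constructed canary value
```

A value that is constant within one capture may be per-app rather than per-device; comparing captures from a second device or a reinstall separates the two.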

I didn’t leave it running in the background and keep seeing what was happening. I didn’t do any big isolation tests and didn’t install on an Android device to see what happens, so this really isn’t very complete.

What I do know, though, is my daily yoga app that I love and pay for talks to more places just when I start it up than this app did when I gave it a quick run through.

Would I use the app? No. Out of privacy concerns? No.

How did I catch the data? That’s here.

Thanks!