iOS Version – what info does it reveal?

Scrolling through Twitter this evening, I came across this.

It reminded me of when the NSA released Ghidra, but from the people who brought us Mulder and Scully. I love Mulder and Scully.

Having been playing around to see who apps are talking to, this seemed like a good one.

I downloaded the app. It did not ask for permission to use anything on my phone. Before I could use it, I needed to agree to their rather simple privacy statement (there was also a health statement that was a bit longer above).

So, according to this, info is only stored on my phone and not transmitted to, or saved by, the F B I (say it like Mulder).

They also wanted me to tell them my sex. I could change that at any time.

Then I tried to do the sit up challenge. Okay, I moved it like a shake weight in my arm, but did the challenge to see what happened.

This was a very limited test, but the app is rather limited, so I stopped there.

What did I find?

First, the app did talk. It didn’t talk to the FBI. It did talk to the folks the FBI hired out to make the app.

So, what did it send this oh so trusting app developer who provides stats for all tiers of the apps?

Really, not that much exciting stuff. It did use a hardware identifier that I cannot identify from my device, but it did use this in each post to the developer.

{
    "os": {
      "name": "ios",
      "version": "13.3.1"
    },
    "hardware": {
      "id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
      "name": "iPhone9,1",
      "arch": "arm64"
    }

It also noted when I started the situps test, but nothing really more exciting than that.

    "app": "bd1eca37-c244-4ebf-9999-50dfa4fc62e7",
    "id": "1D42EEBB-5E74-4D66-A79F-A653AD407E3B",
    "event": "iphone.Sit-Ups Test Started.",
    "data": {
      "sdk_version": "8.0.2",
      "app_name": "FitTest",
      "timezone": -300,
      "app_id": "com.fbi.fittest"
    },
    "hardware": {
      "id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
      "name": "iPhone9,1",
      "arch": "arm64"
    },

It didn’t send my chosen sex at any time. It didn’t even send how awesome I was when I finished my “situps”. It just moved onto the next screen I looked at and did this for each screen.

I didn’t leave it running in the background and keep seeing what was happening. I didn’t do any big isolation tests and didn’t install on an android device to see what happens, so this really isn’t very complete.

What I do know though is my daily yoga app that I love and pay for talks to more places just when I start it up than this app did when I gave it a quick run through.

Would I use the app? No. Out of privacy concerns? No.

How did I catch the data? That’s here.

Thanks!

I’m always interested in where my data is going. Who is using it? What data is being collected?

I use my phone a lot more than I use my (shiny new) computer, so it made sense for me to see what data it is spilling. I also use an iPhone, so this can surely be ported to Android. I just don’t have the resources to do that.

What’s my goal?

  • I want to see what data my apps are sending and to where.
  • I want to be able to do this with tools I have on hand.

What do I need to achieve this goal?

First off. I do not need to buy an ASA on craigslist so I can monitor all the traffic. Yes, it’s fun. Yes it’s cool to see. But for my house, it’s overload and we have adequate heating. So, let’s not do that again. Okay, now that’s out of the way.

  • an iDevice with an app whose traffic we want to see
  • a proxy
    • We will use Zap. Zap comes on Kali, or download it to your favorite platform.
  • the iDevice configured to use the proxy and accept the certificate

The Setup

We need to set up Zap to proxy our data as well as capture SSL traffic since most apps use https to make their calls.

Under Tools –> Options –> Local Proxy, let’s make sure the additional proxy is set to all interfaces (0.0.0.0) and a different port than the localhost port. I have it set to 8082. Listening on 0.0.0.0 is what lets the phone reach the proxy over Wi-Fi; it also means anything else on that network can reach it, so only do this on a network you trust.

additional proxies to 0.0.0.0:8082

While in the options, let’s choose the Dynamic SSL Certificates and save that to the computer. We will need this in a few.

With this, we will be able to use apps and see the data being passed.

Device Setup

To get an iDevice to trust a cert we need to load it on the device and make some changes. The good thing is they don’t make this so simple that it can happen by accident.

I will fire up Apple Configurator 2 then select File –> New Profile.

I will give it a name and an identifier.

Next I will give it the cert we made with Zap. This cert won’t be trusted, and that’s okay. We will take care of that in a bit.

Leave everything else as is and save it. It will save as a Configuration Profile file.
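The author builds the profile in Apple Configurator 2. As an added example (not from the original post, and not part of ZAP or Apple's tooling), here is the same Configuration Profile built by hand in Python: a `.mobileconfig` is just an XML plist with one `com.apple.security.root` payload carrying the CA certificate in DER form. The profile name and identifier are placeholders, and the "certificate" in the sample input is constructed bytes rather than a real cert. One point worth seeing in code: only the CERTIFICATE block of the exported PEM is used, so if the export file also contains the private key, that key never ends up in the profile you AirDrop to the phone.

```python
import base64
import plistlib
import re
import uuid

# Matches the CERTIFICATE block of a PEM file, and only that block.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_certificate_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.

    Other blocks (for example a PRIVATE KEY written into the same export
    file) are ignored, so they cannot leak into the profile.
    """
    match = _CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM text")
    body = "".join(match.group(1).split())  # strip newlines and indentation
    return base64.b64decode(body, validate=True)


def build_root_cert_profile(der_cert: bytes, display_name: str, identifier: str,
                            cert_filename: str = "root-ca.cer") -> bytes:
    """Build a .mobileconfig (XML plist) that installs one root certificate."""
    cert_payload = {
        "PayloadType": "com.apple.security.root",   # root CA certificate payload
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.root-ca",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": cert_filename,
        "PayloadContent": der_cert,                  # bytes become a <data> element
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadDescription": "Proxy root CA for inspecting this device's own traffic.",
        "PayloadRemovalDisallowed": False,           # keep it removable; this is a temporary setup
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile)


def inspect_profile(profile_bytes: bytes) -> dict:
    """Parse a profile back and summarise what it would install (a sanity check before sending it)."""
    prof = plistlib.loads(profile_bytes)
    payloads = prof["PayloadContent"]
    return {
        "identifier": prof["PayloadIdentifier"],
        "payload_types": [p["PayloadType"] for p in payloads],
        "cert_sizes": [len(p["PayloadContent"]) for p in payloads
                       if p["PayloadType"] == "com.apple.security.root"],
        "removable": not prof.get("PayloadRemovalDisallowed", False),
    }


# Constructed sample input: NOT a real certificate, just bytes in PEM armour,
# plus a PRIVATE KEY block that must stay out of the profile.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
      "-----BEGIN PRIVATE KEY-----\n"
    + base64.encodebytes(b"constructed-placeholder-private-key").decode()
    + "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    der = pem_certificate_to_der(SAMPLE_PEM)
    blob = build_root_cert_profile(der, "Proxy Root CA (lab)", "dev.example.proxy-root-ca")
    with open("proxy-root-ca.mobileconfig", "wb") as fh:  # hypothetical output name
        fh.write(blob)
    print(inspect_profile(blob))
```

Run it against the PEM you saved from ZAP instead of the constructed sample, AirDrop the resulting `.mobileconfig`, and the rest of the steps (install, then enable it under Certificate Trust Settings) are the same as with the Configurator-built profile; installing the profile alone still does not make iOS trust the CA.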

We are getting close to the fun part.

Transfer the file to the iDevice. I used AirDrop after emailing it to myself.

If you can’t AirDrop it, go for email or put it in Dropbox. When you get the file it should prompt you to install the profile.

In Settings, choose Profile Downloaded.

Install the Profile. It will warn you a few times. Read through the more details to see what’s happening. Always a good idea when following directions from the Internet.

You will get to the profile being installed. Click Done.

Trust

Now we need to trust the certificate. Just because it’s there, doesn’t mean we trust it. Navigate to the About section in Settings, then scroll to the bottom to get to Certificate Trust Settings.

Enable the certificate that was presented and choose to continue.

Setting the Proxy

For all of this to work, we need to set the proxy for the network we are on.

Open the settings for the Wifi network. This is specific to the network you are on. It will not proxy when on cellular or at your friend’s house or Starbucks.

It’s here that we set the proxy to the Zap server and port.

Click Save and we are ready to look at the data.

Viewing the data

Head on back to Zap and open up an app to see where the data is flowing.

One of the things I really like about Zap is that it groups the data by sites, so I can look to see what data is going where.

We can see we are getting https traffic and can decrypt the traffic just from woot here. We can see domains, requests, and responses.

Zap will let you manipulate this data to see what happens. That is for someone else’s blog post today.

An added bonus is seeing all the places that the app is sharing your data with and setting up a Pi-hole server to get rid of all that sharing your favorite weather app does.
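Two things on this page are worth automating once the capture is in hand: the per-site grouping Zap gives you, and the observation from the FitTest post that the same hardware identifier rode along in every post to the developer. As an added example (mine, not code from the original post or from ZAP), the script below reads a capture in HAR shape (a format ZAP can export), counts requests per host, and reports every UUID-shaped identifier together with the hosts that received it; an identifier sent to more than one host is the one that lets separate receivers link the same device. The sample capture at the bottom is constructed, with placeholder hosts and identifiers.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# UUID-shaped tokens are the usual form of device/install identifiers in analytics payloads.
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def _strings_in(value):
    """Yield every string inside a parsed JSON value, recursively (keys included)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield key
            yield from _strings_in(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings_in(item)


def _request_text(entry: dict) -> str:
    """Everything in one HAR entry's request worth scanning: the URL plus the body."""
    req = entry["request"]
    text = req.get("url", "")
    body = (req.get("postData") or {}).get("text") or ""
    try:
        text += " " + " ".join(_strings_in(json.loads(body)))
    except ValueError:          # not JSON (or empty): scan the raw body instead
        text += " " + body
    return text


def requests_per_host(har: dict) -> dict:
    """Count requests by destination host: Zap's Sites tree, as a table."""
    counts = Counter()
    for entry in har["log"]["entries"]:
        counts[urlsplit(entry["request"]["url"]).hostname] += 1
    return dict(counts)


def identifiers_per_host(har: dict) -> dict:
    """Map each UUID-shaped identifier (upper-cased) to the sorted hosts it was sent to."""
    seen = defaultdict(set)
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        for ident in UUID_RE.findall(_request_text(entry)):
            seen[ident.upper()].add(host)
    return {ident: sorted(hosts) for ident, hosts in seen.items()}


def shared_identifiers(har: dict) -> list:
    """Identifiers that reached more than one host: these link the device across receivers."""
    return sorted(i for i, hosts in identifiers_per_host(har).items() if len(hosts) > 1)


# Constructed sample capture in HAR shape (placeholder hosts and identifiers, not a real export).
_DEVICE_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://metrics.example.net/v1/events",
                 "postData": {"mimeType": "application/json", "text": json.dumps(
                     {"event": "app.Opened", "hardware": {"id": _DEVICE_ID, "name": "iPhone9,1"}})}}},
    {"request": {"method": "POST", "url": "https://metrics.example.net/v1/events",
                 "postData": {"mimeType": "application/json", "text": json.dumps(
                     {"event": "test.Started", "hardware": {"id": _DEVICE_ID}})}}},
    {"request": {"method": "GET",
                 "url": f"https://api.example.org/config?device={_DEVICE_ID}"
                        "&session=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}},
]}}

if __name__ == "__main__":
    import sys
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    print("requests per host:", requests_per_host(har))
    print("identifiers per host:", identifiers_per_host(har))
    print("shared across hosts:", shared_identifiers(har))
```

Point it at an exported HAR (`python har_ids.py capture.har`) and the last line of output is the list to chase: each of those identifiers is a value worth checking against the app's privacy statement.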

Cleanup

We don’t always want our data going through the proxy. Some places are more finicky than others and will give weird results, so when done, always take the time to clean up: undo the proxy settings and disable the trust in your certificate.

These can be turned back on later when doing some more app reviews.

For a bit I was writing down the tools I had been working with and making. And then my blog blew up. Or more literally locked up and I lost the data because it was all on a dev machine that I didn’t care that much about.

I didn’t really stop working on things, but didn’t write much about it.

Then yesterday I had an idea. It wasn’t an original idea. It was really a how can I make that so I can use it and not need to install more software.

I came across this tool in a tweet. https://github.com/hakluke/hakcheckurl Written in Go, it checks on URLs, looks like it spiders and gets status codes for the URLs. Cool I thought. Go I thought.

Can I do it in python (I thought)? I played around. I looked around. I really didn’t want to rewrite a crawler. Lazy I know, but it’s my project and time.

New Direction

Sites have places they don’t want crawled. They put these places in a file in hopes that crawlers will respect this and not look there.

Most of these files/folders will be benign (style folders, images taken out of context), but some can help out people looking for vulnerabilities.

So, why not work out a way to take a look at them solo or in batches of sites?

talkToRobots

Or as Gabe calls it, Skynet. It’s available at my github repo.

talking to a robot
https://github.com/m0nkeyplay/talkToRobots

So, what can it do?

Right now it’s pretty simple. Choose from one site or provide a list of sites and we will go check if they have a robots.txt file and log that data for review.

I’m hoping to add the ability to switch between http and https for a site if one doesn’t show results soon. The thought of piping the disallows to be followed and seeing what’s there has also crept into my mind.

Download it. Give it a spin. Give it a whirl. Please help me improve it.
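To go with the tool described above, here is an added example (mine, not code from the talkToRobots repo) of the pieces it needs once a robots.txt has been fetched: a small parser that groups Disallow/Allow lines by user-agent and collects Sitemap lines, an allowed-or-not check built on the standard library's `urllib.robotparser`, and a fetch helper that tries https first and falls back to http, which is the switch the post says it hopes to add. The robots.txt at the bottom is constructed; the fetch helper needs a network and is not exercised by the sample run.

```python
from urllib.error import URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen
from urllib.robotparser import RobotFileParser


def parse_robots(text: str) -> dict:
    """Group rules by user-agent.

    Consecutive User-agent lines form one group and share the rules that follow;
    a User-agent line after a rule starts a new group (the usual robots.txt convention).
    """
    agents_rules, sitemaps = {}, []
    group, last_was_rule = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if last_was_rule:
                group = []
            agent = value.lower()
            group.append(agent)
            agents_rules.setdefault(agent, [])
            last_was_rule = False
        elif field in ("disallow", "allow"):
            for agent in group:
                agents_rules[agent].append((field, value))
            last_was_rule = True
        elif field == "sitemap":
            sitemaps.append(value)
    return {"agents": agents_rules, "sitemaps": sitemaps}


def disallowed_paths(parsed: dict, agent: str = "*") -> list:
    """Paths the given agent is asked to stay out of, in file order."""
    return [path for kind, path in parsed["agents"].get(agent, []) if kind == "disallow" and path]


def is_allowed(robots_text: str, agent: str, path: str) -> bool:
    """Ask the standard-library parser whether `agent` may fetch `path` under this robots.txt."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp.can_fetch(agent, path)


def fetch_robots(site: str, timeout: float = 10.0):
    """Fetch /robots.txt over https, then http; returns (url, status, text) or None. Needs a network."""
    host = urlsplit(site).netloc if "://" in site else site
    for scheme in ("https", "http"):
        url = f"{scheme}://{host}/robots.txt"
        try:
            req = Request(url, headers={"User-Agent": "talkToRobots-example"})  # hypothetical UA string
            with urlopen(req, timeout=timeout) as resp:
                return url, resp.status, resp.read().decode("utf-8", "replace")
        except (URLError, OSError, ValueError):
            continue
    return None


# Constructed sample robots.txt (not from any real site).
SAMPLE_ROBOTS = """# constructed sample
User-agent: *
Disallow: /css/
Disallow: /images/
Allow: /images/public/

User-agent: examplebot
User-agent: otherbot
Disallow: /

Sitemap: https://www.example.com/sitemap.xml
"""

if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    print("disallowed for *:", disallowed_paths(parsed))
    print("sitemaps:", parsed["sitemaps"])
    print("* may fetch /about:", is_allowed(SAMPLE_ROBOTS, "*", "/about"))
```

One caveat on `is_allowed`: `urllib.robotparser` applies the first matching rule in file order rather than the longest match, so an `Allow:` that is meant to carve an exception out of an earlier `Disallow:` is only honoured if it comes first in the file.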

When I was my son’s age we heard about the horrors of Vietnam.  It was odd.  It was abstract.  I was a child.

I grew a bit and was then afraid of a nuclear war.  We were told there was a real chance.  99 red balloons.

Some lights shone through.  I remember Genesis and their promises with the Land of Confusion.  I remember Reagan yelling at Russia.

Shitty things were happening at home.  I spent some teenage years in the Midwest.

I went to see Neil Young and Crazy Horse at the onset of Desert Storm with my foster brothers and a teacher in my alternative high school.

Finish grad school and nurse a hangover from my best friend’s wedding as I make my way back to work on September 11.

Leave work that day and there are tanks on the corners around every Metro station.

Twenty Fucking Years later – we are still there.

Twenty Fucking Years later my kid is my age when I heard about the horrors of Vietnam.  They have to be as confused as I was.  Fuck, I am still confused.

Forty years later and I am still a pacifist.  There is always a better way.

peace

This year I have been able to go to a bunch of conferences.  There was BRRCon, and DefCon and even Tenable Edge (vendor con where I can’t find the link to anymore).  This week – BSidesMSP.


I wrote about all of the other cons, pro and con, in my previous, non-backed-up, lost-to-too-much-futzing-around dev blog.  Because that’s what dev blogs are for.

The big difference between the other three and this one is, this time I didn’t just attend.  I was a first time con speaker and a volunteer at the DC612 lock pick table.  I got to do it all!


I was given a cool Bowling/Gas Station Attendant shirt for speaking.  Also, I was an attendee.

The organizer and the event volunteers were amazing.  Being there the night before to help setup was great.  I got to meet people who were working and learn the layout of the land.

Day one was keynotes, then I was manning the lock pick table.  Before I got to the table I was stopped by a gentleman while I was walking.  He called my name.  I didn’t know him.  Then I realized my name was on my shirt.  Damn, OSINT!

Turns out he works for the vendor I was going to talk smack speak about the next day.  We communicated on the community forums and he was able to help out with some script writing I had been working on a while back.  It was great!  I got to meet someone from the internet and it wasn’t creepy like it was in the early 00s.

We hung out.  We picked some locks.  He said he’d be at the talk the next day and not heckle Gabe or me.  I appreciated that, and was happy we’d have at least one person in the audience.

I was able to get to Harvesting Botnets for Unusual Data where I got a great high level overview of what researchers are doing to follow the information and how these botnets work as a network.

Day 1 Ends – say good bye to new friends and hit Minneapolis traffic.  Ah, so glad I work from home.

Day 2 I was able to attend more presentations and the CTF started too.  The lock pick table was a part of the CTF and I lent my magic box from DefCon as a challenge.

At BrrCon I saw an excellent talk by Yolonda Smith on working with developers.  To totally break the talk down to one sentence, it was about communication.

Day 2 brought Can You Hear Me?  presented by Jessica Schalz, again about communication in what we do.

I’m noticing a theme here.  In our world where people talk over twitter and there is so much information, simple communication can go a long way. There was a great talk about Top Gun from Jason Blanchard at Black Hills Info Security.  Or was it about persuading people?  I think that’s what it was about.

Kat did an awesome presentation showing us all how secure people’s computers in the cloud are.

Then it was time for Gabe and me.

I was happily surprised at the number of people in the room who were using Nessus.  It made me hopeful that the work we had done can help or give some people ideas on how to work around all the issues we ran into.  Hopefully people will find the tools helpful.

The crowd was smaller than the other talks I went to.  The crowd was also much more homogeneous.  Most of the crowd looked like me.  Maybe with some more hair, but looked like me.  I mention this because this isn’t what I saw when I was walking the con.  Here and at BrrCon there was an array of people and viewpoints, just not at my talk.

I had to skip out early right after my talk when my kid got sick, so I didn’t get to the after party, but like BrrCon and unlike DefCon, I walked away from this with a really good feeling about the people and the industry I chose to enter.

People want to learn.  People want to make things good.  People want to include people. People want people to succeed.

I can keep supporting that!


So, I went to Defcon27 – and made a blog post about it. Then I did something to the web site that blew away the backend database so I couldn’t see it anymore. Then I made it worse, and decided to start over here, where I don’t need to back things up.

That’s the short story of it.

All old posts from themonkeyplayground.dev – gone…