Penetration testing part2 English | Size: 2.47 GB Category: HACKING
Every iPhone has an associated unique device identifier, called the UDID, which is derived from a set of hardware attributes. The UDID is burned into the device and cannot be removed or changed. However, it can be spoofed with the help of tools like UDID Faker.

The UDID of the latest iPhone is computed with the following formula:

    UDID = SHA1(Serial Number + ECID + LOWERCASE(WiFi Address) + LOWERCASE(Bluetooth Address))
The UDID is exposed to application developers through an API that allows them to read the UDID of an iPhone without requiring the device owner's permission. The code snippet shown below is used to collect the UDID of a device, which can later be used to track the user's behavior.

    UIDevice *device = [UIDevice currentDevice];  // the device the app is running on
    NSString *uniqueIdentifier = [device uniqueIdentifier];  // UDID, returned without asking the owner

Current research shows that, with the help of the UDID, it is possible to observe the user's browsing patterns and trace the user's geolocation. Because the user's exact location can be determined with the help of a device UDID, it became a big privacy concern. More possible attacks are documented in Eric Smith's iPhone application privacy issues whitepaper. Eric's research shows that 68% of applications silently send UDIDs to servers on the internet. A perfect example of a serious privacy security breach is the social gaming network OpenFeint.
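The following is an added example, not code from the original page: a Python audit helper that derives a test device's UDID with the formula above and flags captured application requests that carry it, either raw or as a simple MD5/SHA1 digest. The device attributes, host names and request lines are constructed, and concatenating the attributes as plain ASCII strings is an assumption about how the formula's inputs are encoded.

```python
import hashlib

def compute_udid(serial, ecid, wifi_mac, bt_mac):
    """UDID = SHA1(serial + ECID + lowercase(WiFi) + lowercase(Bluetooth))."""
    # Assumption: inputs are concatenated as ASCII strings exactly as given.
    material = serial + ecid + wifi_mac.lower() + bt_mac.lower()
    return hashlib.sha1(material.encode("ascii")).hexdigest()

def udid_forms(udid):
    """The raw UDID plus simple digests an app might transmit instead."""
    raw = udid.encode("ascii")
    return {
        "raw": udid,
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }

def find_udid_leaks(udid, requests):
    """Return (host, form) for every captured request that carries the UDID."""
    forms = udid_forms(udid)
    leaks = []
    for host, payload in requests:
        body = payload.lower()  # hex identifiers may be sent in upper case
        for form, value in forms.items():
            if value in body:
                leaks.append((host, form))
    return leaks

# Constructed attributes of a test device (not real hardware values).
DEVICE = {
    "serial": "TESTSERIAL01",
    "ecid": "000001234567",
    "wifi_mac": "00:1A:2B:3C:4D:5E",
    "bt_mac": "00:1A:2B:3C:4D:5F",
}
UDID = compute_udid(**DEVICE)

# Constructed request lines, as exported from an intercepting proxy.
CAPTURED = [
    ("ads.example.com", "GET /track?udid=" + UDID.upper() + "&app=game"),
    ("stats.example.net", "POST /v1/event id=" + udid_forms(UDID)["md5"]),
    ("api.example.org", "GET /weather?city=paris"),
]

if __name__ == "__main__":
    for host, form in find_udid_leaks(UDID, CAPTURED):
        print(f"{host}: UDID sent ({form})")
```

Matching only the raw value and two unsalted digests is a starting point; an application that salts or encrypts the identifier before sending it will not be flagged.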