Penetration Testing for iPhone Applications- Part 2
By Satish B.
In the first part of this article, we discussed the iPhone application traffic analysis. In this part, we will take a look at the privacy issues and the application local data storage. Privacy issues Every iPhone has an associated unique device Identifier derived from a set of hardware attributes called UDID. UDID is burned into the device and one cannot remove or change it. However, it can be spoofed with the help of tools like UDID Faker. UDID of the latest iPhone is computed with the formula given below – UDID = SHA1(Serial Number + ECID + LOWERCASE (WiFi Address) + LOWERCASE(Bluetooth Address)) UDID is exposed to application developers through an API which would allow them to access the UDID of an iPhone without requiring the device owner’s permission. The code snippet shown below is used to collect the UDID of a device, later which can used to track the user’s behavior