Gave a bribe? Catch the top ten. Analyzing the Bribr iPhone App
Bribr is an independent project to collect statistics on bribes in Russia received from citizens. Users themselves indicate the size of the bribe by clicking on the “I gave a bribe” button and filling out the form. According to the main page of the application, from September 24, 2012, users gave bribes for 1,429,550 rubles. These actions for giving a bribe are regulated by Article 291 of the Criminal Code of the Russian Federation and are punished seriously (up to 12 years imprisonment). Service guarantees the anonymity of the information. But is it really?
After reading the article “Gave a bribe - check in” on the main page of the Big City site, I was wondering how truly anonymous the information is.
What needs to be done to anonymously confess to giving a bribe?
')
These four simple actions can lead you to jail.
What you need to check:
Macbook, Charles proxy app for Mac, iPad and iPhone, Bribr app
1. In Charles
Proxy-> Proxy Settings
Enable SSL proxying and specify the address of the service api.bribr.org
Find out the IP address in the terminal and specify it in the proxy settings in the iPad
2. On the iPad, specify the Proxy
Run the application Bribr.
3. In Charles we look at the log and what we see. When launching the application and requesting statistics on the number of bribes, an unknown device identifier and model are transmitted on the api.bribr.org website.
The most interesting are the following query parameters:
X-api-key the-dark-side-of-the-moon
X-Device-ID 4939a528a47f7237dd7b26cd9d1f3c9396f76896
X-Device-Model iPad
The device ID does not match the UDID, OpenUDID, and ODIN-1, and is probably a closed hash by UDID, judging by the 40 numerical sequence.
On the iPhone, the situation is the same, but the Device-ID and Device-Model are different.
I invite you to further research this anonymous API.
Conclusion:
When your device gets into the zone of interest of law enforcement, then, sending a test bribe from your phone, you can compare with what you sent earlier. Here is such anonymity. There is no anonymity.
UPD:
1) The first time the article was deleted by the administration after mentioning the company of the developer, the name of the company I deleted
2) to research the X-Device-ID, here is the UDID of my iPad 3fd35bfd60011429307e4fca1ee52d9c68735617
After reading the article “Gave a bribe - check in” on the main page of the Big City site, I was wondering how truly anonymous the information is.
What needs to be done to anonymously confess to giving a bribe?
')
- Install the free app from the Appstore
- Press the button "I gave a bribe" with an exclamation mark
- Fill in the form “How much, to whom, for what, on the map”. On this screen there is an inscription that "all information is completely anonymous"
- Click the "Submit" button.
These four simple actions can lead you to jail.
What you need to check:
Macbook, Charles proxy app for Mac, iPad and iPhone, Bribr app
1. In Charles
Proxy-> Proxy Settings
Enable SSL proxying and specify the address of the service api.bribr.org
Find out the IP address in the terminal and specify it in the proxy settings in the iPad
2. On the iPad, specify the Proxy
Run the application Bribr.
3. In Charles we look at the log and what we see. When launching the application and requesting statistics on the number of bribes, an unknown device identifier and model are transmitted on the api.bribr.org website.
The most interesting are the following query parameters:
X-api-key the-dark-side-of-the-moon
X-Device-ID 4939a528a47f7237dd7b26cd9d1f3c9396f76896
X-Device-Model iPad
The device ID does not match the UDID, OpenUDID, and ODIN-1, and is probably a closed hash by UDID, judging by the 40 numerical sequence.
On the iPhone, the situation is the same, but the Device-ID and Device-Model are different.
I invite you to further research this anonymous API.
Conclusion:
When your device gets into the zone of interest of law enforcement, then, sending a test bribe from your phone, you can compare with what you sent earlier. Here is such anonymity. There is no anonymity.
UPD:
1) The first time the article was deleted by the administration after mentioning the company of the developer, the name of the company I deleted
2) to research the X-Device-ID, here is the UDID of my iPad 3fd35bfd60011429307e4fca1ee52d9c68735617
Source: https://habr.com/ru/post/154273/
All Articles