Long time no see, guys. This time I will do a little study of the UDID leak from Antisec (leaked on Pastebin).


Introduction

Throughout this post, I will assume that the sample provided by Antisec is representative of the whole file; if that is not the case, some conclusions may be wrong. Moreover, I take as a hypothesis that this extract comes from a single application and not from several.

This huge text file contains 1 000 001 lines. Each line describes one device with the following fields (comma-separated):

  • UDID (What Is An iPhone UDID?)
  • APNS (token for sending push notifications)
  • Device Name
  • Device Type (iPad, iPhone, iPod touch)

Each field can be of interest, so I will describe them in turn.


UDID

First, it is important to notice that some UDIDs are listed several times. If we consider unique UDIDs only, we are facing 985 117 different devices. This can probably be explained by pre-configured iPads (some duplicates appear as "Admin" before being given another name).

I will not disclose more about the UDIDs for now, as I am still working on them. More details in a future post.


APNS tokens

The APNS tokens are used to send push notifications to a device. But knowing only the token is not enough, so this information is not very valuable on its own.


Device Type

First, it is important to note that several lines are bogus: it seems that when the Device Name contains a comma, the Device Type is missing or, even worse, the Device Name field is truncated. Since the comma is used as the field separator, this may have corrupted the extract, but only Antisec knows.

Moreover, sometimes the Device Type field contains only a version number (4.3.3, 5.0.1, etc.).

Finally, regarding the Device Type, we "only" have 998 828 correct lines.

The device breakdown (considering only correct entries) is:

  • 589 720 iPad (59% of correct lines)
  • 345 384 iPhone (35% of correct lines)
  • 63 724 iPod touch (6% of correct lines)

This seems to indicate that the information comes from an application that is well established on the iPad.


Device Name

The Device Name contains whatever the user has set. By default the Device Name is "Name_Of_The_User's iPad/iPhone/iPod touch", but a lot of users put other information there.

Beyond providing the name of the owner for the vast majority of the lines, we have:

  • around 100 people putting a phone number in case the device is lost, mostly US phone numbers, but some look French and others carry an international prefix (starting with 00)
  • 33 people identifying themselves as medical doctors ("M.D.") alongside their name (and 20 more if we count "MD")
  • around 1 200 people using a name with "Dr.", some of which are not real ("Dr. Jekyll", seriously?) but most look legit
  • 13 PhDs, maybe because, as in France, PhD students are too poor to afford iDevices ;)
  • 581 email addresses (116 gmail, 101 hotmail, 93 yahoo, 19 me.com, 7 from .edu domains and only two .fr ones)
  • 12 339 devices registered to an administrator (670 HP_Administrator and 112 Compaq_Administrator, maybe set automatically by Mobile Device Management tools). We also have 270 "administrateur" (the French flavour) and 19 HP_Administrateur (no Compaq in France? Or not with a localized name?).
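To make the counting in the Device Type and Device Name sections reproducible, here is an added example (my own code, not part of the original post or of the leak) that parses lines in the leak's four-field format, sorts correct lines from bogus ones the way described above, and tallies unique UDIDs, unique APNS tokens, the device split and the phone/email/doctor patterns. All UDIDs, tokens and names in the sample are constructed, not real devices; the regular expressions are my own loose heuristics.

```python
import re
from collections import Counter

VALID_TYPES = {"iPad", "iPhone", "iPod touch"}
VERSION_RE = re.compile(r"^\d+\.\d+(?:\.\d+)?$")        # e.g. 4.3.3 where the type should be
PHONE_RE = re.compile(r"(?:\+|00)?\d[\d .()-]{7,}\d")   # loose "call me if found" numbers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOCTOR_RE = re.compile(r"\bDr\.|\bM\.?D\b|\bPhD\b")

# Constructed sample in the leak's format: UDID,APNS token,Device Name,Device Type. Hex values
# are made up (no real devices); lines 4 and 5 mimic the corruption described in the post.
SAMPLE = [
    f"{1:040x},{'a' * 64},John's iPad,iPad",
    f"{1:040x},{'a' * 64},Admin,iPad",                     # same UDID twice (pre-configured iPad)
    f"{2:040x},{'b' * 64},Jane Doe M.D.,iPhone",
    f"{3:040x},{'c' * 64},Dr. Smith, M.D.",                # comma in the name: type lost
    f"{4:040x},{'d' * 64},Bob's iPhone,5.0.1",             # version where the type should be
    f"{5:040x},{'e' * 64},Lost? call 00 33 6 12 34 56 78,iPod touch",
    f"{6:040x},{'b' * 64},HP_Administrator,iPad",          # APNS token reused
    f"{7:040x},{'f' * 64},alice@example.com iPad,iPad",
]

def parse_line(line):
    """Split one leak line and classify it as the post sorts correct vs bogus lines."""
    fields = line.rstrip("\n").split(",")
    fields += [""] * (4 - len(fields))                    # pad truncated lines
    dtype = fields[3].strip()
    if dtype in VALID_TYPES:
        status = "ok"
    elif VERSION_RE.match(dtype):
        status = "version_only"
    else:
        status = "bogus"                                  # missing type or truncated name
    return {"udid": fields[0], "apns": fields[1], "name": fields[2], "type": dtype, "status": status}

def analyse(lines):
    """Reproduce the post's counts: uniqueness, correctness, device split and name patterns."""
    rows = [parse_line(l) for l in lines if l.strip()]
    good = [r for r in rows if r["status"] == "ok"]
    return {
        "lines": len(rows),
        "unique_udid": len({r["udid"] for r in rows}),
        "unique_apns": len({r["apns"] for r in rows}),
        "correct": len(good),
        "bad": Counter(r["status"] for r in rows if r["status"] != "ok"),
        "types": Counter(r["type"] for r in good),
        "phone": sum(1 for r in rows if PHONE_RE.search(r["name"])),
        "email": sum(1 for r in rows if EMAIL_RE.search(r["name"])),
        "doctor": sum(1 for r in rows if DOCTOR_RE.search(r["name"])),
    }
```

Running `analyse` over the real file (one line per list element) gives the same kind of figures as above; on the constructed sample it reports 8 lines, 7 unique UDIDs, 6 unique tokens and 6 correct lines.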


Conclusion

This was a quick study of the leak (and I am still looking into a few things, particularly the UDIDs).

Feel free to comment!

Update: APNS tokens appear not to be unique either; after sorting we only have 992 971 unique APNS tokens. UDIDs can be used for a nasty thing: installing ad-hoc apps.