I spy on iPhone

I decided to investigate which URLs the iPhone accesses when you use the various embedded applications. To capture the requests I simply set up a Squid proxy on the same local WiFi network and configured the iPhone to proxy all network connections through it.

Below are the results:

Safari – Yahoo! Search:

GET http://m.yahoo.com/apple/onesearch?pintl=en_gb&p=foobar&pcarrier=O2+-+UK&pmcc=234&pmnc=10

(note the carrier name and network code are included in the search request)

Safari – Google Search:

GET http://www.google.co.uk/search?q=foobar&ie=UTF-8&oe=UTF-8&client=safari

Yahoo! Weather:

POST http://iphone-wu.apple.com/dgw?imei=REMOVED&apptype=weather

Yahoo! Stocks:

POST http://iphone-wu.apple.com/dgw?imei=REMOVED&apptype=finance

Google Maps:

POST http://iphone-wu.apple.com/glm/mmap
CONNECT iphone-maps.apple.com:443

iTunes Store:

GET http://phobos.apple.com/bag.xml
GET http://ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore.woa/wa/storeFront
GET http://ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore.woa/wa/viewTopTensList


YouTube:

GET http://iphone-wu.apple.com/feeds/standardfeeds/most_viewed?start-index=1&max-results=25&format=2,3&client=ytapi-apple-iphone&time=all_time
GET http://iphone-wu.apple.com/feeds/standardfeeds/recently_featured?start-index=1&max-results=25&format=2,3&client=ytapi-apple-iphone
GET http://img.youtube.com/vi/
CONNECT www.google.com:443

It is interesting to note that most traffic is proxied via Apple’s servers – anyone say single point of failure? The reference to IMEI in the Weather and Stocks requests has been discussed at length in other forums before. This is a misnomer; the reference is believed to be just a GUID.

What is more interesting (or worrying!) is the mysterious encrypted connection to http://www.google.com (SSL port 443) whenever YouTube is accessed. I wonder what data is being shared here – and why?
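The check done by eye above can be run over a whole proxy capture. The following is an added example, not part of the original post: it scans request lines in the "METHOD URL" form listed above for query parameters that identify the device or carrier, and lists CONNECT tunnels whose contents the proxy cannot see. The `audit` function and the watchlist of parameter names are assumptions made for illustration; the sample lines are copied from the post.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as device- or carrier-identifying. The list is an
# assumption built from the requests shown in the post; extend it as needed.
IDENTIFYING_PARAMS = {"imei", "pcarrier", "pmcc", "pmnc"}

# Request lines in the "METHOD URL" form used in the post (copied from it).
SAMPLE = """\
GET http://m.yahoo.com/apple/onesearch?pintl=en_gb&p=foobar&pcarrier=O2+-+UK&pmcc=234&pmnc=10
GET http://www.google.co.uk/search?q=foobar&ie=UTF-8&oe=UTF-8&client=safari
POST http://iphone-wu.apple.com/dgw?imei=REMOVED&apptype=weather
POST http://iphone-wu.apple.com/glm/mmap
CONNECT iphone-maps.apple.com:443
"""

def audit(request_lines):
    """Return (identifying, opaque): query parameters that identify the
    device or carrier, and hosts reached through CONNECT tunnels whose
    contents the proxy cannot see."""
    identifying, opaque = [], []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        method, target = parts[0].upper(), parts[1]
        if method == "CONNECT":
            # CONNECT carries host:port only; the payload is TLS.
            opaque.append(target.rsplit(":", 1)[0])
            continue
        url = urlsplit(target)
        # parse_qsl also URL-decodes values ("O2+-+UK" becomes "O2 - UK").
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in IDENTIFYING_PARAMS:
                identifying.append((url.hostname, name, value))
    return identifying, opaque

if __name__ == "__main__":
    found, tunnels = audit(SAMPLE.splitlines())
    for host, name, value in found:
        print(f"{host}: {name}={value}")
    for host in tunnels:
        print(f"{host}: CONNECT tunnel, contents not visible to the proxy")
```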

1 thought on “I spy on iPhone”

  1. Further analysis of the network traces reveals that after making the SSL connection to http://www.google.com the device is empowered with a new ‘GoogleLogin’ authorization string which it sends in subsequent HTTP requests:

    GET /feeds/api/standardfeeds/GB/recently_featured?start-index=1&max-results=25&format=2,3&client=ytapi-apple-iphone HTTP/1.1
    Authorization: GoogleLogin auth=(long_string_deleted)
    Host: gdata.youtube.com
    User-Agent: Apple iPhone v2.1 YouTube v1.0.0.5F136

    As YouTube sends non-DRM protected content to iPhone devices, this could be the mechanism that they use to prevent non-iPhone devices from accessing the MPEG-4 content?
