iMessage Privacy



Apple states: “There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it. For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.”

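The reality is not that simple. All communication with Apple's servers goes over SSL; however, the data can be intercepted with a MITM, which shows that SSL pinning is not performed (see "Securing iOS SSL communication with SSL pinning"). Even more surprisingly, the password is sent in plaintext.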


 POST /WebObjects/VCProfileService.woa/wa/authenticateUser
'content-length': 223,
'accept-language': en-us,
'accept-encoding': gzip,
'content-encoding': gzip,
'accept': */*,
'user-agent': [Mac OS X,10.8.3,12D78,Macmini4,1],
'connection': keep-alive,
'x-protocol-version': 7,
'content-type': application/x-apple-plist,
'x-ds-client-id': t:3A5DC02C47249FC50EF0FF1B8CF3073C9EBD0668


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

For a more detailed analysis, see: iMessage Privacy
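
The client-side check whose absence is described above, as an added sketch (not code from the original post or from Apple): ordinary CA validation accepts any certificate that chains to a root the device trusts, so a pinning client additionally compares the server's leaf certificate against a fingerprint shipped with the application before it sends anything. The names `PINNED`, `pin_matches` and `open_pinned` are hypothetical, and the two byte strings are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
GENUINE_DER = b"constructed DER bytes of the genuine server certificate"
PROXY_DER = b"constructed DER bytes of a certificate issued by an intercepting proxy"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# Pin set bundled with the client (assumption). A production set would also
# hold a backup pin so the server certificate can be rotated.
PINNED = frozenset({fingerprint(GENUINE_DER)})


def pin_matches(der_cert: bytes, pins=PINNED) -> bool:
    """True only if the presented certificate is one of the pinned ones."""
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin) for pin in pins)


def open_pinned(host: str, port: int = 443, pins=PINNED, timeout: float = 10.0):
    """Open a TLS connection with CA and hostname validation, then enforce the pin.

    The caller must send credentials only on the socket this returns: a
    certificate that validates against a trusted root but is not pinned is
    rejected here, before any application data leaves the client.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match any pinned fingerprint")
    return tls
```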

