Gave a bribe? Catch the top ten. Bribr Analysis for iPhone

    Bribr is an independent project to collect statistics on bribes in Russia from citizens. Users themselves indicate the size of the bribe by clicking on the "I gave a bribe" button and filling out the form. According to the main page of the application, from September 24, 2012 users gave bribes of 1,429,550 rubles. These actions to give a bribe are regulated by Article 291 of the Criminal Code of the Russian Federation and are punished seriously (up to 12 years in prison). The service guarantees the anonymity of the submission of information. But is it really so?


    After reading the article “Gave a bribe - check in” on the main page of the Big City website, I wondered how truly anonymous the flow of information was.

    What needs to be done to anonymously confess to giving a bribe?

    • Install the free app from the Appstore
    • Click "I gave a bribe" with an exclamation mark
    • Fill in the form “How much, to whom, for what, on the map”. On this screen there is an inscription that “all information is completely anonymous”
    • Click the “Submit” button.


    These four simple steps can lead you to jail.

    What you need to check:
    Macbook, Charles proxy application for Mac, iPad and iPhone, Bribr application

    1. In Charles
    Proxy-> Proxy Settings

    image

    We enable SSL proxying and specify the address of the api.bribr.org service.

    image

    We find out the IP address in the terminal and specify it in proxy settings in iPad

    2. On the iPad, specify Proxy.
    image

    Launch the Bribr application.

    3. In Charles, we look at the log and what we see. When you start the application and request statistics on the number of tricks on the site api.bribr.org, an unknown identifier and device model is transmitted.

    image

    The following request parameters are of most interest:

    X-API-Key the-dark-side-of-the-moon
    X-Device-ID 4939a528a47f7237dd7b26cd9d1f3c9396f76896
    X-Device-Model iPad

    Device-ID does not match UDID, OpenUDID and ODIN-1 and is probably a closed hash by UDID, judging by the 40 numerical sequence.

    On the iPhone, the situation is the same, but Device-ID and Device-Model are different.

    image

    I invite you to further explore this anonymous API.

    Brief conclusion:
    When your device falls into the zone of interest of law enforcement agencies, sending a test bribe from your phone can be compared to what you sent earlier. Here is such anonymity. There is no anonymity.

    UPD:
    1) The first time the article was deleted by the administration after mentioning the developer company, I deleted the name of the company
    2) to research the X-Device-ID, here is the UDID of my iPad 3fd35bfd60011429307e4fca1ee52d9c68735617

    Also popular now: