Sunday, November 20, 2011

Siri encryption broken down, Android port still not likely


Developers at iPhone development house Applidium have done a thorough investigation into the encryption behind Siri and have worked out a way to get it running on non-iPhone devices as well! Before you jump to conclusions, note that a valid iPhone 4S identification string is needed to authenticate. That might work for a few test situations but would likely result in a ban if thousands of requests were sent.


TechCrunch provides a brief breakdown of the entire process:
  • By connecting Siri to a local router and then dumping data as it came through, they realized that Siri was sending all of its data to a server that we’ll refer to as “Guzzoni”.
  • All traffic sent to Guzzoni was sent through the HTTPS protocol. With the “S” in HTTPS standing for “Secure”, this traffic wasn’t subject to simple packet sniffing. So they had a new idea: make a fake Guzzoni server, and see what came through on the other end.
  • After a good bit of ridiculously clever SSL certificate trickery, they got Siri sending commands to their fake server. With each command comes the “X-Ace-Host” string, which appears to be unique to each iPhone 4S.
  • After figuring out how Apple was compressing (read: not encrypting) the data, Applidium was able to decompress it and parse out a rough sketch of exactly what was being sent (including which audio codec Apple was using), and what Siri expected in return.
Applidium has provided tools to enable developers to make apps around Siri. A test app which runs a text to speech script via a laptop has already run successfully, but we wouldn’t hold our breath for an Android app anytime soon. The only workaround for this problem would be to have an immense pool of iPhone 4S identification strings, which are unlikely to be spoofed.
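
The "compressing (read: not encrypting)" step above is something you can audit in your own app's captured request bodies. The check below is an added example, not Applidium's or Apple's code. It assumes zlib framing, which the breakdown does not name, and every sample value in it is constructed.

```python
import hashlib
import zlib

def find_zlib_stream(body: bytes, min_len: int = 16):
    """Return (offset, plaintext) for the first complete zlib stream in body, else None."""
    for off in range(len(body) - 1):
        cmf, flg = body[off], body[off + 1]
        # RFC 1950 header: method 8 (deflate), window <= 32 KiB, 16-bit header divisible by 31.
        if cmf & 0x0F != 8 or cmf >> 4 > 7 or (cmf * 256 + flg) % 31:
            continue
        inflater = zlib.decompressobj()
        try:
            plain = inflater.decompress(body[off:])
        except zlib.error:
            continue
        # eof is set only once the Adler-32 trailer has verified, so random bytes do not match.
        if inflater.eof and len(plain) >= min_len:
            return off, plain
    return None

def audit_body(body: bytes, sensitive: list) -> dict:
    """Report whether a captured body is readable without a key and which values leak."""
    hit = find_zlib_stream(body)
    if hit is None:
        return {"readable": False, "offset": None, "exposed": []}
    off, plain = hit
    return {"readable": True, "offset": off,
            "exposed": [s for s in sensitive if s in plain]}

# Constructed samples (assumptions, not real traffic): a 4-byte framing header
# followed by a zlib stream, and hash output standing in for real ciphertext.
DEVICE_ID = b"CONSTRUCTED-DEVICE-ID-0000"
COMPRESSED_BODY = b"HDR\x00" + zlib.compress(
    b"device-id: " + DEVICE_ID + b"\nrequest: constructed sample\n")
OPAQUE_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))

if __name__ == "__main__":
    print(audit_body(COMPRESSED_BODY, [DEVICE_ID]))
    print(audit_body(OPAQUE_BODY, [DEVICE_ID]))
```

A body that reports `readable: True` has no protection of its own once the TLS session is terminated by anyone other than the intended server, so any device identifier inside it is exposed at that point.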
