I recently noticed that iOS MDM servers have the ability to connect to phones and initiate check-ins even when a device is connected to WiFi. Packet analysis showed absolutely no communication between the Apple push service or the MDM servers and the phone over WiFi. On the contrary, the transaction was always magically initiated by the iOS device. How could this happen?
As we know, iOS devices have two NICs: one for WiFi and the other for 3G communication. On further analysis, I was able to observe that even though the device switched over to the WiFi network, the 3G network interface of the device was still active in the background and maintained a persistent connection to the Apple push servers on port 5223. Hence, whenever Apple or the MDM servers wanted to send a push notification, the notification was sent over 3G, and in response the device answered over WiFi.
A simple netstat on the device reveals the following (addresses redacted):

netstat -a
tcp4 0 0 10.XXX.XXX.XXX.4XXXX nk11p01st-courie.5223 ESTABLISHED
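To make the same check repeatable, here is an added example (not code from the original post) that parses `netstat -a` output in the BSD style iOS uses, picks out established sessions to the APNs courier port 5223, and tags each one with the interface its local address belongs to. The sample netstat output and the cellular/WiFi address ranges are constructed assumptions; on a real device the ranges come from `ifconfig`.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -a` output on an iOS device. It is not the
# capture from the post; the hostnames and addresses are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.20.30.40.49152      nk11p01st-courie.5223  ESTABLISHED
tcp4       0      0  192.168.1.15.49201     17.57.144.10.443       ESTABLISHED
tcp4       0      0  192.168.1.15.49210     mdm.example.com.443    TIME_WAIT
tcp4       0      0  *.62078                *.*                    LISTEN
"""

APNS_PORT = 5223  # APNs courier port seen in the netstat output above

# Assumed (hypothetical) address plan: a carrier-assigned cellular range and
# the local WiFi subnet. Adjust to what `ifconfig` reports on the device.
INTERFACES = {
    "cellular": ip_network("10.0.0.0/8"),
    "wifi": ip_network("192.168.1.0/24"),
}

# proto  recv-q  send-q  local  foreign  [state]
LINE_RE = re.compile(
    r"^(?P<proto>tcp[46]|udp[46])\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s*(?P<state>\S+)?$"
)


def split_host_port(endpoint):
    """BSD netstat separates host and port with a dot, so split on the last
    dot: '10.20.30.40.49152' -> ('10.20.30.40', 49152). A '*' port yields None."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def classify_interface(local_host):
    """Map a local address onto one of the assumed interface ranges."""
    try:
        addr = ip_address(local_host)
    except ValueError:  # '*' or a hostname rather than an address
        return "unknown"
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return "unknown"


def parse_netstat(text):
    """Parse every connection line; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        lhost, lport = split_host_port(m.group("local"))
        fhost, fport = split_host_port(m.group("foreign"))
        conns.append({
            "proto": m.group("proto"),
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": m.group("state") or "",
            "interface": classify_interface(lhost),
        })
    return conns


def find_apns_sessions(text):
    """Established sessions to port 5223, each tagged with its interface."""
    return [c for c in parse_netstat(text)
            if c["foreign_port"] == APNS_PORT and c["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    for c in find_apns_sessions(SAMPLE_NETSTAT):
        print(f"APNs session via {c['interface']}: "
              f"{c['local_host']}:{c['local_port']} -> {c['foreign_host']}:{c['foreign_port']}")
```

Run against the sample, the only APNs session is the one whose local address sits in the cellular range, which is exactly the situation described above: the push channel stays up on 3G while the device is otherwise on WiFi.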
I had reported a potential flaw in the Android system that could be used to perform a DoS (denial of service) on an Android phone. The issue was caused by a poor programming assumption which could have been avoided with a good programming 101 course. I had developed a tool called c-ray to help me with quick and dirty pentesting and analysis of Android applications and the system. I stumbled on the issue while playing around with the Android core system and the c-ray application. The issue was an input validation error caused by a developer's assumption. An intent to the "android.accounts.GrantCredentialsPermission" class of the Android core system results in a system crash and reboot. Further analysis and reasons below.