iPhone's Persistent Connection to Apple

I recently noticed that iOS MDM servers have the ability to connect to phones and initiate check-ins even when a device is connected to WiFi. Packet analysis showed absolutely no communication between the Apple PUSH service or MDM servers and the phone. On the contrary, the transaction was always magically initiated by the iOS device. How could this happen?

As we know, iOS devices have two NICs: one for WiFi and the other for 3G communication. On further analysis, I was able to observe that even though the device switched over to the WiFi network, the 3G network interface of the device was still active in the background and maintained a persistent connection to Apple PUSH servers at port 5223. Hence, whenever Apple or MDM servers wanted to send a PUSH notification, the notification was sent over 3G, and the device responded over WiFi.

A simple netstat on the device reveals the following:


    netstat -a
    tcp4 0 0 10.XXX.XXX.XXX.4XXXX nk11p01st-courie.5223 ESTABLISHED

The 3G/Edge network interface on iOS is called pdp_ip0. Further analysis of tcpdump on interface pdp_ip0 confirmed the same and revealed communication between the PUSH servers and the iOS device even when the device had switched over to WiFi.
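For anyone auditing a device the same way, the following added example (not code from the original post) parses netstat output in the layout shown above and reports which interface holds the established connection to port 5223. The sample rows, the documentation-range addresses and the address-to-interface map (including `en0` as the WiFi interface) are constructed assumptions.

```python
APNS_PORT = "5223"  # remote port of the persistent push connection seen in the post

# Constructed sample in the post's netstat layout (addresses are documentation ranges).
SAMPLE = """\
tcp4 0 0 192.0.2.10.49161 nk11p01st-courie.5223
ESTABLISHED
tcp4 0 0 192.168.1.102.49168 198.51.100.7.imaps ESTABLISHED
tcp4 0 0 *.3325 *.* LISTEN
udp6 0 0 localhost.isakmp *.*
"""
# Assumed address-to-interface map, e.g. read off `ifconfig` (en0 = WiFi is an assumption).
IFACES = {"192.0.2.10": "pdp_ip0", "192.168.1.102": "en0"}

def split_endpoint(endpoint):
    """BSD netstat prints host.port, so the port is whatever follows the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_netstat(text):
    """Return one dict per TCP row, re-joining a state that wrapped to the next line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("tcp"):
            rows.append(fields)
        elif rows and len(rows[-1]) == 5 and len(fields) == 1 and fields[0].isupper():
            rows[-1].append(fields[0])  # wrapped state such as ESTABLISHED
    parsed = []
    for f in rows:
        if len(f) < 5:
            continue  # truncated row, nothing to attribute
        local, lport = split_endpoint(f[3])
        remote, rport = split_endpoint(f[4])
        state = f[5] if len(f) > 5 else ""
        parsed.append({"local": local, "lport": lport, "remote": remote,
                       "rport": rport, "state": state})
    return parsed

def push_connections(text, ifaces):
    """Established connections to the push port, tagged with the owning interface."""
    return [dict(r, iface=ifaces.get(r["local"], "unknown"))
            for r in parse_netstat(text)
            if r["rport"] == APNS_PORT and r["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    for c in push_connections(SAMPLE, IFACES):
        print(f'{c["iface"]}: {c["local"]}:{c["lport"]} -> {c["remote"]}:{c["rport"]}')
```

A push connection whose local address belongs to pdp_ip0 while the device is on WiFi is the behaviour the post describes.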

Comments

  1. How do you fix this problem? I still have this after having a droid and now an iPhone.

    nk11p01st-courie.5223
    constant connections to port 5223 with a host that has no history.
    tcp4 0 0 192.168.1.102.50227 dfw06s17-in-f1.1.http ESTABLISHED
    tcp4 0 0 192.168.1.102.50226 dfw06s17-in-f1.1.http ESTABLISHED
    tcp4 0 0 192.168.1.102.50225 dfw06s17-in-f1.1.http ESTABLISHED
    tcp4 0 0 192.168.1.102.50223 pd-in-f120.1e100.http ESTABLISHED
    tcp46 0 0 *.50103 *.* LISTEN
    tcp4 0 0 *.50103 *.* LISTEN
    tcp4 0 0 192.168.1.102.49168 17.158.8.26.imaps ESTABLISHED
    tcp4 0 0 192.168.1.102.49166 17.158.8.26.imaps ESTABLISHED
    tcp4 0 0 192.168.1.102.49165 17.158.8.26.imaps ESTABLISHED
    tcp4 0 0 192.168.1.102.49164 17.158.8.92.imaps ESTABLISHED
    tcp4 0 0 *.3325 *.* LISTEN
    tcp4 0 0 192.168.1.102.49161 nk11p01st-courie.5223 ESTABLISHED
    tcp4 0 0 localhost.ipp *.* LISTEN
    tcp6 0 0 localhost.ipp *.* LISTEN
    udp6 0 0 localhost.ipsec-ms *.*
    udp6 0 0 localhost.isakmp *.
