1

Today I was analyzing User-Agents in WebViews on different iOS apps, like Facebook and Twitter.

That's when you click a link in a post/tweet and it opens the in-app browser (still using the iOS browser engine).

I retrieved the User-Agent by writing a small PHP script that I put online:

echo "PHP HTTP_USER_AGENT: " . $_SERVER['HTTP_USER_AGENT'] . PHP_EOL;

And then you just create a new facebook post with that URL, i.e. http://mywebserver.com/get-my-ua.php - and open it in the in-app browser.

To my surprise, one particular User-Agent looked very interesting: from the Facebook app:

Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 [FBAN/FBIOS;FBAV/133.0.0.11.22;FBBV/65438308;FBDV/iPhone8,4;FBMD/iPhone;FBSN/iOS;FBSV/10.3.3;FBSS/2;FBCR/Telekom.de;FBID/phone;FBLC/de_DE;FBOP/5;FBRV/0]

The beginning looks as usual, but the attachment is very interesting:

  1. There is some kind of private IP included: 133.0.0.11.22 (I have censored the last 2 parts)
  2. it knows the mobile carrier name! Telekom.de

I run the same thing on an iPad, which actually does not have a SIM card installed right now and runs on WiFi only, but for testing I had installed a SIM card months ago. The mobile carrier profile is still visible in Settings - General - About - Carrier - it remains there even after reboots.

I couldn't find any information on the web about it. The private IP seems boring (it's also the same on the iPad), but how on earth does Facebook get the mobile carrier name? I'd be surprised that's allowed in iOS apps, Apple seems to be very strict on leaking such data. Safari's User-Agent does not have such an attachment of course.

I'm pretty sure Facebook did not just use some geoip-location service like maxmind to look-up the IP and its ASN. Because 1) maxmind shows Deutsche Telekom AG for that mobile IP and 2) it will still show Telekom.de even when I use a WiFi which is not running Telekom at all.

You can switch WiFi on and off, disable mobile data, it will always show the same User-Agent. I think that's because the mobile carrier profile is still installed. But how does it get this information?

Here is the User-Agent from Twitter's in-app browser: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/602.3.12 (KHTML, like Gecko) Mobile/14G60 Twitter for iPhone

Both the iPhone and the iPad have the latest apps installed, aswell as the latest iOS 10.3.3.

Eugen
  • 537
  • 6
  • 14
  • Many services can provide it by your mobile number. I'm pretty sure they can do the same with the IP address. Talking about FB, they are completely integrated to Apple products now, so I'm also pretty sure they can have information we don't – GIJOW Jul 27 '17 at 20:29
  • `they are completely integrated to Apple products now` > social media account integration was removed in iOS 11. @Eugen: Might have some luck with this post (test all the asnwers): https://stackoverflow.com/a/3948086/2124535. And also, any chance you can test your device in iOS 11 ? – nathan Jul 27 '17 at 20:35
  • As I said in the question, its not resolved from my "phone number" (I don't have a german phone number added to my facebook) - and the iPad doesn't even have a SIM card installed. – Eugen Jul 27 '17 at 20:36
  • 133.0.x.x is not a private IP address. It is a public range – Paulw11 Jul 27 '17 at 20:49
  • It's not even an IP actually, but internal version number of different components: https://stackoverflow.com/a/30984142/2124535. Guesstimation about all the internal property names: https://www.webmasterworld.com/search_engine_spiders/4729148.htm – nathan Jul 27 '17 at 20:53
  • If you look up an IP address in geolocation database such as IP2Location, you can get the MNC MCC information easily. You can try http://www.ip2location.com/demo – Michael C. Jul 31 '17 at 23:46
  • @michael please re-read my question. its not done via IP geolocation (i.e. maxmind) as written in my question. the iPad was running without a SIM card, only on WiFi, and was still showing the mobile carrier name. see the answer and the comments. the mobile profile persists even after SIM card removal and reboot – Eugen Aug 01 '17 at 16:51
  • @Eugen What is your ISP behind WiFi? Is it the same Deutsche Telekom? – Michael C. Aug 02 '17 at 06:28
  • @Michael excuse me to point you again to my question, which tells that the WiFi is NOT running on Deutsche Telekom (O2/Telefonica, entirely different company). – Eugen Aug 02 '17 at 09:05

1 Answers1

1

The mobile carrier is available in the SIM info that iOS provides. Here's what I have:

#import <CoreTelephony/CTTelephonyNetworkInfo.h>

@property (nonatomic, strong) CTTelephonyNetworkInfo* networkInfo;

- (void)setup
{
    self.networkInfo = [[CTTelephonyNetworkInfo alloc] init];
}

- (NSString*)simCarrierName
{
    return [networkInfo subscriberCellularProvider].carrierName;    
}

- (NSString*)simIsoCountryCode
{
    if ([[networkInfo subscriberCellularProvider].isoCountryCode length] == 2)
    {
        return [[networkInfo subscriberCellularProvider].isoCountryCode uppercaseString];
    }
    else
    {
        return nil;
    }
}

- (NSString*)simMobileCountryCode
{
    if ([[networkInfo subscriberCellularProvider].mobileCountryCode length] == 3)
    {
        return [networkInfo subscriberCellularProvider].mobileCountryCode;
    }
    else
    {
        return nil;
    }
}

- (NSString*)simMobileNetworkCode
{
    return [networkInfo subscriberCellularProvider].mobileNetworkCode;
}
meaning-matters
  • 21,929
  • 10
  • 82
  • 142
  • `iPad, which actually does not have a SIM` – nathan Jul 27 '17 at 20:47
  • When I wrote and tested this code years ago I noticed that iOS holds on to the previously installed SIM info after you remove it. I guess that you see info that matches your previously installed SIM info? – meaning-matters Jul 27 '17 at 20:54
  • I think so, that's what other users reported on the linked question above. – nathan Jul 27 '17 at 21:15
  • thanks alot, that solves the mystery. and yes, as explained in my question, the SIM card info in `Settings - General - About - Carrier` remains even when you remove the entire SIM card from the device and reboot (mine has been removed since weeks/months) – Eugen Jul 28 '17 at 12:42
  • @Eugen Yeah, I remember doing reboots that did not wipe the info either. Glad you resolved your issues. – meaning-matters Jul 28 '17 at 12:45