<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Treasure Hunt</title>
	<atom:link href="http://gaurangkp.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://gaurangkp.wordpress.com</link>
	<description>Hunting for Hidden Treasures of IT Security</description>
	<lastBuildDate>Wed, 24 Apr 2013 07:34:54 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='gaurangkp.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Treasure Hunt</title>
		<link>http://gaurangkp.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://gaurangkp.wordpress.com/osd.xml" title="Treasure Hunt" />
	<atom:link rel='hub' href='http://gaurangkp.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Nokia&#8217;s MITM on HTTPS traffic from their phone</title>
		<link>http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/</link>
		<comments>http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/#comments</comments>
		<pubDate>Wed, 09 Jan 2013 13:10:01 +0000</pubDate>
		<dc:creator>Gaurang</dc:creator>
				<category><![CDATA[Mobile Phone Security]]></category>
		<category><![CDATA[Nokia]]></category>
		<category><![CDATA[Man in the middle attack]]></category>
		<category><![CDATA[MITM]]></category>
		<category><![CDATA[Nokia Asha 302 MITM]]></category>
		<category><![CDATA[Nokia HTTPS MITM]]></category>
		<category><![CDATA[Nokia MITM]]></category>
		<category><![CDATA[Nokia Phone security]]></category>
		<category><![CDATA[Nokia's Man in the middle Attack]]></category>

		<guid isPermaLink="false">http://gaurangkp.wordpress.com/?p=52</guid>
		<description><![CDATA[The statements I have posted on this site are mine alone and do not necessarily reflect the views of Unisys Tested On Handset Model Nokia Asha 302 OS Version 14.78 (31-08-12), RM-813 Browsers Tested On Nokia Browser (2.2.0.0.31) OS Type Series 40 (S40) After discovering that HTTP traffic from the phone is getting redirected through [...]]]></description>
				<content:encoded><![CDATA[<h1 style="text-align:center;"><span style="text-decoration:underline;"><i>The statements I have posted on this site are mine alone and do not necessarily reflect the views of Unisys</i></span></h1>
<p><b>Tested On</b></p>
<table width="372" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" width="141"><b>Handset Model</b></td>
<td valign="top" width="189">Nokia Asha 302</td>
</tr>
<tr>
<td valign="top" width="141"><b>OS Version</b></td>
<td valign="top" width="189">14.78 (31-08-12), RM-813</td>
</tr>
<tr>
<td valign="top" width="141"><b>Browsers Tested On</b></td>
<td valign="top" width="189">Nokia Browser (2.2.0.0.31)</td>
</tr>
<tr>
<td valign="top" width="141"><b>OS Type</b></td>
<td valign="top" width="189">Series 40 (S40)</td>
</tr>
</tbody>
</table>
<p>After discovering that HTTP traffic from the phone is being redirected through Nokia&#8217;s server farm, as shown in the <a title="Nokia phone forcing traffic through proxy" href="http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/" target="_blank">previous post</a>, the obvious next step was to check whether HTTPS traffic at least is getting its due respect and is being transferred without any intermediate host inspecting it. Because HTTPS traffic is encrypted before transmission, it is not possible to inspect the HTTP(S) packet headers to work out the details, as was done for HTTP in the previous post. However, there are two ways to get an idea of how the traffic is flowing.</p>
<ol>
<li>Check whether DNS requests are sent for the requested website.</li>
<li>Check the certificate sent by the server.</li>
</ol>
<p><span style="text-decoration:underline;"><strong>DNS Request Check</strong></span></p>
<p>The goal of this test was to find out whether the phone sends a DNS query for the site being browsed. To test this we browsed <a href="https://www.google.com" rel="nofollow">https://www.google.com</a> through the Nokia browser. Ideally the phone should have sent a DNS query requesting the IP address of &#8220;www.google.com&#8221;, which would have looked normal. Instead, the DNS request was sent for &#8220;cloud13.browser.ovi.com&#8221;, which is the same host that HTTP traffic was sent to in the previous post. Moreover, no attempt was made to resolve &#8220;www.google.com&#8221;. The Wireshark snapshot below shows this, but from a capture taken at the Wi-Fi router alone there is no way to prove that the request was originally made for <a href="https://www.google.com" rel="nofollow">https://www.google.com</a> and not for cloud13.browser.ovi.com.</p>
<p style="text-align:center;"><a href="http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/attachment/1/" target="_blank" rel="attachment wp-att-67"><img class="aligncenter  wp-image-67" alt="DNS Capture" src="http://gaurangkp.files.wordpress.com/2012/12/12.jpg?w=1207&#038;h=353" width="1207" height="353" /></a></p>
<p style="text-align:left;"><strong><span style="text-decoration:underline;">Certificate Response Check</span></strong></p>
<p style="text-align:left;">It is evident from the snapshot above that even HTTPS requests are being redirected to Nokia/Ovi servers, which raises questions about the certificate being received from Nokia&#8217;s servers and about the list of trusted certificates on the phone in question. Let us first look at the certificates received from Nokia&#8217;s servers during this transaction. Below is a packet capture from the Wi-Fi router.</p>
<p style="text-align:center;"><a href="http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/nokia-certs/" target="_blank" rel="attachment wp-att-77"><img class="aligncenter  wp-image-77" alt="nokia-certs" src="http://gaurangkp.files.wordpress.com/2012/12/nokia-certs.jpg?w=1207&#038;h=353" width="1207" height="353" /></a></p>
<p style="text-align:left;">Checking the trusted certificates on the phone shows that Nokia has pre-configured the phone to trust at least one of these certificates, which is why no security alerts are shown during this <strong>Man In The Middle (MITM) attack by Nokia</strong>. The snapshot below shows details of each of the three certificates seen in the packet capture.</p>
<p style="text-align:center;"><a href="http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/certs/" target="_blank" rel="attachment wp-att-86"><img class="size-large wp-image-86" alt="certs" src="http://gaurangkp.files.wordpress.com/2012/12/certs.jpg?w=627&#038;h=259" width="627" height="259" /></a></p>
<p style="text-align:left;">One more thing to notice here is that the DNS request was sent for &#8220;cloud13.browser.ovi.com&#8221;, whereas the certificate (the middle one) says it was issued to &#8220;cloud1.browser.ovi.com&#8221;, and still no security warning was shown on the phone.</p>
<h2 style="text-align:left;"><span style="text-decoration:underline;"><strong>Conclusion</strong></span></h2>
<p>From the tests performed, it is evident that Nokia is performing a Man In The Middle attack on sensitive HTTPS traffic originating from their phone and hence has access to clear-text information, which could include user credentials for social networking and banking sites, credit card information or anything else sensitive in nature. <strong><span style="text-decoration:underline;">In short, whether an HTTP or an HTTPS site is browsed through the phone in question, Nokia has the complete information available unencrypted (in clear text) to use or abuse.</span></strong> Upon checking the privacy statement on Nokia&#8217;s website, the following can be found.</p>
<pre><strong>Websites accessed
</strong>
The URLs of such sites which you access with the Nokia Browser are stored by Nokia. However, we will not collect any personally identifiable information in the context of providing the service. Your browsing is not associated to any personally identifiable information and we do not collect any usernames or passwords or any related information on your purchase transactions, such as your credit card number during your browsing sessions. Also, additional parameters in the URL are not stored.</pre>
<p>For additional information on their privacy policy you may want to visit their <a href="http://www.nokia.com/global/privacy/privacy/policy/privacy-policy/">Privacy Policy Page</a> or <a href="http://www.nokia.com/global/privacy/privacy/details/browser/nokia-browser/">Nokia Browser Privacy Policy Page</a>.</p>
<h2><strong><span style="text-decoration:underline;">Update of 10th January, 2013</span></strong></h2>
<p>I just noticed that when I tried to browse a site through the Nokia browser, I got a message to upgrade the browser. I clicked remind later as I wanted to something. My guess is that Nokia would have fixed this, but nothing can be said without actually upgrading and testing. I also see &#8220;Update your browser&#8221; on browser.nokia.com. Since no date/time stamp is given there, it cannot be confirmed whether this is new or old.</p>
<h2><span style="text-decoration:underline;">Update of 11th January, 2013</span></h2>
<p>I just upgraded my Nokia browser; the version is now 2.3.0.0.48, and as expected there is a change in HTTPS behaviour. There is good news and bad news. The good news is that with this browser <strong>they are no longer performing a Man-In-The-Middle attack on HTTPS traffic</strong>, which was the original issue; the bad news is that the traffic still flows through their servers. This time they are tunneling HTTPS traffic over an HTTP connection to their server. Details are given below.</p>
<p>This time we again browsed <a href="https://www.google.com" rel="nofollow">https://www.google.com</a> and found that DNS requests are again sent for Nokia/Ovi servers, this time for &#8220;cloud13.xpress.nokia.com&#8221;. Upon receiving the DNS reply, an HTTP tunnel is established between the mobile device and their cloud server, and the HTTPS traffic is tunneled over that HTTP tunnel.</p>
<p>The snapshot below shows the DNS query and the HTTP traffic for the HTTPS site.</p>
<p style="text-align:center;"><img class="aligncenter  wp-image-134" alt="new-behaviour" src="http://gaurangkp.files.wordpress.com/2013/01/new-behaviour.jpg?w=1207&#038;h=353" width="1207" height="353" /></p>
<p style="text-align:left;">The HTTP header shown below also confirms this: the &#8220;x-nokiabrowser-host&#8221; parameter tells the Nokia server which HTTPS URL to fetch, and the content is later passed on to the mobile device. We are yet to look at the certificate information in this setup, as it is available neither from the phone nor from the packet capture, as was possible previously. <strong>I am yet to check how GET/POST requests to an HTTPS site are handled.</strong></p>
<pre style="text-align:left;"><span style="color:#ff0000;">POST / HTTP/1.1</span>
<span style="color:#ff0000;">Host: cloud13.xpress.nokia.com</span>
<span style="color:#ff0000;">Content-Type: application/octet-stream</span>
<span style="color:#ff0000;">x-nokiabrowser-host: https://www.google.com</span>
<span style="color:#ff0000;">connection: Keep-Alive</span>
<span style="color:#ff0000;">accept: */*</span>
<span style="color:#ff0000;">cache-control: no-cache</span>
<span style="color:#ff0000;">x-device-id: &lt;removed&gt;</span>
<span style="color:#ff0000;">Content-Length: 362</span>
<span style="color:#ff0000;">Connection: Keep-Alive</span>
<span style="color:#ff0000;">User-Agent: Nokia302/5.0 (14.78) Profile/MIDP-2.1 Configuration/CLDC-1.1</span>
<span style="color:#ff0000;">x-wap-profile: "http://nds1.nds.nokia.com/uaprof/Nokia302r100.xml"</span>

<span style="color:#ff0000;">ETLV.4J....I...G..L....[OUTPUT-CUT]</span></pre>
<p>I would like to thank Nokia officials for quickly responding to the issue and getting it fixed on priority. This shows their commitment to the privacy of their mobile customers; much appreciated.</p>
<p>Fresh commenting/pingbacks have been disabled on this post.</p>
]]></content:encoded>
			<wfw:commentRss>http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/feed/</wfw:commentRss>
		<slash:comments>87</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/48283bfb4c8804b68f1b3c9c264289ab?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">gaurangkp</media:title>
		</media:content>

		<media:content url="http://gaurangkp.files.wordpress.com/2012/12/12.jpg?w=300" medium="image">
			<media:title type="html">DNS Capture</media:title>
		</media:content>

		<media:content url="http://gaurangkp.files.wordpress.com/2012/12/nokia-certs.jpg?w=627" medium="image">
			<media:title type="html">nokia-certs</media:title>
		</media:content>

		<media:content url="http://gaurangkp.files.wordpress.com/2012/12/certs.jpg?w=627" medium="image">
			<media:title type="html">certs</media:title>
		</media:content>

		<media:content url="http://gaurangkp.files.wordpress.com/2013/01/new-behaviour.jpg?w=627" medium="image">
			<media:title type="html">new-behaviour</media:title>
		</media:content>
	</item>
		<item>
		<title>Nokia phone forcing traffic through proxy</title>
		<link>http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/</link>
		<comments>http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/#comments</comments>
		<pubDate>Tue, 04 Dec 2012 18:43:05 +0000</pubDate>
		<dc:creator>Gaurang</dc:creator>
				<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://gaurangkp.wordpress.com/?p=6</guid>
		<description><![CDATA[The statements I have posted on this site are mine alone and do not necessarily reflect the views of Unisys Tested On Handset Model Nokia Asha 302 OS Version 14.78 (31-08-12), RM-813 Browsers Tested On Nokia Browser, Opera Mini OS Type Series 40 (S40)   It has been noticed that internet browsing traffic, instead of [...]]]></description>
				<content:encoded><![CDATA[<h1 style="text-align:center;"><span style="text-decoration:underline;"><i>The statements I have posted on this site are mine alone and do not necessarily reflect the views of Unisys</i></span></h1>
<p><b><span style="text-decoration:underline;">Tested On</span></b></p>
<table width="357" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" width="141"><b>Handset Model</b></td>
<td valign="top" width="189">Nokia Asha 302</td>
</tr>
<tr>
<td valign="top" width="141"><b>OS Version</b></td>
<td valign="top" width="189">14.78 (31-08-12), RM-813</td>
</tr>
<tr>
<td valign="top" width="141"><b>Browsers Tested On</b></td>
<td valign="top" width="189">Nokia Browser, Opera Mini</td>
</tr>
<tr>
<td valign="top" width="141"><b>OS Type</b></td>
<td valign="top" width="189">Series 40 (S40)</td>
</tr>
</tbody>
</table>
<p>It has been noticed that internet browsing traffic, instead of going directly to the requested server, is being redirected to proxy servers: to Nokia/Ovi proxy servers if the Nokia browser is used, and to Opera proxy servers if the Opera Mini browser is used. Below is the HTTP request header I observed while browsing the simple site checkip.dyndns.org, which reveals the public IP address used by the browsing device.</p>
<pre><span style="color:#ff0000;">POST / HTTP/1.1
Host: cloud13.browser.ovi.com
Content-Type: text/plain
x-nokiabrowser-host: checkip.dyndns.org
connection: Keep-Alive
accept: */*
cache-control: no-cache
x-device-id: &lt;removed&gt;
Content-Length: 293
Connection: Keep-Alive
User-Agent: Nokia302/5.0 (14.78) Profile/MIDP-2.1 Configuration/CLDC-1.1
x-wap-profile: "http://nds1.nds.nokia.com/uaprof/Nokia302r100.xml"
</span></pre>
<p>Upon browsing a site, no attempt is made to resolve the hostname of the site being browsed; instead a DNS request goes out for Nokia/Ovi’s cloud server, which is shown in the “Host:” part of the HTTP request above. The site to be browsed is sent to the Nokia server as the value of “x-nokiabrowser-host”. Not just site browsing through their web browser, but also some built-in applications such as the mail client and Twitter client (the ones tested) seem to use the same Nokia browser, hence traffic for those applications is proxied through Nokia servers in the same manner. Even after checking various settings, I could not find any straightforward way to bypass this proxy setting and let my internet traffic pass through normally. This behaviour is seen regardless of whether browsing is done over a 3G or a Wi-Fi connection. I tested this on Wi-Fi by sniffing at the Wi-Fi router and on 3G by browsing a self-owned server and looking at the packet capture.</p>
<p>In the case of the Opera Mini browser, there are two browsing options available: 1) HTTP and 2) SOCKS. This was tested with both methods and the results are similar. First of all, no DNS request was seen for the site being browsed, but a DNS request was seen for the Opera site.</p>
<p>Below is the HTTP request header for browsing the same site, checkip.dyndns.org, using the Opera Mini browser with the HTTP option:</p>
<pre><span style="color:#ff0000;">POST / HTTP/1.1 
Host: mini5.opera-mini.net 
Content-Type: application/xml 
accept: */* 
Content-Length: 15
Connection: Keep-Alive 
User-Agent: Nokia302/5.0 (14.78) Profile/MIDP-2.1 Configuration/CLDC-1.1 
x-wap-profile: "http://nds1.nds.nokia.com/uaprof/Nokia302r100.xml" 
</span>
<span style="color:#ff0000;">...Q....l....z.

</span></pre>
<p>The screenshot below shows the packet flow captured by tcpdump (with a host filter enabled for my mobile device) on the Wi-Fi router while browsing the above site using the Opera Mini browser over HTTP.</p>
<p><span style="color:#ff0000;"> <span style="color:#888888;"><a href="http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/image002/" target="_blank" rel="attachment wp-att-18"><img class="aligncenter size-medium wp-image-18" alt="image002" src="http://gaurangkp.files.wordpress.com/2012/12/image002.jpg?w=897&#038;h=268" width="897" height="268" /></a></span></span></p>
<p>The same site, when browsed using the Opera Mini browser with the SOCKS option, looks like the screenshot below, which is again a tcpdump packet capture (with a host filter enabled for my mobile device) on my Wi-Fi router.</p>
<p style="text-align:center;"><span style="color:#ff0000;"><span style="color:#888888;"><a href="http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/image004/" target="_blank" rel="attachment wp-att-19"><img class="aligncenter size-medium wp-image-19" alt="image004" src="http://gaurangkp.files.wordpress.com/2012/12/image004.jpg?w=897&#038;h=268" width="897" height="268" /></a></span></span></p>
<p>Again I couldn’t find a way in the Opera Mini browser to bypass this behaviour and let the traffic pass normally to the target server. After seeing such shocking behaviour, I quickly checked the same things on a somewhat older Nokia mobile phone (C5-03) and couldn’t find any such behaviour there. Another thing to notice is that whether we use the Nokia browser or the Opera Mini browser, the HTTP header’s User-Agent parameter shows exactly the same value.</p>
<p>Such behaviour in Nokia mobile phones does raise a few questions and concerns.</p>
<ol>
<li>What about individuals&#8217; privacy?</li>
<li>What are Nokia/Opera doing behind the scenes with all this information?</li>
<li>Is Nokia selling such devices/OS only in India, or in other places as well?</li>
<li>Is Nokia doing this to meet a regulatory requirement?</li>
<li>And lastly, can’t this method be (mis)used to proxy even normal desktop/laptop Internet browsing through their proxy servers, to hide the real source?</li>
</ol>
<p>Fresh commenting/pingbacks have been disabled on this post.</p>
]]></content:encoded>
			<wfw:commentRss>http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/feed/</wfw:commentRss>
		<slash:comments>19</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/48283bfb4c8804b68f1b3c9c264289ab?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">gaurangkp</media:title>
		</media:content>

		<media:content url="http://gaurangkp.files.wordpress.com/2012/12/image002.jpg?w=300" medium="image">
			<media:title type="html">image002</media:title>
		</media:content>

		<media:content url="http://gaurangkp.files.wordpress.com/2012/12/image004.jpg?w=300" medium="image">
			<media:title type="html">image004</media:title>
		</media:content>
	</item>
	</channel>
</rss>
