Tuesday, 25 June 2013

Tour Trackers - Exactly who's being tracked?

Tour Trackers - The 'companion' app for your iDevice or 'Droid while watching the tour and eating one too many TimTams at 2am. Here in Australia we have two contenders for effectively the same app. Both SBS Cycling Central and CyclingNews publish their own branded versions of the 'The Tour Tracker'. The question I have is.... who is being tracked?

Armed with an iPhone, tcpdump, WireShark, and a coffee here are the results of my quick 10 minute investigation.

Cycling News' Tour Tracker 
(Software v1.02)
  • Full Terms and Services (of Tour Tracker, LLC) provided.
  • Submits a 'launch' query to servers in the US with what appears to be a an ID attached to the app publisher...
  • No video :(
  • Also doesn't appear to call home to CyclingNews.


SBS Cycling Central 'Skoda Tour Tracker'
(Software v3.0)
  • Can't locate any Terms and Services. (Not ideal!)
  • Submits a 'launch' query to servers in the US with an app publisher ID... (as above)
  • Has Live Video! (Geo-IP locked to Australia no doubt.... still, has video!)

The kicker - This little bugger calls home to SBS every time it is launched. With a unique ID tied to your device. (This isn't your phone UDID, and changes on reboot.... maybe a developer could shed more light on this?)

GET /api/video_track/e?context=ios&event=appstart&device=iphone&uniqueid=5D45D7A0-59FF-44A4-A66E-AE2149FE02D9&form=json&vertical=tourtracker HTTP/1.1
Host: www.sbs.com.au
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Tour%20Tracker/8 CFNetwork/609.1.4 Darwin/13.0.0
Accept-Language: en-us
Accept: */*

Every time the SBS version of the app starts, Mike Tomalaris and Anthony Tan are giving themselves virtual cloud-based high-fives.... and I'm disgusted! :)

Your SBS "Tour Tracker" may not be riding your daughter's pony, but it is tracking you back. 

Go with the CyclingNews one if you don't need video. This isn't to say they're not tracking you either....

I can hear the echoes of Phil Liggett now - "We're sorry for a bit of user privacy break up.... We'll attempt to reassure you that your online rights have not been violated right after these messages."

1 comment:

Nick said...

I'm pretty sure that unique id is a fairly ineffective anti-piracy measure.

Typically the ID will be served to the client inside a separate FLV or JSON file, which makes it slightly more complicated to use the stream outside the app