Friday, December 17, 2010

EA Research Drives WSJ's "What They Know" Smartphone Investigation

We're pleased to announce that the Wall Street Journal has published the latest in their "What They Know" series.  This installment prominently displays the research of EA consultants.

Please have a look at the WSJ's description of our methodology before digging into the feature on  They have created some fantastic visualizations of the data leakage which are available on

EA would like to thank Mike, Jeremy and Raj at Intrepidus Group.  Their open source Mallory proxy was critical to the success of this project.

We'd also like to thank Dan Cornell at Denim Group for his open source SmartFonesDumbApps toolset.

Update: Slashdotted

Update: Apple, App Makers Sued Over User Tracking


  1. Great work. The article was fascinating. How were you able to use Mallory to do a MITM on SSL encrypted traffic? I assume the apps are not using digital certificates to ensure the identity of the remote servers, thereby allowing you to MITM their traffic? If they were to rely on public rooted certificates (e.g. from VeriSign), then you would not be able to do a MITM on the SSL traffic.

  2. Unfortunately the WSJ has asked us to refrain from posting details of our methodology but you can rest assured that we were indeed able to perform MITM on SSL traffic.