Yesterday evening the twitter account SwiftOnSecurity
began raising concerns that the I Sea App might be a fake.
The app claims to assign users random slices of the ocean to review and
flag possible refugee boats that might need rescue.
The app had been getting a lot of international news attention, but
something struck her as off and she asked for confirmation.
Not having anything better to do, I thought I might look into it.
I wired my phone up to Fiddler and installed the app
to see what sort of network requests it made to operate. I hoped this would
show me if it really did download satellite imagery from somewhere.
The image was at least processed (if not completely created) by Photoshop.
All of this strongly points towards the app not being wired up to a real
satellite image system.
Google Maps Integration
As you scroll around, the app fires off multiple requests to a Google maps
API. The need for this is unknown, as Google maps could only return imagery
from months or even years ago.
I suspect there was a drop-in maps widget the developers used so they wouldn’t
have to implement any logic to translate scrolling and zooming to a bounded
rectangle of latitude and longitude.
Submitting a Report
To submit a report, I had to give my first and last name, my email address
and my “Passport”. Nothing was explained about what this “passport” field represented:
a passport number? A country from which I have a passport? It seems like a
very unusual, and highly personal piece of information to collect.
Luckily the lack of validations accepted "eh" and I was able to submit
a test report
HTTP/1.1200 OK Date: Mon,20 Jun 201601:13:23 GMT Server: Apache/2.2.15 (CentOS) Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT Access-Control-Allow-Origin: * Content-Length:94 Connection: close Content-Type: text/html; charset=UTF-8
HTTP/1.1200 OK Date: Mon,20 Jun 201601:13:24 GMT Server: Apache/2.2.15 (CentOS) Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT Access-Control-Allow-Origin: * Content-Length:126 Connection: close Content-Type: text/html; charset=UTF-8
The submission did include the latitude and longitude of the area
in which I clicked, along with a text encoded “screenshot”. The screenshot
is encoded in a format I’m not familiar with and haven’t yet decoded.
The first few lines of it look like this:
Screenshot Encoding (replaced escaped "\r\n" with real newlines)
If anyone recognizes this encoding (its not base64) please let me know and
I’ll see about decoding the whole string.
Update: It is base64 after-all, but the JSON encoding did some escaping. I deleted
\r\n characters and turned \/ into literal / and was then able
to base64 decode the string into a png file. HT: @joe_h_punk
Email
Finally, the mailinator account I used to sign up received an email
Dear John
Thank you for helping us test out this application. We will not be able to give individual details to you due to the high volume of responses but we will be informing our users of the effects their efforts have had after the testing period is over. Your efforts will help transform ours.
Thanks,
I SEA Team
It’s interesting that they are calling it a test. I didn’t read all the
news coverage, but I’m not aware of any indicating it was anything other
than a real app.
Conclusions
None of the technical discovery really points to a motivation and I don’t
care to speculate on that front.
From the app level, all the infrastructure they would need to actually
work is there: the API could point different users to different images, and
it does appear to accept all the data you might expect for a given report.
It just seems its not actually hooked up to anything, and in fact, would
likely be prohibitively expensive to do so.