First analysis of the TUMe protocol

*UPDATE* more on the JSON part of the protocol.

Today Telefonica release the TUMe App. With this App you can text, talk and share for free. Telefonica launches this as Telco-OTT style.

I won’t go into details about the TUMe App itself or what this means to the telco world. But I was wondering about the protocols that are used and I will do a quick writeup of my findings.

Since I wanted to make traces of the TUMe signaling I first setup mitmproxy for intercepting HTTP traffic. This showed me that for provisioning (setting your name, receiving history, sending the address book, etc.) a JSON protocol is used which is being communicated over HTTPS.

However, calls and messages did not show up in mitmproxy which means that these are not send over HTTP (or at least do not use the system wide HTTP proxy settings in iOS).

To see all the traffic that is send by my iOS device I would have to sniff in the middle or trace on my device itself. Since I have jailbroken my device I did the latter. I installed tcpdump on my iPhone and did a trace while I was sending text messages with TUMe.

At first I started looking for the obvious, SIP or XMPP messages that are send over the default SIP and XMPP ports but I found none. Than I looked for traffic to unknown IP addresses. This was made easy since all HTTP traffic was still going via my mitmproxy. I noticed that there was traffic that was marked as HTTPS that was not send via the proxy. I found this traffic suspicious because when it would use iOS HTTP APIs it should end up being send via the HTTP proxy.

Analysis of this data stream showed a TLS connection is being setup. Because of the TLS encryption the protocol itself is not revealed but the TLS setup shows that a server certificate belonging to is being used.

Wireshark shows the Jajah certificate

Jajah is a Telefonica owned company that offers a range of products. Some are SIP based, others not. So from this trace it is clear if TUMe is a SIP or RCSe client. Although suggesting it triggers a reaction that it might very well be SIP… The TCP port being used is, however, not a SIP port but port 443 (HTTPS).

So what is the conclusion? To me (pun intended) it is not clear what protocol is being used for signaling, although the reaction on Twitters seems to acknowledge that it is SIP over TLS on port 443 (HTTPS). Some stuff is being done out-of-band via a proprietary JSON over HTTPS protocol. To me this sounds like TUMe is not a RCSe client but a proprietary client. This is fine since TUMe is OTT anyway so there is no need to federate with anyone.

This entry was posted in telecommunications and tagged , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s