Yesterday I did a writeup of my first impressions of the TUMe protocol. Today I want to give some more details about the JSON over HTTPS part of the protocol. TUMe definitely uses SIP for signaling.
The JSON protocol is used for provisioning the service, both for initial setup and for removal. The protocol is also used to authorize the application on every startup.
When registering for TUMe, a JSON message is sent to register your phone number together with your locale. After this, some setup data is sent to set up Apple’s push message service for TUMe. In the meantime you will receive a PIN code from TUMe via SMS.
The PIN code and your phone number are then sent in a subsequent JSON message meant to validate your phone number. The server replies with a configuration message for the app. The message contains a SIP (over TLS) configuration and some information for authentication. You can see this message below:
After this TUMe is ready to rock.
While still in the process of setting up the service for the first time, the app will send personal information via JSON. Your MSISDN (phone number), screen name and user id (from the config message) are sent first. After that, when you choose to, your contacts are sent to the server.
Every time the application is started, it first authorizes itself via a JSON message. It sends an HTTP request with a basic authentication string and receives an access token in return. I suspect this token is used to set up the TLS connection that is used for SIP signaling.
The app also requests a history from the JSON server, but for me this message is always empty. I’m not sure what this message is for.
Canceling the account also goes via JSON: an HTTP DELETE request is sent to the server to trigger the account removal.
This concludes the analysis of the JSON RPC protocol.