Thread: Decrypting iPhone/Yahoo IMAP Traffic
View Single Post
  #6 (permalink)  
Old 07-08-2007, 08:36 AM
Lixivial
Status: Offline
Junior Member
  
Join Date: Jul 2007
Posts: 2
Rep Power: 0
Lixivial is on a distinguished road
Default
Haven't been looking at these forums for awhile, until iphonejoe notified me of updating the thread. Yeah, here's the proof that the Yahoo IMAP server is not using traditional IDLE at all. This should have been obvious in the output of the CAPABILITY string, but I completely overlooked it as I was running under the assumption that it was using it. I didn't even test the IDLE command last time.

Code:
MacBook:~ Jesse$ telnet imap.apple.mail.yahoo.com 143
Trying 68.142.207.40...
Connected to imap.mail.yahoo.com.
Escape character is '^]'.
* OK IMAP4rev1 server ready (3.5.13)
1 AUTHENTICATE XYMPKI
+ 
{ auth-token, yah }
+ 
{ iphone device CA, yah} 
1 OK AUTHENTICATE completed
2 SELECT INBOX
* 16 EXISTS
* 0 RECENT
* OK [UNSEEN 2] Message 2 is first unseen
* OK [UIDVALIDITY 1] UIDs valid
* OK [UIDNEXT 22] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft)] Permanent flags
2 OK [READ-WRITE] SELECT  completed; now in selected state
3 CLOSE
3 OK CLOSE completed, now in authenticated state
4 IDLE
4 BAD Unknown command
5 LOGOUT
* BYE IMAP4rev1 Server logging out
5 OK LOGOUT completed
iphonejoe's findings of cellular notification really fall in line with the reasoning that the phone is sending out its IMEI number in a request to a yahoo API server. It also is probably the reason push email doesn't work for those who've activated their phone without AT&T.

The standard IMAP client in Mail.app (Mac OS X or the iPhone) does not support IMAP-IDLE, as evidenced by fastmail.fm -- its imap server *does* support IDLE, but the phone doesn't get emails pushed to it.

I also can tell where the auth-token is coming from and who's generating it. It looks as though iPhone's Mail.app is making a call out to https://mobile-us.login.yahoo8.akadns.net/, which probably generates the token off username/password or some such. I'm still investigating, but being that this is SSL traffic, I don't yet know exactly what's being sent to mobile-us.login.yahoo8.akadns.net but I'm looking into it.
Last edited by Lixivial; 07-08-2007 at 08:42 AM.
Reply With Quote