Bojan Gajic of Flux Ads sent me an interesting email, and gave me permission to share this here.
His UDID was among those in the “FBI leak” the other day, and he observed Glitter Draw Free, an app he had installed, sending the associated push notification (APNS) token to a third-party service that could have been a source of the leaked data.
The publisher apparently uses their own back end for APNS as opposed to using Urban Airship or Xtify. The app posts UDID, push token and few other basic details to apns.spankapps.com on launch. Glitter Draw alone cannot have 12 million users, but its publisher has another 76 novelty apps (some were ranked high in the App Store in the past, like Finger Drums and Love Finger Scan), and there could easily be 12 million users between all those apps.
I’m guessing the database at spankapps.com was compromised and the dump came from there.
With this, the FBI denial,1 Apple’s denial, AllClearID’s denial, my previous theory, and this hacker tweet, it’s looking more and more like the FBI wasn’t involved at all.
It’s more likely that this was just a file on somebody’s laptop, and not an FBI file on an FBI-issued laptop. (The file-acquisition story might not be entirely true, either.)
Bojan’s theory about a compromised push-notification database is far more plausible, and is a much better fit to the actual data.2
Update: As many have pointed out (thank you), APNS tokens are, or were until recently, all the same on a device regardless of which app generated them. So we can’t know whether the Spankapps service specifically was the source of the leaked data, but I think this is the most likely sort of explanation rather than the FBI-laptop story.
Granted, you can’t trust any statements from any police organization in the U.S., but it’s something. ↩
For instance, I can’t figure out how and why the FBI would have collected APNS tokens. What are they going to do, steal the SpankApps SSL certificates somehow and send a fake push notification from Glitter Draw Free to a terrorist’s phone? ↩