The Charlatan’s iPhone Tor App

Originally published by InterN0T

On August 10, year 2015, Simon Smith from 1IQ aka eVestigator aka RPL Central aka Official Intelligence aka <insert new company name soon>, released a modified commercial version of Mike Tigas’ iPhone Tor app. More specifically the developer from 1IQ, used version 1.5.12 of Mike Tigas’s open source application and sold it on the Apple Store.

For almost two years, it was dubbed as the “#1 Onion Routing Browser” by the developer (1IQ). The developer also stated in the product description that “not even he could hack it” and “I have put people behind bars just from tracing an IP before”, and even that it was an “enhanced version” of the original Tor app.

The modified version included “license checks” that effectively could be used to track users of the application, as a HTTP request would be sent to the developer’s web server every time the application was started. Other functionality within the application appears to have allowed users of the application to save bookmarks on the developer’s website, without informing the users of the application, that these bookmarks would be stored remotely, and also sent insecurely over HTTP every time they would be saved, or requested. This particular feature (i.e. bookmarks saved on the developer’s website) could not be analyzed in depth, as the developer had unfortunately removed the Orion Browser website, while still selling it on the Apple Store. 

Over the next year or so until 02 May, 2016, the application was updated by the 1IQ developer several times (up to version 7.9), but it never received security updates for the embedded Tor client, or the OpenSSL library. This essentially made the app “enhanced” by 1IQ, become more and more insecure as time progressed.


The application was available for anyone to buy until 07 July, 2017, almost two years later, until it was randomly pulled by the developer. Another interesting fact, is that the application used be called Torion, and even featured a completely different logo, which was changed at some point either during development, or in one of the updates.

Mike Tigas, the original developer was already notifying users of various risks that could be used to unmask users of his iPhone Tor app, such as HTML5 video tags leaking DNS requests. These issues were also present in the modified version from 1IQ. However, the developer from 1IQ claimed that their version had no security at all and was the “safest anonymous browser on the planet”. 

The modified version also included various hardcoded HTTP links to the new developer’s website, which only made the app even more insecure, some of these links can be found below:

__cstring:001B912A 00000033 C <a href="http://www.orionbrowser.com/secure/ip34r.asp?guid=">http://www.orionbrowser.com/secure/ip34r.asp?guid=</a> <br>
__cstring:001B9443 00000028 C <a href="http://www.orionbrowser.com/secure/?tk=">http://www.orionbrowser.com/secure/?tk=</a> <br>
__cstring:001B94C5 0000003F C window.location.href='<a href="http://orionbrowser.com/secure/top.asp">http://orionbrowser.com/secure/top.asp</a>'; &nbsp;&nbsp;<br>
__cstring:001B9504 00000042 C window.location.href='<a href="http://orionbrowser.com/secure/bottom.asp">http://orionbrowser.com/secure/bottom.asp</a>';<br>
__cstring:001B9546 00000040 C window.location.href='<a href="http://orionbrowser.com/secure/menu.asp">http://orionbrowser.com/secure/menu.asp</a>'; &nbsp;<br>
__cstring:001B971D 00000037 C <a href="http://www.orionbrowser.com/secure/bookmark.asp?title=">http://www.orionbrowser.com/secure/bookmark.asp?title=</a> <br>
__cstring:001B9980 00000026 C <a href="http://www.orionbrowser.com/help.html">http://www.orionbrowser.com/help.html</a> <br>
__cstring:001BBA84 0000001D C <a href="http://www.orionbrowser.com/">http://www.orionbrowser.com/</a> <br>
__cstring:001BBB27 00000027 C <a href="http://www.orionbrowser.com/opensource">http://www.orionbrowser.com/opensource</a>


After InterN0T had completed its analysis of this insecure iPhone Tor app, the vendor was sent an advisory.


To better understand the correspondence between InterN0T and the vendor, the emails back and forth have been attached below:


As seen in the responses from the vendor, it is evident that the vendor tried to “social engineer” InterN0T into providing Personally Identifiable Information (PII), so that the vendor could harass InterN0T’s representatives in real life as well. In case you, the reader, wonders if the vendor does such as thing; yes the vendor has done that several times over the last couple of months against several people.


InterN0T predicts that this article will be available for roughly 36 hours, before the vendor manages to scare Steemit into submission and censor or delete this article. The reader might wonder why? Well, that’s because the vendor believes anything negative in any form needs to be forcefully taken down through abuse complaints, DMCAs, legal threats in general, harassment, etc. 

For example, the vendor recently threatened The Register for writing an article about our previous advisories. Sure, the article was a bit off technically speaking and we did contact them to fix it, but the point of this is, the vendor will literally harass anyone to an extreme extent, that do not agree with him. 


References: