OUYA is watching you

I got an OUYA game console for birthday and have been playing around a bit. Part of the playing has been dissecting OUYA's network transmission behavior, and I indeed did find some interesting bits.

All actions described here were made on an OUYA with firmware OUYA-1.0.459-r1.

Proxy setup

All traffic from the OUYA to the ouya.tv servers is running through SSL-secured HTTP connections (HTTPS) - except the are-the-network-settings-correct status check. Analysing the HTTP traffic thus is not as easy as firing up Wireshark, since the encrypted traffic can't be decrypted without the server's SSL certificate.

Solution to this problem was mitmproxy , which is able to intercept SSL connections and auto-generate correct SSL certificates on the fly. Note that I had to use mitmproxy version 0.9.2; the Debian-default 0.8 did not work and only produced errors on the OUYA:

java.net.SSL.PeerUnverifiedException: No peer certificate

I used the FilePwn app from the OUYA app store to copy the certificate from the USB stick to the /sdcard/Downloads/ directory on the OUYA, and then the Advanced settings to install it as described in the mitmproxy Android setup documentation .

Then I setup the transparent proxying iptables rules , configured dnsmasq to send out my laptop's IP as gateway/router address in the DHCP assignments and was done. I clicked around in the OUYA menu and could inspect the HTTP requests and responses in the mitmproxy window.

Services used by OUYA

The OUYA console talks with a bunch of services. I found:

OUYA API

Nearly all requests to the OUYA API at https://devs.ouya.tv/api/v1/ have a user-specific auth_token parameter attached, although it's not needed in most cases.

Unfortunately, the OUYA does not utilize HTTP If-Modified-Since header , so the playlist and firmware_builds file are downloaded fully repeatedly, even if they did not change. I've opened a bug report (unfortunately private) for this.

Interesting is the playlist which lists all games available in the store, together with the current version and a teaser image. It also contains the layout used to display the store screen.

App detail information can be fetched by appending the uuid value from the playlist to https://devs.ouya.tv/api/v1/apps/, e.g. com.SmithereensGames.AcidTrip . You can fetch the download URL is achieved by appending /download to the app detail URL.

During firmware update, you will see funny messages. This are the "update strings", available at update_strings.txt (german).

Information about purchases are separately encrypted. I haven't yet tried to decrypt the messages, but if the OUYA developers used asymmetric encryption, this should be fairly safe - so you won't be able to trick the OUYA into thinking that you actually bought a game when you haven't (although replay attacks may work if the encrypted data don't include user-specific data, but the OUYA devs probably thought about that, too).

Tracking

Up to now, everything was fun. But unfortunately, the OUYA has the disturbing behavior of logging everything and sending this information Google analytics, devs.ouya.tv or both. Whatever you do in the OUYA menu is logged, be it the store, the settings or the installed games menu.

All tracking events sent to the OUYA servers are personalized: They include your login information (authentication token obtained during login), console hardware ID and console firmware.

I do understand that the OUYA developers want to know more how the users walk around the system, but I want to have an option to disable that. This is currently not possible, so I've opened another bug report (again private) for that.

Google analytics

Some of the events that are logged onto the Google analytics servers:

OUYA events API

Some of the events that are sent to the OUYA API:

Privacy policy

Neither the terms of service (version 2013-07-01) nor the privacy policy (version 2013-08-91) make clear that by simply using the OUYA console, your behavior is logged. As far as I understood them, they only bear on the web site ouya.tv and subdomains. I've opened a bug report (unfortunately private) for this, too.

With the release of firmware 1.0.561 on 2013-10-08, OUYA modified their privacy policy. It now tells you that the OUYA console itself tracks some of your behavior (bold by me):

Information Related to Use of the Marketplace.

Our servers automatically record certain information about how a gamer uses our Marketplace (we refer to this information as “Log Data”). Log Data may include information such as a your Internet Protocol (IP) address, the Games and Apps you were viewing in the Marketplace, the aspects or features of our Marketplace you browsed and how much time you spent, search terms, the links on our Marketplace that you clicked on and other statistics.

We use this information to administer the Marketplace and we analyze (and may engage third parties to analyze) this information to improve and enhance the Marketplace by expanding our features and functionality and tailoring them to your needs and preferences.

We may use a gamer’s IP address to fight spam, fraud, malware and identity theft. We may also use the IP Address to generate aggregate, non-identifying information about how our Marketplace are used.

What I didn't find is the information that even the starting of games and moves in the configuration menu is tracked. It's probably included in "other statistics".

Updates

Update 2013-10-09

OUYA modified their privacy policy. It now tells you that the OUYA console itself tracks your behavior.

Update 2013-10-15

Behavior tracking is not anonymous! The OUYA sends your console hardware ID, firmware version and the authentication token that you got after logging in.

Written by Christian Weiske.

Comments? Please send an e-mail.