An Android Afternoon


What can you do with an XO-1, an old Netgear WG614v7 and a few other spare parts?

Why, you can set up a pass-through tap to see how leaky your Android-based phone is. The set-up for this is complicated by the fact that Android will not connect to ad-hoc Wi-Fi access points. Thus the need for the Netgear router (well, any router will do; I just happened to have a spare Netgear one floating around).

So first, configure the router. I left the wireless open to make life easy. I set the WAN side IP to 192.168.254.101 with a netmask of 255.255.255.0. I configured the LAN side as 10.0.0.1/24 (255.255.255.0) and the DHCP server in the router to hand out addresses from 10.0.0.2 upwards in that /24. Two things to check on the router side: its WAN default gateway has to point at the XO's eth0 address (192.168.254.100), and it needs a DNS server it can reach through that path, or the phone will get an address but no Internet. Note also that in this layout the router NATs the LAN behind its WAN address, so every packet seen on the XO's eth0 carries 192.168.254.101 as its source regardless of which device sent it; with a single phone on the network that is no problem, with several you have to tell them apart by other means.

Now, on to the XO. I have a heavily modified version of DebXO 6 that I use for most of my XO hacking. I used WICD to connect to my home wireless LAN. I then killed the wicd daemon so it wouldn't mess with any further settings. I then plugged in my USB-to-Ethernet dongle (which gives me eth0 on my XO) and used the script below to configure IP forwarding from wlan0 to eth0 and to set eth0 to 192.168.254.100.

#!/bin/bash
#
# Script to set up Internet sharing: masquerade the traffic arriving on
# eth0 (from the router's WAN port) out through wlan0, the XO's uplink.

GATEWAY_IF=wlan0        # interface that has the Internet connection
LAN_IF=eth0             # USB-to-Ethernet dongle, cabled to the router's WAN port
LAN_ADDR=192.168.254.100

# Load the netfilter module if it is not already in the kernel (or built in).
if ! /sbin/lsmod | grep -q '^ip_tables' && /sbin/modinfo ip_tables >/dev/null 2>&1; then
    /sbin/modprobe ip_tables
    echo "ip_tables is now loaded"
else
    echo "ip_tables already loaded"
fi

# Turn on IPv4 forwarding; without it the phone's packets are silently dropped.
if grep -q '^0$' /proc/sys/net/ipv4/ip_forward; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "IP forwarding is now enabled"
else
    echo "IP forwarding already enabled"
fi

# Source-NAT everything leaving via the uplink, adding the rule only once
# so that re-running the script does not stack duplicate rules.
if ! /sbin/iptables -t nat -L POSTROUTING -v -n | grep -q "MASQUERADE.*$GATEWAY_IF"; then
    /sbin/iptables -t nat -A POSTROUTING -o "$GATEWAY_IF" -j MASQUERADE
    echo "Routing is now enabled"
else
    echo "Routing already set up on $GATEWAY_IF"
fi

# Give the dongle its address on the tap network and bring it up.
echo "Setting IP..."
/sbin/ifconfig "$LAN_IF" "$LAN_ADDR" netmask 255.255.255.0 up


Now we are all set to go. I fire up Wireshark and set it to listen on eth0. Then I connect my LG P500h (Optimus One) to the Netgear router, and voilà, I can sniff every packet that comes out of the device. All those Android apps with no place to hide. Oh what fun.

The first thing I noted was that the phone connects to Google and pulls a security certificate (n.b.: this was done before I "Got the Google Out" of my phone). It seems to do this to check the Internet connection; if this is successful it changes the wireless meter from white to green.

Then I waited... and not much happened. Good... great, even.

Then I started launching a few things, and one of the first things that happened was that the Getjar client woke up and started PHONING HOME WITH INFO ON EVERY APP I RAN!!! At first I thought it might be just the apps that come from Getjar, and considering some of the cool deals they offer on apps I was thinking this might be an O.K. trade-off. After all, if you're going to scrounge up really good deals on apps, some metrics on which of the deals are really popular would be an understandable thing to want.
 

GET /backchannel/usage/?gjClientInstallationID=msxNfyjSW5mDH4Cmglht1A%3D%3D&androidID=UpFBGF16nBvbzJvsLdG8qxuyV9sS6pih%2BMtJrOoaBac%3D&gjClientVerCode=3301&src=gjca&gjClientVerName=3.3.01&eventType=OPEN&usageTime=1323360385741&launchCount=3&packageName=com.sancronringtones.catsb&versionCode=8&versionName=1.0.8 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; en-ca; LG-P500h Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Host: eventlogger.getjar.com
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Content-Length: 2
Server: Jetty(7.x.y-SNAPSHOT)



However to my dismay it turned out that EVERY APP I launched was reported.

GET /backchannel/usage/?gjClientInstallationID=msxNfyjSW5mDH4Cmglht1A%3D%3D&androidID=UpFBGF16nBvbzJvsLdG8qxuyV9sS6pih%2BMtJrOoaBac%3D&gjClientVerCode=3301&src=gjca&gjClientVerName=3.3.01&eventType=OPEN&usageTime=1323360385774&launchCount=8&packageName=org.zirco&versionCode=15&versionName=0.4.1 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; en-ca; LG-P500h Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Host: eventlogger.getjar.com
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Content-Length: 2
Server: Jetty(7.x.y-SNAPSHOT)
 
OK

This of course quickly explained to me why Getjar always ran (something I've been leery of from the start). Needless to say, Getjar is no longer on my device. They may consider it "non-PII" (Personally Identifiable Information), but I consider it none of their damn business.

This also whetted my appetite. O.K., let's see what else we can find. Happily, the only other app that seemed to behave badly was Fruit Ninja, and I must clearly state that it wasn't so much the app as its "OpenFeint" component that was either having large encrypted conversations with a distant server or stuck in some bad loop. I suspect the latter, as I had to poke the app a strange amount to get it past the initial blank screen and running. Even once it was running, OpenFeint continued to thrash the network with encrypted packets. (I really do suspect that something had gone badly wrong for poor OpenFeint.) This had a severe adverse effect on the performance of the game. So, it too is gone.

Now that I have this rig I plan to do lots of testing. There are two other Android devices that I currently have access to and many, many apps to try. I will be sure to post more as results come in. I also welcome suggestions on apps that should be tested.

The relevant parts of the packet captures are here for those that would like to see the raw packets.

Other things I tried that proved to be o.k.


Despite app makers always claiming that there is no reason to kill apps sitting in memory, I clearly saw a reason: to clean up a large number of open HTTP connections. When I killed all running apps there was a swath of FIN/ACK packets as open connections were shut down.

I look forward to many more hours of sniffing Android apps for leaks or other bad behaviour.
note:

For those who are not aware of it, the pulling of ads by apps also leaks information back to the company supplying the ad. The ordinary HTTP GET request carries several bits of information that anyone wanting to track you will find useful, such as the device model and the version of the operating system. The User-Agent header in the captures above shows exactly what goes out on every request: the Android version (2.3.3), the locale (en-ca), the handset (LG-P500h) and the firmware build (GRI40).
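The same triage that was done by eye on the Getjar requests above, and on the User-Agent leak this note describes, can be scripted once you are looking at more than a handful of apps. The following is an added example written for this post, not code from the original page or from Getjar; it parses plain-text request/response pairs of the kind Wireshark's "Follow TCP Stream" produces (the two Getjar requests quoted above are embedded verbatim as the sample input) and reports, per request, where it went, which query parameters look like per-device or per-install identifiers, what the User-Agent reveals about the handset, and which app was being reported on. The identifier heuristics (parameter names ending in "id", or opaque base64-looking values) are this example's own assumptions, not anything the vendor documents.

```python
"""Triage captured HTTP requests for leaked identifiers and device fingerprints."""
import re
from urllib.parse import urlsplit, parse_qsl

# The two Getjar requests quoted in the post, verbatim, with their responses.
CAPTURE = """\
GET /backchannel/usage/?gjClientInstallationID=msxNfyjSW5mDH4Cmglht1A%3D%3D&androidID=UpFBGF16nBvbzJvsLdG8qxuyV9sS6pih%2BMtJrOoaBac%3D&gjClientVerCode=3301&src=gjca&gjClientVerName=3.3.01&eventType=OPEN&usageTime=1323360385741&launchCount=3&packageName=com.sancronringtones.catsb&versionCode=8&versionName=1.0.8 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; en-ca; LG-P500h Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Host: eventlogger.getjar.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Length: 2
Server: Jetty(7.x.y-SNAPSHOT)

OK
GET /backchannel/usage/?gjClientInstallationID=msxNfyjSW5mDH4Cmglht1A%3D%3D&androidID=UpFBGF16nBvbzJvsLdG8qxuyV9sS6pih%2BMtJrOoaBac%3D&gjClientVerCode=3301&src=gjca&gjClientVerName=3.3.01&eventType=OPEN&usageTime=1323360385774&launchCount=8&packageName=org.zirco&versionCode=15&versionName=0.4.1 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; en-ca; LG-P500h Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Host: eventlogger.getjar.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Length: 2
Server: Jetty(7.x.y-SNAPSHOT)

OK
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/\d\.\d$")
# Stock Android browser/WebView UA: "... Android 2.3.3; en-ca; LG-P500h Build/GRI40) ..."
ANDROID_UA = re.compile(r"Android ([\d.]+); ([A-Za-z]{2}-[A-Za-z]{2}); ([^\s;)]+) Build/([^\s)]+)")
# Assumed heuristic for an opaque token: base64 alphabet, 16+ chars, at least one letter.
OPAQUE_VALUE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9+/=_-]{16,}$")


def parse_requests(text):
    """Return a list of {method, path, headers} for every request in a text dump.

    Response lines and bodies are skipped; a blank line ends a header block.
    """
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2), "headers": {}}
            requests.append(current)
            continue
        if current is None:
            continue
        if line.strip() == "":
            current = None
            continue
        name, sep, value = line.partition(":")
        if sep:
            current["headers"][name.strip().lower()] = value.strip()
    return requests


def identifier_params(query):
    """Pick out query parameters that look like per-device or per-install identifiers."""
    return {name: value for name, value in query.items()
            if name.lower().endswith("id") or OPAQUE_VALUE.match(value)}


def device_info(user_agent):
    """Extract what the stock Android User-Agent reveals about the handset."""
    m = ANDROID_UA.search(user_agent or "")
    if not m:
        return {}
    return {"android": m.group(1), "locale": m.group(2),
            "model": m.group(3), "build": m.group(4)}


def triage(text):
    """Summarise each request: destination, leaked identifiers, device, app reported."""
    report = []
    for req in parse_requests(text):
        parts = urlsplit(req["path"])
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        report.append({
            "host": req["headers"].get("host", ""),
            "path": parts.path,
            "identifiers": identifier_params(query),
            "device": device_info(req["headers"].get("user-agent")),
            "app": query.get("packageName"),
            "launch_count": query.get("launchCount"),
        })
    return report


if __name__ == "__main__":
    for entry in triage(CAPTURE):
        print(f"{entry['host']}{entry['path']} reported app {entry['app']} "
              f"(launch #{entry['launch_count']}) with identifiers "
              f"{sorted(entry['identifiers'])} from {entry['device']}")
```

Feed it the text of a followed stream instead of the embedded sample and the two things worth scanning for are the stable identifiers (here the per-install ID and a hashed Android ID, sent on every launch event) and whether the same identifier turns up in requests to a different host, which is what lets two unrelated services correlate one handset.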

Edit:

I have done some sniffing of my phone now that Google is gone. It was rather boring, actually, especially when I had the firewall (Droidwall) turned on. So I'll probably not do a post about that. It'd just be a lot of "nothing to see here..."



Creative Commons License
This site by Freemor is licensed under a Creative Commons Attribution-ShareAlike 2.5 Canada License.
Permissions beyond the scope of this license may be available at http://freemor.ca/Contact.htm.