Read previous: A Forensic Analysis of Android Network Traffic
This part of Eric Fulton’s presentation encompasses the methodology and tools applied for conducting the Android network traffic analysis.
So Scientific Method to the rescue: what I wanted to do was create a kind of reproducible project that someone else could look at, and I could do standards that would display what our applications are sharing.
So we’ve got all of the basic things there. And the question I asked was: “To what extent do participants in the cellular ecosystem (OS creators, app creators, carriers, etc.) respect user privacy?” Now, my research has only gone as far as Android, but I hope to get to Windows phones, and to BlackBerries, and to iPhones.
But right now we are going to be focusing on Android phones. So my hypothesis was, in terms of respecting privacy, what do they do? And I thought, you know, the software applications and operating systems transmit your private information. I mean, to a certain extent it’s built-in, that’s what they are supposed to do. When you log into your Facebook, you kind of have to give Facebook your username and password.
But what do they give to third parties without your knowledge? What do they give to advertising partners? And more so, what are the advertising partners that these companies blindly trust, collecting about you?
And so I thought: “I bet they are sharing the standard data: you know, usernames and passwords, and things that personally identify you”. I mean it’s a part of the application. But when you think about it, why does Google need to know your location when you are searching for something on Google? To a certain extent, that’s being done for a business purpose, it’s helpful. They need to know that I am in Las Vegas right now when I search for Petiscos restaurant. They know: “Oh, restaurant in Las Vegas”. But at the same time I have no real option of turning that off. I mean, I know Google says: “Hey, if you want you can turn off your location data, your GPS etc., we won’t collect it”.
But what we don’t realize, and what I found out later was – they kind of do, maybe not to the GPS extent, but to a different extent.
So for this experiment I built a lab. And for this lab I want to install, use apps on Android phone. I want to capture their packets, analyze these packets, and then profit, or at least give a Defcon presentation (see image).
So I built a lab, I thought to myself I’ve got this great idea, I’ve got this great hypothesis, what do I need? Well, I bought a Verizon Femtocell1, an original A855 Motorola Droid, a WRT54GL wireless router with DD-WRT2 on it, a sniffing laptop, and Internet connection. And it was like: “I am ready!”
Turns out you don’t need all that stuff to do this analysis. As I went along, I found out I could have done a lot of it in an emulator, which would have taken nothing. But it allowed be to buy some cool shit, using the office company card.
So I bought the Femtocell thinking: alright, when I am using my phone I want to collect the cellular network traffic in addition to the regular network traffic. Because, you know, if I am an app creator, I don’t want people tweaking with my stuff. And generally, I’d rather use the word ‘generally’, cellular networks are safe.
And so, if I were an app creator, I would be like: “Oh, no, no, no, I won’t send sensitive data over Wi-Fi. I’ll make sure it’s over the cellular network because it’s a lot harder to tap”. And so I thought I’m gonna buy a Femtocell, I’m gonna intercept that. And then I bought an Android phone because I believed this was cheap on eBay. And then I already had the router, and the laptop, and the Internet.
Well, it turns out, after doing a bit of research (and I didn’t dig too much into this), that app creators aren’t that shiesty yet. I needn’t register with the cell network, all I needed was just to be able to pop open my phone, turn on Wi-Fi, get to the Android Market, and start playing around, which was absolutely great.
So I created this amazing testing methodology (see image), where I would take the applications, I would purchase and install them, I would have initial usage, regular usage, and then uninstalling the application – for each of the applications. Because then I would know what traffic is going on and at exactly what point.
And then during the operating system tests, I would have first usage (when you first install it on your phone), light usage, then regular IDLE time, and then I would re-set the phone. And it seems I would cover just about every aspect of every application and OS, so that I would make sure I wouldn’t miss any shiesties that went on.
I thought to myself: you know, if I am an OS creator, every 30 minutes I would wanna know where you are at. Or if I am an application owner, I might want to know every 15 minutes who you’ve called in last 15 minutes.
So this was my amazing original testing methodology. What actually happened was I just took a massive PCAP file for each app, SSLStripped it, TCP-dumped it, and made a drinking game out of it.
And so for the apps that I tested, I thought, alright, I’m gonna do a mix. I’m gonna do Angry Birds, as I used it earlier; this really sketchy Chinese app – I don’t read Chinese, and I was like: well, that looks sketchy. It’s kind of my sketchy test. And then random applications that no one uses, I would scroll all the pages down. I got the main ones – Facebook; I got just browsing the Web on Google, and that actually happened by accident, but I found some fascinating things, so I decided to keep it in; Intelli Pilot, which is for airline pilots using log books; Mousetrap, which is a game; Pandora; Red Phone, which is an amazing application created by Moxie Marlinspike – and if you guys don’t know, it’s a little app for an Android phone, where you can have secure conversations with other people. And I thought, you know, I like Moxie but I kind of want to see if he is doing anything there – we will find out more about that later. And then Words With Friends and Zynga Poker, because I am absolutely addicted to Words With Friends, and if any of you guys play Scrabble, you’ll know.
So it’s obviously a work in progress. I have a lot of applications I’d like to test, I have a lot of different operating systems I’d like to test, and basically what I’ve been trying to work towards is a standard methodology, so that I could kind of hammer through it when I am not working, which seems to be rare.
So what I have to work with is a bunch of PCAP files and SSLStrip outputs (see image). And the reason I did this was because I figured if I am an attacker, it’s really easy just to run SSLStrip. So let’s just assume SSL is useless. And so I decided to take all the information that someone who would be attacking you would have.
Now, later on I want to see absolutely everything sent back to the company. I want to add a root certificate to the phone, and just collect all the information. But for right now, I’ve got a bunch of packet captures and SSLStrip outputs, and that alone has proved very interesting.
1 – Femtocell is a low power small cellular base station, typically designed for use in a home or small business. It connects to the service provider’s network via broadband (such as DSL or cable); current designs typically support two to four active mobile phones in a residential setting, and eight to 16 active mobile phones in enterprise settings.
2 – DD-WRT is a Linux-based firmware for wireless routers. It is a third-party firmware designed to replace the firmware that ships pre-installed on many commercial routers. This is done for a variety of reasons, including the addition of features which are not typically included in a manufacturer’s router firmware.